usb-redir: fix use-after-free

Reinitialize dev->cs to NULL after deleting it, to make sure it isn't used afterwards. Reported-by: Martin Cerveny <M.Cerveny@computer.org> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
2013-07-31 11:17:58 +02:00 · 2013-07-31 11:17:58 +02:00 · a14ff8a650
parent 75cc1c1fcb
commit a14ff8a650
1 changed files with 1 additions and 0 deletions
--- a/hw/usb/redirect.c
+++ b/hw/usb/redirect.c
@ -1334,6 +1334,7 @@ static void usbredir_handle_destroy(USBDevice *udev)
    USBRedirDevice *dev = DO_UPCAST(USBRedirDevice, dev, udev);

    qemu_chr_delete(dev->cs);
+    dev->cs = NULL;
    /* Note must be done after qemu_chr_close, as that causes a close event */
    qemu_bh_delete(dev->chardev_close_bh);