From 06a27a4fb52653b4cbf67b75b8116cf6692b435d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Fri, 24 Aug 2018 17:18:04 +0100
Subject: [PATCH] fix crash when connection fails early
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When reading the initial greeting a timer is set in the background. If
the connection fails early, we can jump to cleanup code before the timer
is disable. The timer will later fire, read a coroutine context from
freed memory, and likely jump to somewhere awful with predictably crashy
results.

  https://bugzilla.redhat.com/show_bug.cgi?id=1620203

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 src/vncconnection.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/vncconnection.c b/src/vncconnection.c
index b6e13d5..afc1418 100644
--- a/src/vncconnection.c
+++ b/src/vncconnection.c
@@ -319,7 +319,9 @@ static gboolean vnc_connection_timeout(gpointer data)
 {
     struct wait_queue *wait = data;
 
+    VNC_DEBUG("Connection timeout wakeup start %p", data);
     g_io_wakeup(wait);
+    VNC_DEBUG("Connection timeout wakeup done %p", data);
 
     return FALSE;
 }
@@ -5318,6 +5320,7 @@ static gboolean vnc_connection_initialize(VncConnection *conn)
 
     priv->absPointer = TRUE;
 
+    VNC_DEBUG("Schedule greeting timeout %p", &priv->wait);
     timeout = g_timeout_add_seconds(2, vnc_connection_timeout, &priv->wait);
     want = 12;
     while (want > 0) {
@@ -5369,7 +5372,9 @@ static gboolean vnc_connection_initialize(VncConnection *conn)
     }
 
     if (timeout != 0) {
+        VNC_DEBUG("Remove timeout %p", &priv->wait);
         g_source_remove(timeout);
+        timeout = 0;
     }
 
     version[12] = 0;
@@ -5449,6 +5454,11 @@ static gboolean vnc_connection_initialize(VncConnection *conn)
     return !vnc_connection_has_error(conn);
 
  fail:
+    if (timeout != 0) {
+        VNC_DEBUG("Remove timeout %p", &priv->wait);
+        g_source_remove(timeout);
+        timeout = 0;
+    }
     return !vnc_connection_has_error(conn);
 }
 
@@ -5481,6 +5491,7 @@ static GSocket *vnc_connection_connect_socket(struct wait_queue *wait,
     if (!sock)
         return NULL;
 
+    VNC_DEBUG("Schedule socket timeout %p", wait);
     guint timeout = g_timeout_add_seconds(10, vnc_connection_timeout, wait);
 
     g_socket_set_blocking(sock, FALSE);
@@ -5513,8 +5524,10 @@ timeout:
     sock = NULL;
 
 end:
-    if (timeout != 0)
+    if (timeout != 0) {
+        VNC_DEBUG("Remove timeout %p", wait);
         g_source_remove(timeout);
+    }
 
     return sock;
 }
-- 
2.17.1