[prev in list] [next in list] [prev in thread] [next in thread]
List: qemu-devel
Subject: [Qemu-devel] [PATCH] Fix infinite loop caused by mishandling of
From: Marc Bevand <m.bevand () gmail ! com>
Date: 2007-08-27 23:00:57
Message-ID: loom.20070828T004747-397 () post ! gmane ! org
[Download RAW message or body]
Hi, I have been using QEMU's VNC support quite extensively since 0.8.1
came out, and every once in a while QEMU froze on me while interacting
with a guest OS through a VNC client. I recently spent some time
tracking down this bug in QEMU 0.9.0 and I found and fixed it in vnc.c
(see patch below).
In protocol_client_msg(), type-6 messages ("client cut text") are not
handled properly. From time to time my VNC client (xvncviewer version
3.3.7-8ubuntu2_amd64.deb, from Ubuntu 6.06.1) appears to send type-6
messages with an empty text string:
06 message-type
xx xx xx padding
00 00 00 00 length
- (empty text string)
This causes protocol_client_msg() to enter this if-condition:
if (len == 8)
return 8 + read_u32(data, 4);
Which returns 8 (8 + 0), meaning that 8 more bytes are expected (it
doesn't realize that the lenght field is 0.) This causes QEMU to enter
an infinite loop: protocol_client_msg keeps getting called again and
again, making the guest OS appear frozen.
The bug seems to stil exist in CVS HEAD, I made a patch against
qemu-snapshot-2007-08-27_05, please apply it.
-marc
--- qemu-snap-2007-08-27_05/vnc.c.orig 2007-08-24 18:39:57.000000000 -0700
+++ qemu-snap-2007-08-27_05/vnc.c 2007-08-27 15:25:57.379836750 -0700
@@ -1196,7 +1196,11 @@
return 8;
if (len == 8)
- return 8 + read_u32(data, 4);
+ {
+ uint32_t dlen = read_u32(data, 4);
+ if (dlen > 0)
+ return 8 + dlen;
+ }
client_cut_text(vs, read_u32(data, 4), data + 8);
break;
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic