From: "Daniel P. Berrange" <berrange(a)redhat.com>
When sending outbound stream RPC messages, a callback is
used to re-enable stream data transmission. If the stream
aborts while one of these messages is outstanding, the
stream may have been freed by the time the callback is invoked. This
results in a use-after-free error.
* daemon/stream.c: Ref-count streams to avoid use-after-free
---
daemon/stream.c | 10 +++++++++-
1 files changed, 9 insertions(+), 1 deletions(-)
diff --git a/daemon/stream.c b/daemon/stream.c
index 7d2b367..ba3adc2 100644
--- a/daemon/stream.c
+++ b/daemon/stream.c
@@ -38,6 +38,7 @@
struct daemonClientStream {
daemonClientPrivatePtr priv;
+ int refs;
virNetServerProgramPtr prog;
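Review bot: The new `refs` field in `struct daemonClientStream` has no comment saying who holds a reference or what serialises access to it. From the other hunks, the creator holds one (`stream->refs = 1`) and daemonStreamHandleRead takes one per queued outbound message, so a comment such as `int refs; /* 1 for the owner + 1 per in-flight tx message; stream is freed when this reaches 0 */` would record the ownership rule. The struct definition continues outside the hunk.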
@@ -102,6 +103,8 @@ daemonStreamMessageFinished(virNetMessagePtr msg,
stream->tx = 1;
daemonStreamUpdateEvents(stream);
+
+ daemonFreeClientStream(NULL, stream);
}
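Review bot: The release added at the end of daemonStreamMessageFinished passes `NULL` as the client, so when the callback holds the last reference, the teardown in daemonFreeClientStream runs with `client == NULL`. Only the VIR_DEBUG use of `client` is visible in this patch; any later use of `client` in that function (outside the hunks) would need a NULL guard, or the stream would need to carry its own client pointer. Separately, `stream->tx = 1` and daemonStreamUpdateEvents() still run on a stream its owner may already have released, which is safe only if daemonStreamUpdateEvents (not shown) ignores closed streams. The function starts outside the hunk.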
@@ -299,6 +302,7 @@ daemonCreateClientStream(virNetServerClientPtr client,
return NULL;
}
+ stream->refs = 1;
stream->priv = priv;
stream->prog = prog;
stream->procedure = header->proc;
@@ -326,6 +330,10 @@ int daemonFreeClientStream(virNetServerClientPtr client,
if (!stream)
return 0;
+ stream->refs--;
+ if (stream->refs)
+ return 0;
+
VIR_DEBUG("client=%p, proc=%d, serial=%d",
client, stream->procedure, stream->serial);
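Review bot: `stream->refs--` followed by `if (stream->refs)` is an unsynchronised read-modify-write on a plain `int`, and no lock is visible around it in daemonFreeClientStream. If the message-finished callback and the client teardown path can run on different threads (this patch does not show whether they can), two releases could race into a double free or a leaked stream. In that case the counter should be updated under the lock that already protects the stream, or made atomic. The function also returns 0 both when it only dropped a reference and when it freed the stream, so a short comment on the return value would help callers; the body continues outside the hunk.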
@@ -727,7 +735,7 @@ daemonStreamHandleRead(virNetServerClientPtr client,
if (msg) {
msg->cb = daemonStreamMessageFinished;
msg->opaque = stream;
- virNetServerClientRef(client);
+ stream->refs++;
ret = virNetServerProgramSendStreamData(remoteProgram,
client,
msg,
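Review bot: `stream->refs++` is taken before virNetServerProgramSendStreamData(), and the error path for that call lies outside the hunk. If the send can fail without ever invoking `msg->cb`, the reference taken here is never dropped and the stream is never freed. The failure branch should then release it, e.g. `daemonFreeClientStream(client, stream);`, unless freeing the message is guaranteed to run the callback. The hunk also removes `virNetServerClientRef(client)`, so it is worth confirming that nothing reachable from the callback touches the client through `stream->priv` after the client has been released.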
--
1.7.6
On 08/31/2011 10:48 AM, Daniel P. Berrange wrote:
From: "Daniel P. Berrange"<berrange(a)redhat.com>
When sending outbound stream RPC messages, a callback is
used to re-enable stream data transmission. If the stream
aborts while one of these messages is outstanding, the
stream may have been free'd by the time it is invoked. This
results in a use-after-free error
* daemon/stream.c: Ref-count streams to avoid use-after-free
---
daemon/stream.c | 10 +++++++++-
1 files changed, 9 insertions(+), 1 deletions(-)
ACK.
--
Eric Blake eblake(a)redhat.com +1-801-349-2682
Libvirt virtualization library
http://libvirt.org