From fd4a179a15882234f86ded87905a240dc76a9445 Mon Sep 17 00:00:00 2001
From: Matthias Maier
Date: Tue, 14 Jun 2016 00:08:05 -0500
Subject: [PATCH 1/2] Port fix for CVE-2016-0749 to 0.13.1, part I
This is a port of 0065-smartcard-add-a-ref-to-item-before-adding-to-pipe.patch to version 0.13.1
Original commit message:
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Marc-Andre Lureau
Date: Thu, 17 Dec 2015 18:13:47 +0100
Subject: [PATCH] smartcard: add a ref to item before adding to pipe
There is an unref when the message is sent.
[...]
Signed-off-by: Marc-Andre Lureau
---
 server/smartcard.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/server/smartcard.c b/server/smartcard.c
index ba6f2f5..96e4295 100644
--- a/server/smartcard.c
+++ b/server/smartcard.c
@@ -181,14 +181,18 @@ static void smartcard_unref_msg_to_client(RedCharDeviceMsgToClient *msg,
 smartcard_unref_vsc_msg_item((MsgItem *)msg);
 }
-static void smartcard_send_msg_to_client(RedCharDeviceMsgToClient *msg,
+static void smartcard_send_msg_to_client(RedCharDeviceMsgToClient *message,
 RedClient *client,
 void *opaque)
 {
 RedCharDeviceSmartcard *dev = opaque;
- spice_assert(dev->priv->scc && dev->priv->scc->base.client == client);
- smartcard_channel_client_pipe_add_push(&dev->priv->scc->base, &((MsgItem *)msg)->base);
+ MsgItem *msg = (MsgItem *)message;
+ PipeItem *item = &msg->base;
+
+ spice_assert(dev->priv->scc && dev->priv->scc->base.client == client);
+ smartcard_ref_vsc_msg_item(msg);
+ smartcard_channel_client_pipe_add_push(&dev->priv->scc->base, item);
 }
 static void smartcard_send_tokens_to_client(RedClient *client, uint32_t tokens, void *opaque)
--
2.7.3
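Review bot: The added `smartcard_ref_vsc_msg_item(msg)` call in smartcard_send_msg_to_client has no comment saying who releases that reference, so a later cleanup could remove it as redundant and bring back the premature free that this part of the CVE-2016-0749 port presumably closes. The commit message states that the unref happens when the message is sent; that belongs next to the call, for example `/* reference held by the pipe; dropped when the item is sent */`. Whether an item discarded from the pipe without being sent (a client disconnect, say) is also unreferenced is not visible in this hunk and should be confirmed, since otherwise the new reference would leak. The parameter rename to `message` also leaves the neighbouring smartcard_unref_msg_to_client using `msg` with an inline cast, so the two callbacks now read differently for the same object.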