eb34131a13
It fixes CVE-2026-22852, CVE-2026-22854, CVE-2026-22856, CVE-2026-23732, CVE-2026-23948, CVE-2026-24491, CVE-2026-24675, CVE-2026-24676, CVE-2026-24679, CVE-2026-24681, CVE-2026-24683, CVE-2026-24684 and CVE-2026-31806. Resolves: RHEL-147954, RHEL-147955, RHEL-147970, RHEL-147977, RHEL-147980 Resolves: RHEL-148002, RHEL-148014, RHEL-148031, RHEL-148906, RHEL-148996 Resolves: RHEL-149007, RHEL-149056, RHEL-155984
90 lines
3.1 KiB
Diff
90 lines
3.1 KiB
Diff
From 7cf742159bd2675366c7187c4bc51018b548d228 Mon Sep 17 00:00:00 2001
|
|
From: Ondrej Holy <oholy@redhat.com>
|
|
Date: Tue, 10 Mar 2026 08:47:45 +0100
|
|
Subject: [PATCH] [channels,serial] lock list dictionary
|
|
|
|
Backport of commit b35aa3614d32bff3fc1272cd7c4617f711fca1a4.
|
|
|
|
Made-with: Cursor
|
|
---
|
|
channels/serial/client/serial_main.c | 35 ++++++++++++++++------------
|
|
1 file changed, 20 insertions(+), 15 deletions(-)
|
|
|
|
diff --git a/channels/serial/client/serial_main.c b/channels/serial/client/serial_main.c
|
|
index afe67b4d3..d76d725f1 100644
|
|
--- a/channels/serial/client/serial_main.c
|
|
+++ b/channels/serial/client/serial_main.c
|
|
@@ -540,6 +540,7 @@ static void create_irp_thread(SERIAL_DEVICE* serial, IRP* irp)
|
|
HANDLE irpThread;
|
|
ULONG_PTR* ids;
|
|
int i, nbIds;
|
|
+ ListDictionary_Lock(serial->IrpThreads);
|
|
nbIds = ListDictionary_GetKeys(serial->IrpThreads, &ids);
|
|
|
|
for (i = 0; i < nbIds; i++)
|
|
@@ -581,6 +582,7 @@ static void create_irp_thread(SERIAL_DEVICE* serial, IRP* irp)
|
|
}
|
|
|
|
free(ids);
|
|
+ ListDictionary_Unlock(serial->IrpThreads);
|
|
}
|
|
|
|
LeaveCriticalSection(&serial->TerminatingIrpThreadsLock);
|
|
@@ -621,19 +623,6 @@ static void create_irp_thread(SERIAL_DEVICE* serial, IRP* irp)
|
|
return;
|
|
}
|
|
|
|
- if (ListDictionary_Count(serial->IrpThreads) >= MAX_IRP_THREADS)
|
|
- {
|
|
- WLog_Print(serial->log, WLOG_WARN,
|
|
- "Number of IRP threads threshold reached: %d, keep on anyway",
|
|
- ListDictionary_Count(serial->IrpThreads));
|
|
- assert(FALSE); /* unimplemented */
|
|
- /* TODO: MAX_IRP_THREADS has been thought to avoid a
|
|
- * flooding of pending requests. Use
|
|
- * WaitForMultipleObjects() when available in winpr
|
|
- * for threads.
|
|
- */
|
|
- }
|
|
-
|
|
/* error_handle to be used ... */
|
|
data = (IRP_THREAD_DATA*)calloc(1, sizeof(IRP_THREAD_DATA));
|
|
|
|
@@ -656,7 +645,23 @@ static void create_irp_thread(SERIAL_DEVICE* serial, IRP* irp)
|
|
|
|
key = irp->CompletionId;
|
|
|
|
- if (!ListDictionary_Add(serial->IrpThreads, (void*)key, irpThread))
|
|
+ ListDictionary_Lock(serial->IrpThreads);
|
|
+ if (ListDictionary_Count(serial->IrpThreads) >= MAX_IRP_THREADS)
|
|
+ {
|
|
+ WLog_Print(serial->log, WLOG_WARN,
|
|
+ "Number of IRP threads threshold reached: %d, keep on anyway",
|
|
+ ListDictionary_Count(serial->IrpThreads));
|
|
+ assert(FALSE); /* unimplemented */
|
|
+ /* TODO: MAX_IRP_THREADS has been thought to avoid a
|
|
+ * flooding of pending requests. Use
|
|
+ * WaitForMultipleObjects() when available in winpr
|
|
+ * for threads.
|
|
+ */
|
|
+ }
|
|
+ const BOOL added = ListDictionary_Add(serial->IrpThreads, (void*)key, irpThread);
|
|
+ ListDictionary_Unlock(serial->IrpThreads);
|
|
+
|
|
+ if (!added)
|
|
{
|
|
WLog_ERR(TAG, "ListDictionary_Add failed!");
|
|
goto error_handle;
|
|
@@ -927,7 +932,7 @@ UINT DeviceServiceEntry(PDEVICE_SERVICE_ENTRY_POINTS pEntryPoints)
|
|
}
|
|
|
|
/* IrpThreads content only modified by create_irp_thread() */
|
|
- serial->IrpThreads = ListDictionary_New(FALSE);
|
|
+ serial->IrpThreads = ListDictionary_New(TRUE);
|
|
|
|
if (!serial->IrpThreads)
|
|
{
|
|
--
|
|
2.53.0
|
|
|