diff --git a/SOURCES/0014-Remove-some-warnings-from-Clang-static-analyzer.patch b/SOURCES/0014-Remove-some-warnings-from-Clang-static-analyzer.patch new file mode 100644 index 0000000..ccfb3d7 --- /dev/null +++ b/SOURCES/0014-Remove-some-warnings-from-Clang-static-analyzer.patch @@ -0,0 +1,74 @@ +From 95f6f22c4fee847cdf84465107561b94a5c10782 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Thu, 27 Aug 2020 17:20:06 +0100 +Subject: [PATCH] Remove some warnings from Clang static analyzer + +qmp-port.c: +warning: Although the value stored to 'node' is used in the enclosing +expression, the value is never actually read from 'node' + +usb-backend.c: +warning: Value stored to 'done' is never read +warning: Use of memory after it is freed + +usb-device-cd.c: +warning: Value stored to 'error' is never read + +Signed-off-by: Frediano Ziglio +--- + src/qmp-port.c | 2 +- + src/usb-backend.c | 3 +-- + src/usb-device-cd.c | 2 +- + 3 files changed, 3 insertions(+), 4 deletions(-) + +diff --git a/src/qmp-port.c b/src/qmp-port.c +index 25ab1d1..f0cbbc7 100644 +--- a/src/qmp-port.c ++++ b/src/qmp-port.c +@@ -104,7 +104,7 @@ spice_qmp_dispatch_message(SpiceQmpPort *self) + return TRUE; + } + +- if ((node = json_object_get_member(obj, "error"))) { ++ if (json_object_get_member(obj, "error") != NULL) { + gint id = json_object_get_int_member(obj, "id"); + const gchar *desc = json_object_get_string_member(obj, "desc"); + +diff --git a/src/usb-backend.c b/src/usb-backend.c +index 5d3912b..a4a5f0a 100644 +--- a/src/usb-backend.c ++++ b/src/usb-backend.c +@@ -867,7 +867,6 @@ usbredir_control_packet(void *priv, uint64_t id, struct usb_redir_control_packet + + if (!done) { + device_ops(edev)->control_request(edev, data, data_len, &response, &out_buffer); +- done = TRUE; + } + + if (response.status) { +@@ -1367,8 +1366,8 @@ void spice_usb_backend_channel_delete(SpiceUsbBackendChannel *ch) + free(ch->rules); + } + ++ SPICE_DEBUG("%s << %p", __FUNCTION__, ch); + g_free(ch); +- SPICE_DEBUG("%s << %p", __FUNCTION__, ch); + } + + void +diff --git a/src/usb-device-cd.c b/src/usb-device-cd.c +index 1aa553a..b9fa317 100644 +--- a/src/usb-device-cd.c ++++ b/src/usb-device-cd.c +@@ -150,7 +150,7 @@ static int cd_device_load(SpiceCdLU *unit, gboolean load) + if (load) { + error = ioctl(fd, CDROMCLOSETRAY, 0); + } else { +- error = ioctl(fd, CDROM_LOCKDOOR, 0); ++ ioctl(fd, CDROM_LOCKDOOR, 0); + error = ioctl(fd, CDROMEJECT, 0); + } + if (error) { +-- +2.28.0 + diff --git a/SOURCES/0015-ssl_verify-Do-not-check-IP-if-we-fail-to-resolve-it.patch b/SOURCES/0015-ssl_verify-Do-not-check-IP-if-we-fail-to-resolve-it.patch new file mode 100644 index 0000000..3bc60d7 --- /dev/null +++ b/SOURCES/0015-ssl_verify-Do-not-check-IP-if-we-fail-to-resolve-it.patch @@ -0,0 +1,66 @@ +From c39cc1b1ef5165523f3394f06a65cc9a6c65b7ae Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Thu, 27 Aug 2020 17:57:36 +0100 +Subject: [PATCH] ssl_verify: Do not check IP if we fail to resolve it + +There's no point on checking an empty IP address, an IP +address is never empty. +This also solve some compiler warnings trying to possibly +pass a NULL pointer to memcmp or setting a variable without +reading it. + +Signed-off-by: Frediano Ziglio +Acked-by: Uri Lublin +--- + common/ssl_verify.c | 21 ++++++++++----------- + 1 file changed, 10 insertions(+), 11 deletions(-) + +diff --git a/subprojects/spice-common/common/ssl_verify.c b/subprojects/spice-common/common/ssl_verify.c +index dee719f..9ee8059 100644 +--- a/subprojects/spice-common/common/ssl_verify.c ++++ b/subprojects/spice-common/common/ssl_verify.c +@@ -196,21 +196,22 @@ static int verify_hostname(X509* cert, const char *hostname) + return 1; + } + } else if (name->type == GEN_IPADD) { +- GInetAddress * ip = NULL; +- const guint8 * ip_binary = NULL; +- int alt_ip_len = 0; +- int ip_len = 0; ++ GInetAddress * ip; ++ const guint8 * ip_binary; ++ int alt_ip_len; ++ int ip_len; + + found_dns_name = 1; + + ip = g_inet_address_new_from_string(hostname); +- if (ip != NULL) { +- ip_len = g_inet_address_get_native_size(ip); +- ip_binary = g_inet_address_to_bytes(ip); +- } else { ++ if (ip == NULL) { + spice_warning("Could not parse hostname: %s", hostname); ++ continue; + } + ++ ip_len = g_inet_address_get_native_size(ip); ++ ip_binary = g_inet_address_to_bytes(ip); ++ + alt_ip_len = ASN1_STRING_length(name->d.iPAddress); + + if ((ip_len == alt_ip_len) && +@@ -229,9 +230,7 @@ static int verify_hostname(X509* cert, const char *hostname) + GENERAL_NAMES_free(subject_alt_names); + return 1; + } +- if (ip != NULL) { +- g_object_unref(ip); +- } ++ g_object_unref(ip); + } + } + GENERAL_NAMES_free(subject_alt_names); +-- +2.28.0 + diff --git a/SOURCES/0016-usb-backend-Fix-spice-usbredir-redirect-on-connect-o.patch b/SOURCES/0016-usb-backend-Fix-spice-usbredir-redirect-on-connect-o.patch new file mode 100644 index 0000000..a948ca6 --- /dev/null +++ b/SOURCES/0016-usb-backend-Fix-spice-usbredir-redirect-on-connect-o.patch @@ -0,0 +1,37 @@ +From afc5872bff1eb327dd299bacdc4eec5e26d37a10 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Wed, 23 Sep 2020 17:05:01 +0100 +Subject: [PATCH] usb-backend: Fix spice-usbredir-redirect-on-connect option + +After commit 3e20f17b90598e740c4e274b81d99f28187da800 (cfr +"usb-redir: extend USB backend to support emulated devices") +this option stopped working, as devices are not redirected. +Data for device to guest were not written during initialisation. + +With this fix both spice-usbredir-redirect-on-connect and +spice-share-cd are working (even together). + +This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1874740. + +Signed-off-by: Frediano Ziglio +Acked-by: Uri Lublin +--- + src/usb-backend.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/usb-backend.c b/src/usb-backend.c +index a4a5f0a..857488e 100644 +--- a/src/usb-backend.c ++++ b/src/usb-backend.c +@@ -418,7 +418,7 @@ static void usbredir_write_flush_callback(void *user_data) + return; + } + if (is_channel_ready(ch->usbredir_channel)) { +- if (ch->state == USB_CHANNEL_STATE_HOST) { ++ if (ch->state != USB_CHANNEL_STATE_PARSER && ch->usbredirhost != NULL) { + SPICE_DEBUG("%s ch %p -> usbredirhost", __FUNCTION__, ch); + usbredirhost_write_guest_data(ch->usbredirhost); + } else { +-- +2.28.0 + diff --git a/SOURCES/0017-empty_cd_clicked_cb-g_free-basename.patch b/SOURCES/0017-empty_cd_clicked_cb-g_free-basename.patch new file mode 100644 index 0000000..18f855b --- /dev/null +++ b/SOURCES/0017-empty_cd_clicked_cb-g_free-basename.patch @@ -0,0 +1,33 @@ +From 20eebc549da508c82e139120b577b047c76964c3 Mon Sep 17 00:00:00 2001 +From: Uri Lublin +Date: Wed, 11 Nov 2020 14:12:19 +0200 +Subject: [PATCH 17/22] empty_cd_clicked_cb: g_free basename + +Fix the following static analyzer warning: + src/usb-device-widget.c:224: leaked_storage: Failing to save or free + storage allocated by "g_path_get_basename(filename)" leaks it. + +Signed-off-by: Uri Lublin +--- + src/usb-device-widget.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/usb-device-widget.c b/src/usb-device-widget.c +index 257e9e1..0ff4e52 100644 +--- a/src/usb-device-widget.c ++++ b/src/usb-device-widget.c +@@ -220,8 +220,10 @@ empty_cd_clicked_cb(GtkToggleButton *toggle, gpointer user_data) + + rc = spice_usb_device_manager_create_shared_cd_device(priv->manager, filename, &err); + if (!rc && err != NULL) { ++ const gchar *basename = g_path_get_basename(filename); + gchar *err_msg = g_strdup_printf(_("shared CD %s, %s"), +- g_path_get_basename(filename), err->message); ++ basename, err->message); ++ g_free((gpointer)basename); + + SPICE_DEBUG("Failed to create %s", err_msg); + spice_usb_device_widget_add_err_msg(self, err_msg); +-- +2.28.0 + diff --git a/SOURCES/0018-spice_usbutil_parse_usbids-verify-at-least-one-vendo.patch b/SOURCES/0018-spice_usbutil_parse_usbids-verify-at-least-one-vendo.patch new file mode 100644 index 0000000..299cd8c --- /dev/null +++ b/SOURCES/0018-spice_usbutil_parse_usbids-verify-at-least-one-vendo.patch @@ -0,0 +1,44 @@ +From 032ca202f839fe1c49cddfd2b0459f9fecc23c86 Mon Sep 17 00:00:00 2001 +From: Uri Lublin +Date: Wed, 11 Nov 2020 20:03:57 +0200 +Subject: [PATCH 18/22] spice_usbutil_parse_usbids: verify at least one vendor + and product + +Fixes the following clang warning: + src/usbutil.c:148:52: warning: Use of zero-allocated memory + ... + + product_info[product_count].product_id = id; + ^ + 146| while (isspace(line[0])) + 147| line++; + 148|-> product_info[product_count].product_id = id; + 149| snprintf(product_info[product_count].name, + 150| PRODUCT_NAME_LEN, "%s", line); + +Signed-off-by: Uri Lublin +--- + src/usbutil.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/src/usbutil.c b/src/usbutil.c +index 7d7f38a..f29302b 100644 +--- a/src/usbutil.c ++++ b/src/usbutil.c +@@ -113,6 +113,13 @@ static gboolean spice_usbutil_parse_usbids(gchar *path) + usbids_vendor_count++; + } + ++ if (usbids_vendor_info == 0 || product_count == 0) { ++ usbids_vendor_count = -1; ++ g_strfreev(lines); ++ g_free(contents); ++ return FALSE; ++ } ++ + usbids_vendor_info = g_new(usb_vendor_info, usbids_vendor_count); + product_info = g_new(usb_product_info, product_count); + +-- +2.28.0 + diff --git a/SOURCES/0019-sink_event_probe-do-not-keep-duration-in-a-variable.patch b/SOURCES/0019-sink_event_probe-do-not-keep-duration-in-a-variable.patch new file mode 100644 index 0000000..f27f04a --- /dev/null +++ b/SOURCES/0019-sink_event_probe-do-not-keep-duration-in-a-variable.patch @@ -0,0 +1,42 @@ +From bb4999f6e450aa1b1270ade7113966869fc4ed27 Mon Sep 17 00:00:00 2001 +From: Uri Lublin +Date: Wed, 11 Nov 2020 20:34:09 +0200 +Subject: [PATCH 19/22] sink_event_probe: do not keep duration in a variable + +If not ENABLE_RECORDER, then duration is assigned a value +but is never used - as the compiler optimizes it out. + +Fixes the following clang warning: + src/channel-display-gst.c:443:21: warning: Value stored to + 'duration' during its initialization is never read + +Signed-off-by: Uri Lublin +--- + src/channel-display-gst.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/channel-display-gst.c b/src/channel-display-gst.c +index c58a90f..36db3a3 100644 +--- a/src/channel-display-gst.c ++++ b/src/channel-display-gst.c +@@ -439,7 +439,6 @@ sink_event_probe(GstPad *pad, GstPadProbeInfo *info, gpointer data) + if (l) { + SpiceGstFrame *gstframe = l->data; + const SpiceFrame *frame = gstframe->encoded_frame; +- int64_t duration = g_get_monotonic_time() - frame->creation_time; + /* Note that queue_len (the length of the queue prior to adding + * this frame) is crucial to correctly interpret the decoding time: + * - Less than MAX_DECODED_FRAMES means nothing blocked the +@@ -450,7 +449,8 @@ sink_event_probe(GstPad *pad, GstPadProbeInfo *info, gpointer data) + record(frames_stats, + "frame mm_time %u size %u creation time %" PRId64 + " decoded time %" PRId64 " queue %u before %u", +- frame->mm_time, frame->size, frame->creation_time, duration, ++ frame->mm_time, frame->size, frame->creation_time, ++ g_get_monotonic_time() - frame->creation_time, + decoder->decoding_queue->length, gstframe->queue_len); + + if (!decoder->appsink) { +-- +2.28.0 + diff --git a/SOURCES/0020-mark_false_event_id-is-guint-assign-0-to-it-not-FALS.patch b/SOURCES/0020-mark_false_event_id-is-guint-assign-0-to-it-not-FALS.patch new file mode 100644 index 0000000..7984e75 --- /dev/null +++ b/SOURCES/0020-mark_false_event_id-is-guint-assign-0-to-it-not-FALS.patch @@ -0,0 +1,26 @@ +From df47365c32711bae5dfa163f8eba7b0f741326d6 Mon Sep 17 00:00:00 2001 +From: Uri Lublin +Date: Thu, 19 Nov 2020 19:30:54 +0200 +Subject: [PATCH 20/22] mark_false_event_id is guint, assign 0 to it not FALSE + +Signed-off-by: Uri Lublin +--- + src/channel-display.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/channel-display.c b/src/channel-display.c +index 023baa1..f52ef12 100644 +--- a/src/channel-display.c ++++ b/src/channel-display.c +@@ -1971,7 +1971,7 @@ static void display_handle_surface_create(SpiceChannel *channel, SpiceMsgIn *in) + create_canvas(channel, surface); + if (c->mark_false_event_id != 0) { + g_source_remove(c->mark_false_event_id); +- c->mark_false_event_id = FALSE; ++ c->mark_false_event_id = 0; + } + } else { + surface->primary = false; +-- +2.28.0 + diff --git a/SOURCES/0021-usb-backend-create_emulated_device-assert-address-32.patch b/SOURCES/0021-usb-backend-create_emulated_device-assert-address-32.patch new file mode 100644 index 0000000..f4df551 --- /dev/null +++ b/SOURCES/0021-usb-backend-create_emulated_device-assert-address-32.patch @@ -0,0 +1,33 @@ +From 35f6926328cd415f6ba24efe49c3f990e44a8948 Mon Sep 17 00:00:00 2001 +From: Uri Lublin +Date: Sun, 22 Nov 2020 16:21:00 +0200 +Subject: [PATCH 21/22] usb-backend: create_emulated_device: assert address < + 32 + +This may fix the following static analyzer issue: + src/usb-backend.c:1507: large_shift: In expression "1 << address", left + shifting by more than 31 bits has undefined behavior. + The shift amount, "address", is 32. + +Signed-off-by: Uri Lublin +--- + src/usb-backend.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/usb-backend.c b/src/usb-backend.c +index 857488e..c76d576 100644 +--- a/src/usb-backend.c ++++ b/src/usb-backend.c +@@ -1482,6 +1482,9 @@ spice_usb_backend_create_emulated_device(SpiceUsbBackend *be, + } + } + ++ // for static analyzers: it is already checked above ++ g_assert(address < 32); ++ + dev = g_new0(SpiceUsbDevice, 1); + dev->device_info.bus = BUS_NUMBER_FOR_EMULATED_USB; + dev->device_info.address = address; +-- +2.28.0 + diff --git a/SOURCES/0022-spice-utils-allocate-ctx-after-g_return_val_if_fail.patch b/SOURCES/0022-spice-utils-allocate-ctx-after-g_return_val_if_fail.patch new file mode 100644 index 0000000..ae8543f --- /dev/null +++ b/SOURCES/0022-spice-utils-allocate-ctx-after-g_return_val_if_fail.patch @@ -0,0 +1,48 @@ +From 1068e4d0e39f3d8f3390102863a02eaed7ee81b1 Mon Sep 17 00:00:00 2001 +From: Uri Lublin +Date: Mon, 23 Nov 2020 15:38:43 +0200 +Subject: [PATCH 22/22] spice-utils: allocate ctx after g_return_val_if_fail + +Fix the following issue: + Error: RESOURCE_LEAK + src/spice-util.c:235: alloc_fn: Storage is returned + from allocation function "whc_new". + src/spice-util.c:235: var_assign: Assigning: "ctx" = + storage returned from "whc_new(instance_obj, gobject)". + src/spice-util.c:237: leaked_storage: Variable "ctx" + going out of scope leaks the storage it points to. + + 235| WeakHandlerCtx *ctx = whc_new (instance_obj, gobject); + 236| + 237|-> g_return_val_if_fail (G_TYPE_CHECK_INSTANCE (instance), 0); + 238| g_return_val_if_fail (detailed_signal != NULL, 0); + 239| g_return_val_if_fail (c_handler != NULL, 0); + +Signed-off-by: Uri Lublin +--- + src/spice-util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/spice-util.c b/src/spice-util.c +index 1e49982..d0c56ba 100644 +--- a/src/spice-util.c ++++ b/src/spice-util.c +@@ -231,7 +231,6 @@ gulong spice_g_signal_connect_object (gpointer instance, + GConnectFlags connect_flags) + { + GObject *instance_obj = G_OBJECT (instance); +- WeakHandlerCtx *ctx = whc_new (instance_obj, gobject); + + g_return_val_if_fail (G_TYPE_CHECK_INSTANCE (instance), 0); + g_return_val_if_fail (detailed_signal != NULL, 0); +@@ -240,6 +239,7 @@ gulong spice_g_signal_connect_object (gpointer instance, + g_return_val_if_fail ( + (connect_flags & ~(G_CONNECT_AFTER|G_CONNECT_SWAPPED)) == 0, 0); + ++ WeakHandlerCtx *ctx = whc_new (instance_obj, gobject); + if (connect_flags & G_CONNECT_SWAPPED) + ctx->closure = g_cclosure_new_object_swap (c_handler, gobject); + else +-- +2.28.0 + diff --git a/SOURCES/0023-channel-main-Fix-indentation.patch b/SOURCES/0023-channel-main-Fix-indentation.patch new file mode 100644 index 0000000..d1d7837 --- /dev/null +++ b/SOURCES/0023-channel-main-Fix-indentation.patch @@ -0,0 +1,118 @@ +From 1defa5c0f0107b8496b7696408aad064c65947a5 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Tue, 17 Mar 2020 21:27:19 +0000 +Subject: [PATCH] channel-main: Fix indentation + +Signed-off-by: Frediano Ziglio +Acked-by: Victor Toso +--- + src/channel-main.c | 36 +++++++++++++++++++----------------- + 1 file changed, 19 insertions(+), 17 deletions(-) + +diff --git a/src/channel-main.c b/src/channel-main.c +index 1e85a36..0a0b9ca 100644 +--- a/src/channel-main.c ++++ b/src/channel-main.c +@@ -283,13 +283,13 @@ static void spice_main_get_property(GObject *object, + switch (prop_id) { + case PROP_MOUSE_MODE: + g_value_set_int(value, c->mouse_mode); +- break; ++ break; + case PROP_AGENT_CONNECTED: + g_value_set_boolean(value, c->agent_connected); +- break; ++ break; + case PROP_AGENT_CAPS_0: + g_value_set_int(value, c->agent_caps[0]); +- break; ++ break; + case PROP_DISPLAY_DISABLE_WALLPAPER: + g_value_set_boolean(value, c->display_disable_wallpaper); + break; +@@ -312,8 +312,8 @@ static void spice_main_get_property(GObject *object, + g_value_set_int(value, spice_main_get_max_clipboard(self)); + break; + default: +- G_OBJECT_WARN_INVALID_PROPERTY_ID(object, prop_id, pspec); +- break; ++ G_OBJECT_WARN_INVALID_PROPERTY_ID(object, prop_id, pspec); ++ break; + } + } + +@@ -346,8 +346,8 @@ static void spice_main_set_property(GObject *gobject, guint prop_id, + spice_main_set_max_clipboard(self, g_value_get_int(value)); + break; + default: +- G_OBJECT_WARN_INVALID_PROPERTY_ID(gobject, prop_id, pspec); +- break; ++ G_OBJECT_WARN_INVALID_PROPERTY_ID(gobject, prop_id, pspec); ++ break; + } + } + +@@ -2051,9 +2051,10 @@ static void main_agent_handle_msg(SpiceChannel *channel, + g_coroutine_signal_emit(self, signals[SPICE_MAIN_CLIPBOARD_SELECTION], 0, selection, + cb->type, cb->data, msg->size - sizeof(VDAgentClipboard)); + +- if (selection == VD_AGENT_CLIPBOARD_SELECTION_CLIPBOARD) +- g_coroutine_signal_emit(self, signals[SPICE_MAIN_CLIPBOARD], 0, +- cb->type, cb->data, msg->size - sizeof(VDAgentClipboard)); ++ if (selection == VD_AGENT_CLIPBOARD_SELECTION_CLIPBOARD) { ++ g_coroutine_signal_emit(self, signals[SPICE_MAIN_CLIPBOARD], 0, ++ cb->type, cb->data, msg->size - sizeof(VDAgentClipboard)); ++ } + break; + } + case VD_AGENT_CLIPBOARD_GRAB: +@@ -2075,10 +2076,11 @@ static void main_agent_handle_msg(SpiceChannel *channel, + } + + g_coroutine_signal_emit(self, signals[SPICE_MAIN_CLIPBOARD_SELECTION_GRAB], 0, selection, +- (guint8*)payload, msg->size / sizeof(uint32_t), &ret); +- if (selection == VD_AGENT_CLIPBOARD_SELECTION_CLIPBOARD) ++ (guint8*)payload, msg->size / sizeof(uint32_t), &ret); ++ if (selection == VD_AGENT_CLIPBOARD_SELECTION_CLIPBOARD) { + g_coroutine_signal_emit(self, signals[SPICE_MAIN_CLIPBOARD_GRAB], 0, +- payload, msg->size / sizeof(uint32_t), &ret); ++ payload, msg->size / sizeof(uint32_t), &ret); ++ } + break; + } + case VD_AGENT_CLIPBOARD_REQUEST: +@@ -2086,11 +2088,11 @@ static void main_agent_handle_msg(SpiceChannel *channel, + gboolean ret; + VDAgentClipboardRequest *req = payload; + g_coroutine_signal_emit(self, signals[SPICE_MAIN_CLIPBOARD_SELECTION_REQUEST], 0, selection, +- req->type, &ret); ++ req->type, &ret); + + if (selection == VD_AGENT_CLIPBOARD_SELECTION_CLIPBOARD) + g_coroutine_signal_emit(self, signals[SPICE_MAIN_CLIPBOARD_REQUEST], 0, +- req->type, &ret); ++ req->type, &ret); + break; + } + case VD_AGENT_CLIPBOARD_RELEASE: +@@ -2333,7 +2335,7 @@ static gboolean migrate_connect(gpointer data) + host = (char*)info->host_data; + + if (info->cert_subject_size == 0 || +- strlen((const char*)info->cert_subject_data) == 0) { ++ strlen((const char*)info->cert_subject_data) == 0) { + /* only verify hostname if no cert subject */ + g_object_set(mig->session, "verify", SPICE_SESSION_VERIFY_HOSTNAME, NULL); + } else { +@@ -2690,7 +2692,7 @@ void spice_main_update_display(SpiceMainChannel *channel, int id, + * Since: 0.35 + **/ + void spice_main_channel_update_display(SpiceMainChannel *channel, int id, int x, int y, int width, +- int height, gboolean update) ++ int height, gboolean update) + { + SpiceMainChannelPrivate *c; + +-- +2.28.0 + diff --git a/SOURCES/0024-channel-main-Fix-indentation.patch b/SOURCES/0024-channel-main-Fix-indentation.patch new file mode 100644 index 0000000..1079e96 --- /dev/null +++ b/SOURCES/0024-channel-main-Fix-indentation.patch @@ -0,0 +1,40 @@ +From 3c933f53bfa9b679750f5d0bbdc7707134d88598 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Fri, 20 Mar 2020 05:19:49 +0000 +Subject: [PATCH] channel-main: Fix indentation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Some mistake in recent patch, thanks to Marc-André's eagle eyes. + +Signed-off-by: Frediano Ziglio +Acked-by: Victor Toso +--- + src/channel-main.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/channel-main.c b/src/channel-main.c +index d7669e8..6a1bb40 100644 +--- a/src/channel-main.c ++++ b/src/channel-main.c +@@ -283,13 +283,13 @@ static void spice_main_get_property(GObject *object, + switch (prop_id) { + case PROP_MOUSE_MODE: + g_value_set_int(value, c->mouse_mode); +- break; ++ break; + case PROP_AGENT_CONNECTED: + g_value_set_boolean(value, c->agent_connected); +- break; ++ break; + case PROP_AGENT_CAPS_0: + g_value_set_int(value, c->agent_caps[0]); +- break; ++ break; + case PROP_DISPLAY_DISABLE_WALLPAPER: + g_value_set_boolean(value, c->display_disable_wallpaper); + break; +-- +2.28.0 + diff --git a/SOURCES/0025-channel-main-Remove-unused-declaration.patch b/SOURCES/0025-channel-main-Remove-unused-declaration.patch new file mode 100644 index 0000000..ee8a4b3 --- /dev/null +++ b/SOURCES/0025-channel-main-Remove-unused-declaration.patch @@ -0,0 +1,42 @@ +From 41c8a60e5e9451080863d2f87bb0f5007a71cc34 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Tue, 4 Aug 2020 15:50:03 +0100 +Subject: [PATCH] channel-main: Remove unused declaration + +OldRedMigrationBegin is not used. Last usage removed in + + commit f944ad6935f12efe47f78cbde1c5e6db31442597 + + More cleanup for old protocol support + + Support for protocol version 1 was dropped in commit f77a1d50. + +Signed-off-by: Frediano Ziglio +--- + src/channel-main.c | 10 ---------- + 1 file changed, 10 deletions(-) + +diff --git a/src/channel-main.c b/src/channel-main.c +index e944771..3dd94a2 100644 +--- a/src/channel-main.c ++++ b/src/channel-main.c +@@ -2326,16 +2326,6 @@ static gboolean main_migrate_handshake_done(gpointer data) + return FALSE; + } + +-#ifdef __GNUC__ +-typedef struct __attribute__ ((__packed__)) OldRedMigrationBegin { +-#else +-typedef struct __declspec(align(1)) OldRedMigrationBegin { +-#endif +- uint16_t port; +- uint16_t sport; +- char host[0]; +-} OldRedMigrationBegin; +- + /* main context */ + static gboolean migrate_connect(gpointer data) + { +-- +2.28.0 + diff --git a/SOURCES/0026-main-add-a-few-missing-vdagent-capability-descriptio.patch b/SOURCES/0026-main-add-a-few-missing-vdagent-capability-descriptio.patch new file mode 100644 index 0000000..8d08d54 --- /dev/null +++ b/SOURCES/0026-main-add-a-few-missing-vdagent-capability-descriptio.patch @@ -0,0 +1,26 @@ +From 8d60d4fc3fe0bd620f216091b24bbb8b72bb055a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Mon, 17 Aug 2020 14:36:05 +0400 +Subject: [PATCH] main: add a few missing vdagent capability descriptions + +Acked-by: Frediano Ziglio +--- + src/channel-main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/channel-main.c b/src/channel-main.c +index 3dd94a2..671716a 100644 +--- a/src/channel-main.c ++++ b/src/channel-main.c +@@ -222,6 +222,8 @@ static const char *agent_caps[] = { + [ VD_AGENT_CAP_AUDIO_VOLUME_SYNC ] = "volume-sync", + [ VD_AGENT_CAP_MONITORS_CONFIG_POSITION ] = "monitors config position", + [ VD_AGENT_CAP_FILE_XFER_DISABLED ] = "file transfer disabled", ++ [ VD_AGENT_CAP_FILE_XFER_DETAILED_ERRORS ] = "file transfer detailed errors", ++ [ VD_AGENT_CAP_GRAPHICS_DEVICE_INFO ] = "graphics device info", + [ VD_AGENT_CAP_CLIPBOARD_NO_RELEASE_ON_REGRAB ] = "no release on re-grab", + [ VD_AGENT_CAP_CLIPBOARD_GRAB_SERIAL ] = "clipboard grab serial", + }; +-- +2.28.0 + diff --git a/SOURCES/0027-main-add-stricter-pre-condition-on-display-id-value.patch b/SOURCES/0027-main-add-stricter-pre-condition-on-display-id-value.patch new file mode 100644 index 0000000..60ec0f5 --- /dev/null +++ b/SOURCES/0027-main-add-stricter-pre-condition-on-display-id-value.patch @@ -0,0 +1,39 @@ +From e521ddee98961bb30a7a3d93c6c01dddb7da3662 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= +Date: Tue, 15 Sep 2020 13:09:46 +0400 +Subject: [PATCH] main: add stricter pre-condition on display id value +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Marc-André Lureau +Acked-by: Frediano Ziglio +--- + src/channel-main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/channel-main.c b/src/channel-main.c +index 671716a..5fcf8e8 100644 +--- a/src/channel-main.c ++++ b/src/channel-main.c +@@ -2723,7 +2723,7 @@ void spice_main_channel_update_display(SpiceMainChannel *channel, int id, int x, + + c = SPICE_MAIN_CHANNEL(channel)->priv; + +- g_return_if_fail(id < SPICE_N_ELEMENTS(c->display)); ++ g_return_if_fail(id >= 0 && id < SPICE_N_ELEMENTS(c->display)); + + SpiceDisplayConfig display = { + .x = x, .y = y, .width = width, .height = height, +@@ -3040,7 +3040,7 @@ void spice_main_channel_update_display_enabled(SpiceMainChannel *channel, int id + c->display[i].display_state = display_state; + } + } else { +- g_return_if_fail(id < G_N_ELEMENTS(c->display)); ++ g_return_if_fail(id >= 0 && id < G_N_ELEMENTS(c->display)); + if (c->display[id].display_state == display_state) + return; + c->display[id].display_state = display_state; +-- +2.28.0 + diff --git a/SOURCES/0028-channel-main-Use-heap-and-reference-counting-for-spi.patch b/SOURCES/0028-channel-main-Use-heap-and-reference-counting-for-spi.patch new file mode 100644 index 0000000..1744443 --- /dev/null +++ b/SOURCES/0028-channel-main-Use-heap-and-reference-counting-for-spi.patch @@ -0,0 +1,273 @@ +From 8f1147b4119f920b69eb9c577121cbd5ac1e1d70 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Mon, 10 Aug 2020 15:27:09 +0100 +Subject: [PATCH 28/31] channel-main: Use heap and reference counting for + spice_migrate + +Don't use the stack, it will potentially disappear (see mig +variable in main_migrate_connect). +For instance channels use this structure when they are freed. As +the free is done in delayed mode the initial coroutine could be +ended releasing the stack and causing a segmentation fault. + +This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1867564. + +Signed-off-by: Frediano Ziglio +Acked-by: Uri Lublin +--- + src/channel-main.c | 110 ++++++++++++++++++++++++++++++++------------- + 1 file changed, 78 insertions(+), 32 deletions(-) + +diff --git a/src/channel-main.c b/src/channel-main.c +index 79fe63c..8caf727 100644 +--- a/src/channel-main.c ++++ b/src/channel-main.c +@@ -123,6 +123,7 @@ struct spice_migrate { + struct coroutine *from; + SpiceMigrationDstInfo *info; + SpiceSession *session; ++ int ref_count; + guint nchannels; + SpiceChannel *src_channel; + SpiceChannel *dst_channel; +@@ -175,8 +176,8 @@ static void channel_set_handlers(SpiceChannelClass *klass); + static void agent_send_msg_queue(SpiceMainChannel *channel); + static void agent_free_msg_queue(SpiceMainChannel *channel); + static void migrate_channel_event_cb(SpiceChannel *channel, SpiceChannelEvent event, +- gpointer data); +-static gboolean main_migrate_handshake_done(gpointer data); ++ spice_migrate *mig); ++static gboolean main_migrate_handshake_done(spice_migrate *mig); + static void spice_main_channel_send_migration_handshake(SpiceChannel *channel); + static void file_xfer_flushed(SpiceMainChannel *channel, gboolean success); + static void file_xfer_read_async_cb(GObject *source_object, +@@ -193,6 +194,7 @@ static void file_transfer_operation_task_finished(SpiceFileTransferTask *xfer_ta + GError *error, + gpointer userdata); + static void file_transfer_operation_send_progress(SpiceFileTransferTask *xfer_task); ++static void spice_migrate_unref(spice_migrate *mig); + + /* ------------------------------------------------------------------ */ + +@@ -387,6 +389,7 @@ static void spice_main_channel_finalize(GObject *obj) + { + SpiceMainChannelPrivate *c = SPICE_MAIN_CHANNEL(obj)->priv; + ++ spice_migrate_unref(c->migrate_data); + g_free(c->agent_msg_data); + agent_free_msg_queue(SPICE_MAIN_CHANNEL(obj)); + +@@ -2242,11 +2245,50 @@ static void main_handle_agent_token(SpiceChannel *channel, SpiceMsgIn *in) + agent_send_msg_queue(SPICE_MAIN_CHANNEL(channel)); + } + ++static spice_migrate* ++spice_migrate_ref(spice_migrate *mig) ++{ ++ if (mig != NULL) { ++ mig->ref_count++; ++ } ++ return mig; ++} ++ ++static void ++spice_migrate_unref(spice_migrate *mig) ++{ ++ if (mig != NULL && --mig->ref_count == 0) { ++ g_free(mig); ++ } ++} ++ ++static inline void ++spice_migrate_idle_add(gboolean (*func)(spice_migrate *mig), spice_migrate *mig) ++{ ++ g_idle_add_full(G_PRIORITY_DEFAULT_IDLE, (GSourceFunc) func, spice_migrate_ref(mig), ++ (GDestroyNotify) spice_migrate_unref); ++} ++ ++static void ++spice_migrate_closure_unref(spice_migrate *mig, GClosure *closure) ++{ ++ spice_migrate_unref(mig); ++} ++ ++static gulong ++spice_migrate_signal_connect(gpointer instance, const gchar *detailed_signal, ++ GCallback func, spice_migrate *mig) ++{ ++ return g_signal_connect_data(instance, detailed_signal, func, spice_migrate_ref(mig), ++ (GClosureNotify) spice_migrate_closure_unref, ++ (GConnectFlags) 0); ++} ++ + /* main context */ +-static void migrate_channel_new_cb(SpiceSession *s, SpiceChannel *channel, gpointer data) ++static void migrate_channel_new_cb(SpiceSession *s, SpiceChannel *channel, spice_migrate *mig) + { +- g_signal_connect(channel, "channel-event", +- G_CALLBACK(migrate_channel_event_cb), data); ++ spice_migrate_signal_connect(channel, "channel-event", ++ G_CALLBACK(migrate_channel_event_cb), mig); + } + + static void +@@ -2267,7 +2309,7 @@ static void spice_main_channel_send_migration_handshake(SpiceChannel *channel) + + if (!spice_channel_test_capability(channel, SPICE_MAIN_CAP_SEAMLESS_MIGRATE)) { + c->migrate_data->do_seamless = false; +- g_idle_add(main_migrate_handshake_done, c->migrate_data); ++ spice_migrate_idle_add(main_migrate_handshake_done, c->migrate_data); + } else { + SpiceMsgcMainMigrateDstDoSeamless msg_data; + SpiceMsgOut *msg_out; +@@ -2282,13 +2324,12 @@ static void spice_main_channel_send_migration_handshake(SpiceChannel *channel) + + /* main context */ + static void migrate_channel_event_cb(SpiceChannel *channel, SpiceChannelEvent event, +- gpointer data) ++ spice_migrate *mig) + { +- spice_migrate *mig = data; + SpiceChannelPrivate *c = SPICE_CHANNEL(channel)->priv; + + g_return_if_fail(mig->nchannels > 0); +- g_signal_handlers_disconnect_by_func(channel, migrate_channel_event_cb, data); ++ g_signal_handlers_disconnect_by_func(channel, migrate_channel_event_cb, mig); + + switch (event) { + case SPICE_CHANNEL_OPENED: +@@ -2299,7 +2340,8 @@ static void migrate_channel_event_cb(SpiceChannel *channel, SpiceChannelEvent ev + + c->state = SPICE_CHANNEL_STATE_MIGRATION_HANDSHAKE; + mig->dst_channel = channel; +- main_priv->migrate_data = mig; ++ spice_migrate_unref(main_priv->migrate_data); ++ main_priv->migrate_data = spice_migrate_ref(mig); + } else { + c->state = SPICE_CHANNEL_STATE_MIGRATING; + mig->nchannels--; +@@ -2332,9 +2374,8 @@ static void migrate_channel_event_cb(SpiceChannel *channel, SpiceChannelEvent ev + } + + /* main context */ +-static gboolean main_migrate_handshake_done(gpointer data) ++static gboolean main_migrate_handshake_done(spice_migrate *mig) + { +- spice_migrate *mig = data; + SpiceChannelPrivate *c = SPICE_CHANNEL(mig->dst_channel)->priv; + + g_return_val_if_fail(c->channel_type == SPICE_CHANNEL_MAIN, FALSE); +@@ -2348,9 +2389,8 @@ static gboolean main_migrate_handshake_done(gpointer data) + } + + /* main context */ +-static gboolean migrate_connect(gpointer data) ++static gboolean migrate_connect(spice_migrate *mig) + { +- spice_migrate *mig = data; + SpiceChannelPrivate *c; + int port, sport; + const char *host; +@@ -2393,8 +2433,8 @@ static gboolean migrate_connect(gpointer data) + g_object_set(mig->session, "host", host, NULL); + spice_session_set_port(mig->session, port, FALSE); + spice_session_set_port(mig->session, sport, TRUE); +- g_signal_connect(mig->session, "channel-new", +- G_CALLBACK(migrate_channel_new_cb), mig); ++ spice_migrate_signal_connect(mig->session, "channel-new", ++ G_CALLBACK(migrate_channel_new_cb), mig); + + g_signal_emit(mig->src_channel, signals[SPICE_MIGRATION_STARTED], 0, + mig->session); +@@ -2414,50 +2454,56 @@ static void main_migrate_connect(SpiceChannel *channel, + { + SpiceMainChannelPrivate *main_priv = SPICE_MAIN_CHANNEL(channel)->priv; + int reply_type = SPICE_MSGC_MAIN_MIGRATE_CONNECT_ERROR; +- spice_migrate mig = { 0, }; ++ spice_migrate *mig; + SpiceMsgOut *out; + SpiceSession *session; + +- mig.src_channel = channel; +- mig.info = dst_info; +- mig.from = coroutine_self(); +- mig.do_seamless = do_seamless; +- mig.src_mig_version = src_mig_version; ++ mig = spice_new0(spice_migrate, 1); ++ mig->ref_count = 1; ++ mig->src_channel = channel; ++ mig->info = dst_info; ++ mig->from = coroutine_self(); ++ mig->do_seamless = do_seamless; ++ mig->src_mig_version = src_mig_version; + + CHANNEL_DEBUG(channel, "migrate connect"); + session = spice_channel_get_session(channel); +- mig.session = spice_session_new_from_session(session); +- if (mig.session == NULL) ++ mig->session = spice_session_new_from_session(session); ++ if (mig->session == NULL) { + goto end; +- if (!spice_session_set_migration_session(session, mig.session)) ++ } ++ if (!spice_session_set_migration_session(session, mig->session)) { + goto end; ++ } + +- main_priv->migrate_data = &mig; ++ spice_migrate_unref(main_priv->migrate_data); ++ main_priv->migrate_data = spice_migrate_ref(mig); + + /* no need to track idle, call is sync for this coroutine */ +- g_idle_add(migrate_connect, &mig); ++ spice_migrate_idle_add(migrate_connect, mig); + + /* switch to main loop and wait for connections */ + coroutine_yield(NULL); + +- if (mig.nchannels != 0) { ++ if (mig->nchannels != 0) { + CHANNEL_DEBUG(channel, "migrate failed: some channels failed to connect"); + spice_session_abort_migration(session); + } else { +- if (mig.do_seamless) { ++ if (mig->do_seamless) { + SPICE_DEBUG("migration (seamless): connections all ok"); + reply_type = SPICE_MSGC_MAIN_MIGRATE_CONNECTED_SEAMLESS; + } else { + SPICE_DEBUG("migration (semi-seamless): connections all ok"); + reply_type = SPICE_MSGC_MAIN_MIGRATE_CONNECTED; + } +- spice_session_start_migrating(session, mig.do_seamless); ++ spice_session_start_migrating(session, mig->do_seamless); + } + + end: + CHANNEL_DEBUG(channel, "migrate connect reply %d", reply_type); + out = spice_msg_out_new(channel, reply_type); + spice_msg_out_send(out); ++ spice_migrate_unref(mig); + } + + /* coroutine context */ +@@ -2489,7 +2535,7 @@ static void main_handle_migrate_dst_seamless_ack(SpiceChannel *channel, SpiceMsg + + g_return_if_fail(c->state == SPICE_CHANNEL_STATE_MIGRATION_HANDSHAKE); + main_priv->migrate_data->do_seamless = true; +- g_idle_add(main_migrate_handshake_done, main_priv->migrate_data); ++ spice_migrate_idle_add(main_migrate_handshake_done, main_priv->migrate_data); + } + + static void main_handle_migrate_dst_seamless_nack(SpiceChannel *channel, SpiceMsgIn *in) +@@ -2501,7 +2547,7 @@ static void main_handle_migrate_dst_seamless_nack(SpiceChannel *channel, SpiceMs + + g_return_if_fail(c->state == SPICE_CHANNEL_STATE_MIGRATION_HANDSHAKE); + main_priv->migrate_data->do_seamless = false; +- g_idle_add(main_migrate_handshake_done, main_priv->migrate_data); ++ spice_migrate_idle_add(main_migrate_handshake_done, main_priv->migrate_data); + } + + /* main context */ +-- +2.28.0 + diff --git a/SOURCES/0029-channel-main-Copy-SpiceMigrationDstInfo-into-spice_m.patch b/SOURCES/0029-channel-main-Copy-SpiceMigrationDstInfo-into-spice_m.patch new file mode 100644 index 0000000..29959c4 --- /dev/null +++ b/SOURCES/0029-channel-main-Copy-SpiceMigrationDstInfo-into-spice_m.patch @@ -0,0 +1,71 @@ +From ab42be2b00d12d0bc98c6ddea08a7f969e83b2ac Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Mon, 10 Aug 2020 15:35:26 +0100 +Subject: [PATCH 29/31] channel-main: Copy SpiceMigrationDstInfo into + spice_migrate + +The message could disappear while the structure is used. + +Signed-off-by: Frediano Ziglio +Acked-by: Uri Lublin +--- + src/channel-main.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/src/channel-main.c b/src/channel-main.c +index 8caf727..5f81975 100644 +--- a/src/channel-main.c ++++ b/src/channel-main.c +@@ -121,7 +121,7 @@ struct _SpiceMainChannelPrivate { + + struct spice_migrate { + struct coroutine *from; +- SpiceMigrationDstInfo *info; ++ SpiceMigrationDstInfo info; + SpiceSession *session; + int ref_count; + guint nchannels; +@@ -2258,6 +2258,8 @@ static void + spice_migrate_unref(spice_migrate *mig) + { + if (mig != NULL && --mig->ref_count == 0) { ++ g_free(mig->info.host_data); ++ g_free(mig->info.cert_subject_data); + g_free(mig); + } + } +@@ -2396,7 +2398,6 @@ static gboolean migrate_connect(spice_migrate *mig) + const char *host; + + g_return_val_if_fail(mig != NULL, FALSE); +- g_return_val_if_fail(mig->info != NULL, FALSE); + g_return_val_if_fail(mig->nchannels == 0, FALSE); + c = SPICE_CHANNEL(mig->src_channel)->priv; + g_return_val_if_fail(c != NULL, FALSE); +@@ -2404,7 +2405,7 @@ static gboolean migrate_connect(spice_migrate *mig) + + spice_session_set_migration_state(mig->session, SPICE_SESSION_MIGRATION_CONNECTING); + +- SpiceMigrationDstInfo *info = mig->info; ++ SpiceMigrationDstInfo *info = &mig->info; + SPICE_DEBUG("migrate_begin %u %s %d %d", + info->host_size, info->host_data, info->port, info->sport); + port = info->port; +@@ -2461,7 +2462,13 @@ static void main_migrate_connect(SpiceChannel *channel, + mig = spice_new0(spice_migrate, 1); + mig->ref_count = 1; + mig->src_channel = channel; +- mig->info = dst_info; ++ mig->info = *dst_info; ++ if (dst_info->host_data) { ++ mig->info.host_data = (void *) g_strdup((char*) dst_info->host_data); ++ } ++ if (dst_info->cert_subject_data) { ++ mig->info.cert_subject_data = (void *) g_strdup((char*) dst_info->cert_subject_data); ++ } + mig->from = coroutine_self(); + mig->do_seamless = do_seamless; + mig->src_mig_version = src_mig_version; +-- +2.28.0 + diff --git a/SOURCES/0030-channel-main-Make-more-clear-that-host_data-and-cert.patch b/SOURCES/0030-channel-main-Make-more-clear-that-host_data-and-cert.patch new file mode 100644 index 0000000..4010f4b --- /dev/null +++ b/SOURCES/0030-channel-main-Make-more-clear-that-host_data-and-cert.patch @@ -0,0 +1,47 @@ +From 1f2a7a079a42ac9bccc12749c5eac4fcdbd48b2e Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Wed, 16 Sep 2020 17:12:14 +0100 +Subject: [PATCH 30/31] channel-main: Make more clear that host_data and + cert_subject_data are C strings + +After commit ab42be2b00d12d0bc98c6ddea08a7f969e83b2ac ("channel-main: +Copy SpiceMigrationDstInfo into spice_migrate") host_data and +cert_subject_data fields in spice_migrate structure are proper +terminated C strings so: +- check pointer instead of related field; +- you don't need to terminate again. + +Signed-off-by: Frediano Ziglio +Acked-by: Uri Lublin +--- + src/channel-main.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/src/channel-main.c b/src/channel-main.c +index 5f81975..2881d59 100644 +--- a/src/channel-main.c ++++ b/src/channel-main.c +@@ -2412,18 +2412,14 @@ static gboolean migrate_connect(spice_migrate *mig) + sport = info->sport; + host = (char*)info->host_data; + +- if (info->cert_subject_size == 0 || ++ if (info->cert_subject_data == NULL || + strlen((const char*)info->cert_subject_data) == 0) { + /* only verify hostname if no cert subject */ + g_object_set(mig->session, "verify", SPICE_SESSION_VERIFY_HOSTNAME, NULL); + } else { +- gchar *subject = g_alloca(info->cert_subject_size + 1); +- strncpy(subject, (const char*)info->cert_subject_data, info->cert_subject_size); +- subject[info->cert_subject_size] = '\0'; +- + // session data are already copied + g_object_set(mig->session, +- "cert-subject", subject, ++ "cert-subject", info->cert_subject_data, + "verify", SPICE_SESSION_VERIFY_SUBJECT, + NULL); + } +-- +2.28.0 + diff --git a/SOURCES/0031-channel-main-Handle-not-terminated-host_data-and-cer.patch b/SOURCES/0031-channel-main-Handle-not-terminated-host_data-and-cer.patch new file mode 100644 index 0000000..7abc850 --- /dev/null +++ b/SOURCES/0031-channel-main-Handle-not-terminated-host_data-and-cer.patch @@ -0,0 +1,38 @@ +From 9b98e01c8f5d0dc8faaf3af7b8fc95768e1ff0ad Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Wed, 16 Sep 2020 15:50:33 +0100 +Subject: [PATCH 31/31] channel-main: Handle not terminated host_data and + cert_subject_data fields + +host_data and cert_subject_data fields from SPICE messages could be +not NUL terminated so using g_strdup can lead to some read overflow. + +This bug was discovered by Uri Lublin. + +Signed-off-by: Frediano Ziglio +Acked-by: Uri Lublin +--- + src/channel-main.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/channel-main.c b/src/channel-main.c +index 2881d59..5fefded 100644 +--- a/src/channel-main.c ++++ b/src/channel-main.c +@@ -2460,10 +2460,11 @@ static void main_migrate_connect(SpiceChannel *channel, + mig->src_channel = channel; + mig->info = *dst_info; + if (dst_info->host_data) { +- mig->info.host_data = (void *) g_strdup((char*) dst_info->host_data); ++ mig->info.host_data = (void *) g_strndup((char*) dst_info->host_data, dst_info->host_size); + } + if (dst_info->cert_subject_data) { +- mig->info.cert_subject_data = (void *) g_strdup((char*) dst_info->cert_subject_data); ++ mig->info.cert_subject_data = (void *) g_strndup((char*) dst_info->cert_subject_data, ++ dst_info->cert_subject_size); + } + mig->from = coroutine_self(); + mig->do_seamless = do_seamless; +-- +2.28.0 + diff --git a/SPECS/spice-gtk.spec b/SPECS/spice-gtk.spec index 4716615..199c863 100644 --- a/SPECS/spice-gtk.spec +++ b/SPECS/spice-gtk.spec @@ -2,7 +2,7 @@ Name: spice-gtk Version: 0.38 -Release: 3%{?dist} +Release: 6%{?dist} Summary: A GTK+ widget for SPICE clients Group: System Environment/Libraries @@ -25,6 +25,31 @@ Patch0010: 0010-quic-Check-we-have-some-data-to-start-decoding-quic-.patch Patch0011: 0011-quic-Check-image-size-in-quic_decode_begin.patch Patch0012: 0012-quic-Check-RLE-lengths.patch Patch0013: 0013-quic-Avoid-possible-buffer-overflow-in-find_bucket.patch +Patch0014: 0014-Remove-some-warnings-from-Clang-static-analyzer.patch +Patch0015: 0015-ssl_verify-Do-not-check-IP-if-we-fail-to-resolve-it.patch +Patch0016: 0016-usb-backend-Fix-spice-usbredir-redirect-on-connect-o.patch + +Patch0017: 0017-empty_cd_clicked_cb-g_free-basename.patch +Patch0018: 0018-spice_usbutil_parse_usbids-verify-at-least-one-vendo.patch +Patch0019: 0019-sink_event_probe-do-not-keep-duration-in-a-variable.patch +Patch0020: 0020-mark_false_event_id-is-guint-assign-0-to-it-not-FALS.patch +Patch0021: 0021-usb-backend-create_emulated_device-assert-address-32.patch +Patch0022: 0022-spice-utils-allocate-ctx-after-g_return_val_if_fail.patch + +# migration fixes: some earlier patches to make the following patches apply +Patch0023: 0023-channel-main-Fix-indentation.patch +Patch0024: 0024-channel-main-Fix-indentation.patch +Patch0025: 0025-channel-main-Remove-unused-declaration.patch +# related to patch 0009 +Patch0026: 0026-main-add-a-few-missing-vdagent-capability-descriptio.patch +# same file, safer code +Patch0027: 0027-main-add-stricter-pre-condition-on-display-id-value.patch +# migration fixes: the patches +Patch0028: 0028-channel-main-Use-heap-and-reference-counting-for-spi.patch +Patch0029: 0029-channel-main-Copy-SpiceMigrationDstInfo-into-spice_m.patch +Patch0030: 0030-channel-main-Make-more-clear-that-host_data-and-cert.patch +Patch0031: 0031-channel-main-Handle-not-terminated-host_data-and-cer.patch + BuildRequires: meson BuildRequires: git-core @@ -193,11 +218,25 @@ gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} %{_bindir}/spicy-stats %changelog +* Sun Dec 13 2020 Uri Lublin - 0.38-6 +- Fix some migration issues + Related: rhbz#1867564 + +* Thu Dec 03 2020 Uri Lublin - 0.38-5 +- Fix more static analyzer issues + Resolves: rhbz#1839104 + +* Mon Nov 9 18:01:40 IST 2020 Uri Lublin - 0.38-4 +- Fix some static analyzer issues + Resolves: rhbz#1839104 +- Fix spice-usbredir-redirect-on-connect + Resolves: rhbz#1874740 + * Mon Jun 1 2020 Frediano Ziglio - 0.38-3 - Fix multiple buffer overflows in QUIC decoding code Resolves: rhbz#1842472 -* Tue May 20 2020 Victor Toso - 0.38-2 +* Wed May 20 2020 Victor Toso - 0.38-2 - Brings some post releases fixes and disables celt051 that is deprecated in spice-protocol 0.14.2 - Possibly related to rhbz#1688737 rhbz#1746239