[Spice-devel] [PATCH spice-gtk 01/10] spice-channel: Fix a possible race triggered by spice_channel_iterate_write

[Hans de Goede]

Fix a race between spice_channel_buffered_write and
spice_channel_iterate_write.

Signed-off-by: Hans de Goede <hdego...@redhat.com>
---
 gtk/spice-channel.c |   17 +++++++++++++++--
 1 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/gtk/spice-channel.c b/gtk/spice-channel.c
index 8834143..f367b4d 100644
--- a/gtk/spice-channel.c
+++ b/gtk/spice-channel.c
@@ -1750,9 +1750,22 @@ static void spice_channel_iterate_write(SpiceChannel 
*channel)
 {
     SpiceChannelPrivate *c = channel->priv;
 
-    if (c->xmit_buffer_size) {
-        spice_channel_write(channel, c->xmit_buffer, c->xmit_buffer_size);
+    if (c->xmit_buffer) {
+        /*
+         * Take ownership of the buffer, so that if spice_channel_write calls
+         * g_io_wait and thus yields to the main context, and that then calls
+         * spice_channel_buffered_write it does not mess with the buffer
+         * being written out.
+         */
+        guint8 *buffer = c->xmit_buffer;
+        int size = c->xmit_buffer_size;
+
+        c->xmit_buffer = NULL;
         c->xmit_buffer_size = 0;
+        c->xmit_buffer_capacity = 0;
+
+        spice_channel_write(channel, buffer, size);
+        g_free(buffer);
     }
 }
 
-- 
1.7.5.1

_______________________________________________
Spice-devel mailing list
Spice-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/spice-devel