Commit a14ff8a6 authored by Gerd Hoffmann's avatar Gerd Hoffmann
Browse files

usb-redir: fix use-after-free 



Reinitialize dev->cs to NULL after deleting it, to make sure it isn't
used afterwards.

Reported-by: default avatarMartin Cerveny <M.Cerveny@computer.org>
Signed-off-by: default avatarGerd Hoffmann <kraxel@redhat.com>
parent 75cc1c1f

hw/usb/redirect.c

+1 −0
Original line number Diff line number Diff line
@@ -1334,6 +1334,7 @@ static void usbredir_handle_destroy(USBDevice *udev) 
    USBRedirDevice *dev = DO_UPCAST(USBRedirDevice, dev, udev);



    qemu_chr_delete(dev->cs);

    dev->cs = NULL;

    /* Note must be done after qemu_chr_close, as that causes a close event */

    qemu_bh_delete(dev->chardev_close_bh);