The chardev socket backend will unref the QIOChannel object while
it is still potentially open. When using TLS there could be a
pending TLS handshake taking place. If the channel is left open
then when the TLS handshake callback runs, it can end up accessing
free'd memory in the tcp_chr_tls_handshake method.
Closing the QIOChannel will unregister any pending handshake
source.
Reported-by: jiangyegen <jiangye...@huawei.com>
Reviewed-by: Marc-André Lureau <marcandre.lur...@redhat.com>
Signed-off-by: Daniel P. Berrangé <berra...@redhat.com>
---
chardev/char-socket.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/chardev/char-socket.c b/chardev/char-socket.c
index 73947da188..7105753815 100644
--- a/chardev/char-socket.c
+++ b/chardev/char-socket.c
@@ -378,6 +378,10 @@ static void tcp_chr_free_connection(Chardev *chr)
char_socket_yank_iochannel,
QIO_CHANNEL(s->sioc));
}
+
+ if (s->ioc) {
+ qio_channel_close(s->ioc, NULL);
+ }
object_unref(OBJECT(s->sioc));
s->sioc = NULL;
object_unref(OBJECT(s->ioc));
--
2.43.0
