On Di, 2016-01-12 at 13:52 +0100, Wolfgang Bumiller wrote: > This pointer should be cleared in vnc_display_close() > otherwise a use-after-free can happen when when using the > old style 'x509' and 'tls' options rather than a persistent > tls-creds -object, by issuing monitor commands to change > the vnc server like so: > > Start with: -vnc unix:test.socket,x509,tls > Then use the following monitor command: > change vnc unix:test.socket > > After this the pointer is still set but invalid and a crash > can be triggered for instance by issuing the same command a > second time which will try to object_unparent() the same > pointer again.
Added to patch queue. thanks, Gerd