chardev: close QIOChannel before unref'ing

The chardev socket backend will unref the QIOChannel object while it is still potentially open. When using TLS there could be a pending TLS handshake taking place. If the channel is left open then when the TLS handshake callback runs, it can end up accessing free'd memory in the tcp_chr_tls_handshake method. Closing the QIOChannel will unregister any pending handshake source. Reported-by: jiangyegen <jiangyegen@huawei.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
qemu · Feb 9, 2024 · cb8ded0 · cb8ded0
1 parent 30c917b
commit cb8ded0
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/chardev/char-socket.c b/chardev/char-socket.c
@@ -378,6 +378,10 @@ static void tcp_chr_free_connection(Chardev *chr)
                                  char_socket_yank_iochannel,
                                  QIO_CHANNEL(s->sioc));
     }
+
+    if (s->ioc) {
+        qio_channel_close(s->ioc, NULL);
+    }
     object_unref(OBJECT(s->sioc));
     s->sioc = NULL;
     object_unref(OBJECT(s->ioc));