authorGerd Hoffmann <kraxel@redhat.com>2010-06-24 11:54:36 +0200
committerGerd Hoffmann <kraxel@redhat.com>2010-06-29 12:30:20 +0200
commit5de492e930ebe7597279b7392e14fe1d0653c94c (patch)
tree99eec8f03e8b0c513b90cf6ad22be39ca31cbfaa /server
parentfada35a173996ff24aa081112d37cfa7292cabe3 (diff)
qxl abi: parse QXLMessage.
Diffstat (limited to 'server')
-rw-r--r--server/red_parse_qxl.c22
-rw-r--r--server/red_parse_qxl.h9
-rw-r--r--server/red_worker.c14
3 files changed, 41 insertions, 4 deletions
diff --git a/server/red_parse_qxl.c b/server/red_parse_qxl.c
index f7de6cf..6c8eb69 100644
--- a/server/red_parse_qxl.c
+++ b/server/red_parse_qxl.c
@@ -330,3 +330,25 @@ void red_put_update_cmd(RedUpdateCmd *red)
{
/* nothing yet */
}
+
+void red_get_message(RedMemSlotInfo *slots, int group_id,
+ RedMessage *red, SPICE_ADDRESS addr)
+{
+ QXLMessage *qxl;
+
+ /*
+ * security alert:
+ * qxl->data[0] size isn't specified anywhere -> can't verify
+ * luckily this is for debug logging only,
+ * so we can just ignore it by default.
+ */
+ qxl = (QXLMessage *)get_virt(slots, addr, sizeof(*qxl), group_id);
+ red->release_info = &qxl->release_info;
+ red->data = qxl->data;
+}
+
+void red_put_message(RedMessage *red)
+{
+ /* nothing yet */
+}
+
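Review bot: `red_get_message()` validates only `sizeof(*qxl)` bytes through `get_virt()` and then publishes `red->data` with no length, so every consumer inherits the unbounded read that the comment describes; the same gap shows in the `RedMessage` definition in red_parse_qxl.h and at the `DEBUG`-only `red_printf("MESSAGE: %s", message.data)` in red_worker.c. Rather than relying on callers to ignore the field, the parser could look for the terminator with a bounded search limited to the bytes remaining in the memory slot (plus a fixed cap), store the result in a new length member of `RedMessage`, and leave `data` NULL when no terminator is found. The debug print could then use `"%.*s"` with that length. The hunk does not show what `get_virt()` does on an invalid address, so it is worth confirming that `qxl` cannot be NULL before `&qxl->release_info` is taken.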
diff --git a/server/red_parse_qxl.h b/server/red_parse_qxl.h
index bc2dd4e..b4baed8 100644
--- a/server/red_parse_qxl.h
+++ b/server/red_parse_qxl.h
@@ -60,6 +60,11 @@ typedef struct SPICE_ATTR_PACKED RedUpdateCmd {
uint32_t surface_id;
} RedUpdateCmd;
+typedef struct SPICE_ATTR_PACKED RedMessage {
+ QXLReleaseInfo *release_info;
+ uint8_t *data;
+} RedMessage;
+
void red_get_drawable(RedMemSlotInfo *slots, int group_id,
RedDrawable *red, SPICE_ADDRESS addr);
void red_get_compat_drawable(RedMemSlotInfo *slots, int group_id,
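Review bot: `RedMessage` has no comment saying that both members point into guest-supplied memory rather than at a host copy, which is what `red_get_message()` assigns (`&qxl->release_info` and `qxl->data`). Someone reading only the header cannot tell that `data` has no verified length or terminator. I would add above the struct: `/* Both pointers alias guest memory; data is unverified (no length, may lack a NUL) and must not be read outside debug code. */`.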
@@ -70,4 +75,8 @@ void red_get_update_cmd(RedMemSlotInfo *slots, int group_id,
RedUpdateCmd *red, SPICE_ADDRESS addr);
void red_put_update_cmd(RedUpdateCmd *red);
+void red_get_message(RedMemSlotInfo *slots, int group_id,
+ RedMessage *red, SPICE_ADDRESS addr);
+void red_put_message(RedMessage *red);
+
#endif
diff --git a/server/red_worker.c b/server/red_worker.c
index b90c3f9..34f723f 100644
--- a/server/red_worker.c
+++ b/server/red_worker.c
@@ -5057,13 +5057,19 @@ static int red_process_commands(RedWorker *worker, uint32_t max_pipe_size)
break;
}
case QXL_CMD_MESSAGE: {
+ RedMessage message;
QXLReleaseInfoExt release_info_ext;
- QXLMessage *message = (QXLMessage *)get_virt(&worker->mem_slots, ext_cmd.cmd.data,
- sizeof(QXLMessage), ext_cmd.group_id);
- red_printf("MESSAGE: %s", message->data);
+
+ red_get_message(&worker->mem_slots, ext_cmd.group_id,
+ &message, ext_cmd.cmd.data);
+#ifdef DEBUG
+ /* alert: accessing message.data is insecure */
+ red_printf("MESSAGE: %s", message.data);
+#endif
release_info_ext.group_id = ext_cmd.group_id;
- release_info_ext.info = &message->release_info;
+ release_info_ext.info = message.release_info;
worker->qxl->st->qif->release_resource(worker->qxl, release_info_ext);
+ red_put_message(&message);
break;
}
case QXL_CMD_SURFACE: {
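Review bot: `red_put_message(&message)` runs after `release_resource()` in the `QXL_CMD_MESSAGE` case, so `message.release_info` and `message.data` presumably already refer to memory the guest is free to reuse by the time the put function sees them. That is harmless only while `red_put_message()` is empty; any cleanup added there later would operate on released guest memory. Either call `red_put_message(&message);` before the release, or move the release into `red_put_message()` so the ordering is fixed in one place, and add a comment such as `/* message.* must not be touched after release_resource() */`. The enclosing switch in `red_process_commands()` starts and ends outside the hunk.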