Details
Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Description
An instance of guac_user has a lifecycle that may result in that guac_user becoming invalid at any moment except within the context of a callback directly related to that user. The guac_client_for_user() function exists to provide a mechanism for referencing a guac_user without a corresponding callback, but this call is missing in a few locations, resulting in potential segfaults.
For example:
    static void guac_rdp_audio_buffer_ack(guac_rdp_audio_buffer* audio_buffer,
            const char* message, guac_protocol_status status) {

        guac_user* user = audio_buffer->user;
        guac_stream* stream = audio_buffer->stream;

        ...

        guac_protocol_send_ack(user->socket, stream, message, status);

        ...

    }
The above is incorrect because user->socket is being accessed outside a user-related callback and without using guac_client_for_user(). If the user turns out to not be valid, this will segfault.
We should fix the above, look through the code for other references to guac_user outside a user-related callback, and fix those as well.
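The access pattern described above, as an added example that is not code from the Guacamole source: a self-contained model in which a stored user pointer is only dereferenced inside a callback, after the client has confirmed the user is still connected. All `demo_*` names are hypothetical stand-ins for the libguac types, and the behaviour assumed for guac_client_for_user() is that the callback receives NULL when the user is no longer valid.

```c
#include <pthread.h>
#include <stddef.h>

/* Hypothetical stand-ins for guac_user / guac_client (not the libguac structs). */
typedef struct demo_user { int socket_fd; struct demo_user* next; } demo_user;
typedef struct demo_client { pthread_mutex_t lock; demo_user* users; } demo_client;
typedef void* demo_user_callback(demo_user* user, void* data);

/* Models the assumed guac_client_for_user() contract: the stored pointer is
 * only compared, never dereferenced, and the callback runs under the lock. */
void* demo_client_for_user(demo_client* client, demo_user* user,
        demo_user_callback* callback, void* data) {
    demo_user* found = NULL;
    pthread_mutex_lock(&client->lock);
    for (demo_user* cur = client->users; cur != NULL; cur = cur->next)
        if (cur == user) { found = cur; break; }
    void* result = callback(found, data);   /* found is NULL if user left */
    pthread_mutex_unlock(&client->lock);
    return result;
}

/* User disconnects: unlink under the same lock the lookup takes. */
void demo_client_remove_user(demo_client* client, demo_user* user) {
    pthread_mutex_lock(&client->lock);
    for (demo_user** p = &client->users; *p != NULL; p = &(*p)->next)
        if (*p == user) { *p = user->next; break; }
    pthread_mutex_unlock(&client->lock);
}

/* Plays the role of the ack sender; touches the user only if still valid. */
static void* send_ack_callback(demo_user* user, void* data) {
    if (user == NULL) return NULL;       /* user is gone: skip the send */
    *(int*) data = user->socket_fd;      /* stands in for using user->socket */
    return user;
}

/* Returns 1 if the ack was "sent", 0 if the user was no longer connected. */
int demo_audio_buffer_ack(demo_client* client, demo_user* user, int* sent_fd) {
    return demo_client_for_user(client, user, send_ack_callback, sent_fd) != NULL;
}

int main(void) {
    demo_user alice = { 7, NULL };       /* constructed sample user */
    demo_client client = { PTHREAD_MUTEX_INITIALIZER, &alice };
    int fd = -1;
    int before = demo_audio_buffer_ack(&client, &alice, &fd);
    demo_client_remove_user(&client, &alice);
    int after = demo_audio_buffer_ack(&client, &alice, &fd);
    return (before == 1 && after == 0) ? 0 : 1;
}
```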