usb-redir: fix use-after-free

Reinitialize dev->cs to NULL after deleting it, to make sure it isn't
used afterwards.

Reported-by: Martin Cerveny <M.Cerveny@computer.org>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>

diff --git a/hw/usb/redirect.c b/hw/usb/redirect.c
index 8b8c010d94d841ae32310716e3374431d9f48ba3..e3b9f324b38c1e0e114880809622c7c428a587a9 100644 (file)
--- a/hw/usb/redirect.c
+++ b/hw/usb/redirect.c
@@ -1334,6 +1334,7 @@ static void usbredir_handle_destroy(USBDevice *udev)
     USBRedirDevice *dev = DO_UPCAST(USBRedirDevice, dev, udev);
 
     qemu_chr_delete(dev->cs);
+    dev->cs = NULL;
     /* Note must be done after qemu_chr_close, as that causes a close event */
     qemu_bh_delete(dev->chardev_close_bh);