>From 0d1c4ac000a66ef22b4a0cd0c4bedd840192096a Mon Sep 17 00:00:00 2001
From: Rid <[email protected]>
Date: Tue, 30 Sep 2025 10:23:58 +0100
Subject: [PATCH] ui/vnc: Fix NULL pointer dereference in vnc_disconnect_start

When a WebSocket connection fails during the handshake, vs->ioc can be
NULL when vnc_disconnect_start() is called, leading to a segmentation
fault when qio_channel_close() tries to dereference it.

This can be reproduced by sending incomplete HTTP requests to the
WebSocket port:

  for i in {1..100}; do
    (echo -n "GET / HTTP/1.1" && sleep 0.05) | nc -w 1 <IP> <PORT> &
  done

Add a NULL check before calling qio_channel_close() to prevent the crash.

Signed-off-by: Rid <[email protected]>
---
ui/vnc.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/ui/vnc.c b/ui/vnc.c
index 77c823bf2e..1669ed1b80 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -1301,7 +1301,9 @@ static void vnc_disconnect_start(VncState *vs)
g_source_remove(vs->ioc_tag);
vs->ioc_tag = 0;
}
- qio_channel_close(vs->ioc, NULL);
+ if (vs->ioc) {
+ qio_channel_close(vs->ioc, NULL);
+ }
vs->disconnecting = TRUE;
}
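Review bot: The new `if (vs->ioc)` guard in vnc_disconnect_start() covers the crash site, but neither the commit message nor the code says which path leaves vs->ioc NULL while this function is still reachable, so it is unclear whether this fixes the cause or only the symptom. Please name the handshake-failure path that clears vs->ioc in the commit message and add a one-line comment above the check saying when the channel can already be gone. Since `vs->disconnecting = TRUE;` still runs with a NULL channel, it is also worth confirming that the rest of the disconnect sequence does not dereference vs->ioc without the same check. The reproducer in the commit message would make a good basis for a regression test.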
--
2.39.5