The name is more consistent with red_marshall_cursor_init.
Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
Acked-by: Frediano Ziglio <fziglio@redhat.com>
There's an implicit API/ABI contract between QEMU and SPICE that SPICE
will keep the guest QXL resources alive as long as QEMU can hold a
pointer to them. This implicit contract was broken in 1c6e7cf7 "Release
cursor as soon as possible", causing crashes at migration time.
While the proper fix would be in QEMU so that spice-server does not need
to have that kind of knowledge regarding QEMU internal implementation,
this commit reverts to the pre-1c6e7cf7 behaviour to avoid a regression
while QEMU is being fixed.
This version of the fix is based on a suggestion from Frediano Ziglio.
https://bugzilla.redhat.com/show_bug.cgi?id=1540919
Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
Acked-by: Frediano Ziglio <fziglio@redhat.com>
Code can have problems reading empty messages, check we can
handle it.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe de Dinechin <dinechin@redhat.com>
Handle capabilities from guest device.
Send capability to the guest when device is opened.
Currently there's no capabilities set on the message sent.
On the tests we need to discard the capability message before
reading the error.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe de Dinechin <dinechin@redhat.com>
This function will be reused to initialise different message
headers.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe de Dinechin <dinechin@redhat.com>
Currently, red-parse-qxl.c uses g_malloc+memcpy to duplicate the cursor
data when it could use g_memdup() instead. red-stream-device.c does the
same thing but uses spice_memdup(). This commit makes use of g_memdup()
in both cases so that this memory is consistently allocated through
glib.
Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
The name 'com.redhat.stream.0' is too generic and in no way denotes it
belongs to SPICE. It is preferred to have the project's domain in the
name and Red Hat doesn't own the project. Rename it to
org.spice-space.stream.0.
Signed-off-by: Lukáš Hrázký <lhrazky@redhat.com>
Acked-by: Frediano Ziglio <fziglio@redhat.com>
Reuse option from common code.
Also reuse spice_extra_checks constant instead of using the preprocessor
macro directly.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Eduardo Lima (Etrunko) <etrunko@redhat.com>
The timeout is too short when the test run under Valgrind
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
In order to avoid confusion with file named stream-device.h, from
spice-protocol.
Signed-off-by: Eduardo Lima (Etrunko) <etrunko@redhat.com>
Acked-by: Frediano Ziglio <fziglio@redhat.com>
These factor a bit of common code, and more importantly, help with
freeing all event loop related data at the end of each test.
Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
This test case will be testing the external spice-server API to
configure the address/port it's listening on. For now it sets up a
listening server, spawns a thread which is going to connect to that
port, and check it gets the REDQ magic upon connection. It will be
extended to test for Unix sockets, TLS sockets, ...
Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
There is currently a debug printf which is always shown when a mainloop
event is triggered. This is unlikely to be useful unless one is
debugging the event loop code.
Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
Currently if we fail to set up the watch waiting for accept() to be
called on the socket, we still keep the network socket(s) open even if we
are not going to be able to use it. This commit makes sure it's closed a
set to -1 when such a failure occurs rather than having a half
initialized spice-server instance.
Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
Fix clang warning:
red-record-qxl.c:893:13: error: variable 'fd_in' is used uninitialized whenever 'if' condition is false [-Werror,-Wsometimes-uninitialized]
if (ret)
This is technically impossible but is not on a hot path.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
Due to ticket expiration, it is possible that the streaming channels for
the client are created after the ticket expires. Currently, streaming
channels are created dynamically when the guest starts streaming to the
server, which can happen at any time (for instance if you decide to start
the graphic server manually).
If the ticket has expired before the streaming channel is created,
authentication will fail and the client will not be able to connect.
To avoid this, create the channels when the first main channel connection
is made. This ensures that client will connect to all streaming channels.
This could be considered a temporary solution. There may be other
situations where it would be useful to connect new channels after the
ticket has expired, but enabling this behavior would require protocol
changes and a careful analysis of security implications.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
Move public declaration (stream_device_connect) from char-device.h
to a new stream-device.h.
Add type declaration for StreamDevice.
This allows to use the type outside the implementation file and makes it
easier to extend the interface without changing char-device.h header.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
This is a preparation for meson build, which has built-in support for
generating enums, but requires the template files to be renamed. It uses
the basename of template files to generate the output, and in this case
it would be the same file for both '.c' and '.h'. Ideally meson would
let us specify the name of the output files, but this is not the case.
Without renaming, the following error happens:
Meson encountered an error in file server/meson.build, line 30, column 0:
Tried to create target "spice-server-enums.tmpl", but a target of that
name already exists.
Reference: http://mesonbuild.com/Gnome-module.html#gnomemkenums
Note that by the time of this commit, the documentation is not accurate
and does not mention the fact that output files will get the base name
of the template files if they are specified, I submitted a pull request
to meson fixing this detail in docs:
https://github.com/mesonbuild/meson/pull/3191
Signed-off-by: Eduardo Lima (Etrunko) <etrunko@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
Test case for the issue fixed by previous commit.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
If data message is followed by another message, it's theoretically
possible that device loses the sync with the guest.
The actual Qemu and streaming agent implementation avoids it, but better to
make sure this can't happen in the server code too.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
Previous patch causes a bug in Qemu if the patch
46764fe09ca2e0f15c0981a672c166ed8cf57e72 ("virtio-serial: fix segfault
on disconnect") is not included in that version of Qemu (patch present in
version 2.10.0).
This crash happens when device is closed during a write operation.
For SPICE character device, spice_server_char_device_wakeup is called
to write data which handles both read and write pending operations.
As we want to close the device but we can't do it inside the handler
without causing a crash, this commit schedules a timer that will close the
guest device outside this callback.
The proper solution would be to patch Qemu but making sure of this is not
so easy, hence this workaround in spice-server.
Code is marked with some comments to remember to remove this
hack in a safe future.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
Once the device is an error state, we don't want the guest to keep
reading/writing to it, especially as this could put the device in an
inconsistent state. This commit disables the device when an error occurs to
prevent further unintended use of the device by the guest.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
Due to the way Qemu handle the device, when an error occurs we must consume
all pending data inside the callback which reads data from the device.
If we don't flush this data, the next time spice-server tries to read from
the device (after the guest closes/reopens it), we'll be getting stale
data. This can happen because we cannot prevent the guest from writing to
the device even after it got in an error state.
This needs to be done within this callback, as QEMU returns 0 if you call
SpiceCharDeviceInterface::read() outside of it. QEMU invokes this callback
through a call to spice_server_char_device_wakeup.
On the test now we must test that we receive an error from the device.
Previously we checked that last part of the data was not read. Now
potentially all data are read, so we need another way to check the device
detected the error.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
Test all batched (send together) messages are handled correctly
and device is not stuck.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
Qemu does not trigger a new data read if we don't read all data in
the buffer.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
If messages are sent together by the agent the device is reading
only part of the data. This cause Qemu to not poll for new data and
stream_device_read_msg_from_dev won't be called again.
This can cause a stall. To avoid this continue handling data
after a full message was processed.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Jonathon Jongsma <jjongsma@redhat.com>
TLS 1.0 is considered now insecure.
TLS 1.1 was introduced in 2006.
Our SPICE clients uses OpenSSL to use TLS and the support for TLS 1.1
in OpenSSL was introduced in 2006 too so even in systems like
Windows XP which are not officially supporting TLS 1.0 will work
with SPICE and TLS 1.1.
This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1521053.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Victor Toso <victortoso@redhat.com>
Code in rgb32_data_has_alpha possibly generate this warning using
clang:
utils.c:35:16: error: cast from 'uint8_t *' (aka 'unsigned char *') to 'uint32_t *' (aka 'unsigned int *') increases required alignment from 1 to 4 [-Werror,-Wcast-align]
line = (uint32_t *)data;
^~~~~~~~~~~~~~~~
Although the images are expected to be all aligned in this respect
use byte access on the data instead. This, beside fixing the alignment
issue also avoid problem with big endian machines (images in SPICE are
expected to have the alpha channel as the forth byte).
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Victor Toso <victortoso@redhat.com>
clang reports lot of warnings like:
spicevmc.c:47:1: error: unused function 'RED_CHAR_DEVICE_SPICEVMC_CLASS' [-Werror,-Wunused-function]
SPICE_DECLARE_TYPE(RedCharDeviceSpiceVmc, red_char_device_spicevmc, CHAR_DEVICE_SPICEVMC);
^
./red-common.h:110:43: note: expanded from macro 'SPICE_DECLARE_TYPE'
static inline ModuleObjName ## Class *G_PASTE(G_PASTE(RED_,OBJ_NAME),_CLASS)(void *klass) \
^
They are all static inline function and usually should not generate
warnings but for some reasons they do.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Victor Toso <victortoso@redhat.com>
clang is reporting:
sound.c:292:16: error: cast from 'uint8_t *' (aka 'unsigned char *') to 'uint32_t *' (aka 'unsigned int *') increases required alignment from 1 to 4 [-Werror,-Wcast-align]
data = (uint32_t *)packet->data;
^~~~~~~~~~~~~~~~~~~~~~~~
however we are using memcpy to access "data" pointer so there's no
need to use uint32_t pointer. Also considering we don't do math with
that pointer.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Victor Toso <victortoso@redhat.com>
clang reports may warnings like:
test-display-base.c:252:11: error: cast from 'uint8_t *' (aka 'unsigned char *') to 'uint32_t *' (aka 'unsigned int *') increases required alignment from 1 to 4 [-Werror,-Wcast-align]
dst = (uint32_t *)bitmap;
^~~~~~~~~~~~~~~~~~
Use SPICE_ALIGNED_CAST/SPICE_UNALIGNED_CAST macros in common/mem.h to
mark the cast safe or possibly unsafe.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Victor Toso <victortoso@redhat.com>
Not really possible but clang raise these warnings:
test-sasl.c:555:13: error: variable 'is_ok' is uninitialized when used here [-Werror,-Wuninitialized]
if (is_ok) {
^~~~~
test-sasl.c:553:22: note: initialize the variable 'is_ok' to silence this warning
uint8_t is_ok;
^
= '\0'
test-gst.c:792:18: error: variable 'height' is used uninitialized whenever '&&' condition is false [-Werror,-Wsometimes-uninitialized]
spice_assert(gst_structure_get_int(s, "width", &width) &&
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../spice-common/common/log.h:91:17: note: expanded from macro 'spice_assert'
if G_LIKELY(x) { } else { \
^
/usr/include/glib-2.0/glib/gmacros.h:376:60: note: expanded from macro 'G_LIKELY'
^~~~
/usr/include/glib-2.0/glib/gmacros.h:370:8: note: expanded from macro '_G_BOOLEAN_EXPR'
if (expr) \
^~~~
test-gst.c:799:17: note: uninitialized use occurs here
bitmap->y = height;
^~~~~~
test-gst.c:792:18: note: remove the '&&' if its condition is always true
spice_assert(gst_structure_get_int(s, "width", &width) &&
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../spice-common/common/log.h:91:17: note: expanded from macro 'spice_assert'
if G_LIKELY(x) { } else { \
^
/usr/include/glib-2.0/glib/gmacros.h:376:60: note: expanded from macro 'G_LIKELY'
^
/usr/include/glib-2.0/glib/gmacros.h:370:8: note: expanded from macro '_G_BOOLEAN_EXPR'
if (expr) \
^
test-gst.c:791:23: note: initialize the variable 'height' to silence this warning
gint width, height;
^
= 0
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Victor Toso <victortoso@redhat.com>
Marked as obsolete with clang and some options is detected as
error.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Victor Toso <victortoso@redhat.com>
This causes some warnings with clang:
char-device.c:898:29: error: cast from 'uint8_t *' (aka 'unsigned char *') to 'uint32_t *' (aka 'unsigned int *') increases required alignment from 1 to 4 [-Werror,-Wcast-align]
write_to_dev_size_ptr = (uint32_t *)spice_marshaller_reserve_space(m, sizeof(uint32_t));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
char-device.c:899:31: error: cast from 'uint8_t *' (aka 'unsigned char *') to 'uint32_t *' (aka 'unsigned int *') increases required alignment from 1 to 4 [-Werror,-Wcast-align]
write_to_dev_tokens_ptr = (uint32_t *)spice_marshaller_reserve_space(m, sizeof(uint32_t));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This also fixes some minor endianness issue (on big endian machine
integers were not properly encoded).
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Victor Toso <victortoso@redhat.com>
This give an hint to client which can optimise rendering.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe de Dinechin <dinechin@redhat.com>
Currently red_stream_async_read cannot handle read of 0 bytes.
This would cause a wrong assert in async_read_handler.
Fixing the assert would just make the code wrongly detect a
disconnection (usually a return of 0 from read is handled that
way but happens also if you try to read 0 bytes).
Current callers of these function does not pass 0 as size however
handling data protocols having data_length+data this can happen
and is handled manually in red_sasl_handle_auth_steplen.
Avoid needing manually to check for this condition.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe de Dinechin <dinechin@redhat.com>
After 497b8042dc
("lz4-encoder: Use GUINT32_TO_BE instead of htonl") patch this header
is not needed.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Victor Toso <victortoso@redhat.com>
This causes some warnings with clang:
dcc-send.c:1799:28: error: cast from 'uint8_t *' (aka 'unsigned char *') to 'uint32_t *' (aka 'unsigned int *') increases required alignment from 1 to 4 [-Werror,-Wcast-align]
num_surfaces_created = (uint32_t *)spice_marshaller_reserve_space(m2, sizeof(uint32_t));
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This also fixes some endianness issue (on big endian machine integers
were not properly encoded).
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Victor Toso <victortoso@redhat.com>
