[network-manager-applet] applet: fix crash when destroying AP objects

From: Beniamino Galvani <bgalvani src gnome org>
To: commits-list gnome org
Cc:
Subject: [network-manager-applet] applet: fix crash when destroying AP objects
Date: Fri, 18 Nov 2016 14:55:32 +0000 (UTC)

commit 93d5c134bcb7e0051eabe2395033be99ecddd4c2
Author: Beniamino Galvani <bgalvani redhat com>
Date:   Fri Nov 18 15:44:42 2016 +0100

    applet: fix crash when destroying AP objects
    
    Setting d->ap to NULL in _active_ap_set_weakref() causes the
    ActiveAPData to be destroyed in _active_ap_set() and the access to
    d->applet to be invalid.
    
    ==31046== Invalid read of size 8
    ==31046==    at 0x4227C0: _active_ap_set_weakref (applet-device-wifi.c:125)
    ==31046==    by 0x94F4F7E: weak_refs_notify (gobject.c:2636)
    ==31046==    by 0x7468E53: dispose (nm-object.c:1243)
    ==31046==    by 0x94F6095: g_object_unref (gobject.c:3146)
    ==31046==    by 0x995607A: g_ptr_array_foreach (garray.c:1502)
    ==31046==    by 0x995610F: ptr_array_free (garray.c:1088)
    ==31046==    by 0x745C0BD: clean_up_aps (nm-device-wifi.c:537)
    ==31046==  Address 0x1e1ab090 is 0 bytes inside a block of size 32 free'd
    ==31046==    at 0x4C2CD5A: free (vg_replace_malloc.c:530)
    ==31046==    by 0x9986F2D: g_free (gmem.c:189)
    ==31046==    by 0x999E40F: g_slice_free1 (gslice.c:1136)
    ==31046==    by 0x421734: _active_ap_set (applet-device-wifi.c:146)
    ==31046==    by 0x4227BF: _active_ap_set_weakref (applet-device-wifi.c:123)
    ==31046==    by 0x94F4F7E: weak_refs_notify (gobject.c:2636)
    ==31046==    by 0x7468E53: dispose (nm-object.c:1243)

 src/applet-device-wifi.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)
---
diff --git a/src/applet-device-wifi.c b/src/applet-device-wifi.c
index 50d02b0..7b8fa6e 100644
--- a/src/applet-device-wifi.c
+++ b/src/applet-device-wifi.c
@@ -113,6 +113,7 @@ static void
 _active_ap_set_weakref (gpointer data, GObject *where_the_object_was)
 {
        ActiveAPData *d = data;
+       NMApplet *applet = d->applet;
 
        if ((GObject *) d->ap == where_the_object_was)
                d->ap = NULL;
@@ -120,9 +121,9 @@ _active_ap_set_weakref (gpointer data, GObject *where_the_object_was)
                d->device = NULL;
        else
                g_return_if_reached ();
-       _active_ap_set (d->applet, NULL, NULL);
+       _active_ap_set (applet, NULL, NULL);
 
-       applet_schedule_update_icon (d->applet);
+       applet_schedule_update_icon (applet);
 }
 
 static void

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]