[glib] gdbus: fix use-after-free
- From: Colin Walters <walters src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [glib] gdbus: fix use-after-free
- Date: Fri, 12 May 2017 18:43:54 +0000 (UTC)
commit 0751ccd31505cd2774053553263466c6933b3c42
Author: Lars Uebernickel <lars uebernickel canonical com>
Date: Thu Jan 28 15:39:18 2016 +0100
gdbus: fix use-after-free
g_dbus_connection_call_internal() accesses the user data it passes to
g_dbus_connection_send_message_with_reply() after the call. That data
might be freed already in the case that the callback is called
immediately.
Fix this by removing the 'serial' field from the user data altogether
and fetch the serial from the message in the callback.
https://bugzilla.gnome.org/show_bug.cgi?id=748263
gio/gdbusconnection.c | 6 ++----
1 files changed, 2 insertions(+), 4 deletions(-)
---
diff --git a/gio/gdbusconnection.c b/gio/gdbusconnection.c
index 4a4f403..8263419 100644
--- a/gio/gdbusconnection.c
+++ b/gio/gdbusconnection.c
@@ -5660,7 +5660,6 @@ typedef struct
{
GVariantType *reply_type;
gchar *method_name; /* for error message */
- guint32 serial;
GUnixFDList *fd_list;
} CallState;
@@ -5701,7 +5700,7 @@ g_dbus_connection_call_done (GObject *source,
" <<<< ASYNC COMPLETE %s() (serial %d)\n"
" ",
state->method_name,
- state->serial);
+ g_dbus_message_get_reply_serial (reply));
if (reply != NULL)
{
g_print ("SUCCESS\n");
@@ -5798,11 +5797,10 @@ g_dbus_connection_call_internal (GDBusConnection *connection,
message,
G_DBUS_SEND_MESSAGE_FLAGS_NONE,
timeout_msec,
- &state->serial,
+ &serial,
cancellable,
g_dbus_connection_call_done,
task);
- serial = state->serial;
}
else
{
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]
