[gnome-bluetooth/wip/hadess/fix-set-trusted: 2/2] client: Fix possible use-after-free



commit 8e8835e2d782e8a80f5d1fb928c5b460a0b15e31
Author: Bastien Nocera <hadess hadess net>
Date:   Fri Mar 22 16:10:58 2019 +0100

    client: Fix possible use-after-free
    
    bluetooth_client_setup_device_finish() didn't copy the "device path"
    string that came through attached to the result object, so any uses
    after the async callback finished would have been from freed memory.
    
    Always return a copy of the path instead, and make sure to free that
    copy when we're done with it.

 lib/bluetooth-client.c          | 17 ++++++++++++++---
 lib/bluetooth-settings-widget.c |  1 +
 2 files changed, 15 insertions(+), 3 deletions(-)
---
diff --git a/lib/bluetooth-client.c b/lib/bluetooth-client.c
index e7aa850e..929497f5 100644
--- a/lib/bluetooth-client.c
+++ b/lib/bluetooth-client.c
@@ -1373,16 +1373,27 @@ bluetooth_client_setup_device_finish (BluetoothClient  *client,
                                      GError          **error)
 {
        GSimpleAsyncResult *simple;
+       char *object_path;
+       gboolean ret;
+
+       g_return_val_if_fail (path != NULL, FALSE);
+       *path = NULL;
 
        simple = (GSimpleAsyncResult *) res;
 
        g_warn_if_fail (g_simple_async_result_get_source_tag (simple) == bluetooth_client_setup_device);
 
-       if (path != NULL)
-               *path = g_object_get_data (G_OBJECT (res), "device-object-path");
+       ret = g_simple_async_result_get_op_res_gboolean (simple);
+       object_path = g_strdup (g_object_get_data (G_OBJECT (res), "device-object-path"));
+       g_debug ("bluetooth_client_setup_device_finish() %s (path: %s)",
+                ret ? "success" : "failure", object_path);
 
-       if (g_simple_async_result_get_op_res_gboolean (simple))
+       if (ret) {
+               *path = object_path;
                return TRUE;
+       }
+
+       g_free (object_path);
        g_simple_async_result_propagate_error (simple, error);
        return FALSE;
 }
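Review bot: The added `g_return_val_if_fail (path != NULL, FALSE)` makes a previously optional out-parameter mandatory, and its early return reports FALSE without setting `*error`. In builds with G_DISABLE_CHECKS the check is compiled out, so the next line, `*path = NULL`, would dereference NULL. Keeping the parameter optional avoids both problems: `if (path != NULL) *path = NULL;` at the top, and on success `if (path != NULL) *path = object_path; else g_free (object_path);`. The function's doc comment lies outside the hunk; it should state that `*path` is now a newly allocated string the caller releases with `g_free()` and that it is NULL on failure, since any caller not updated by this commit would otherwise leak it.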
diff --git a/lib/bluetooth-settings-widget.c b/lib/bluetooth-settings-widget.c
index 497c1999..197313ab 100644
--- a/lib/bluetooth-settings-widget.c
+++ b/lib/bluetooth-settings-widget.c
@@ -880,6 +880,7 @@ bail:
        if (data->timeout_id > 0)
                g_source_remove (data->timeout_id);
 
+       g_free (data->device);
        g_timer_destroy (data->timer);
        g_free (data);
 }
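Review bot: The `g_free (data->device)` added under `bail:` is only correct if `data->device` always holds the copy returned by bluetooth_client_setup_device_finish() or NULL. The assignment is outside the hunk, so this should be confirmed; a borrowed pointer stored there would now be freed while its real owner still holds it. A short comment at the free would record the ownership, e.g. `/* data->device is the owned copy from bluetooth_client_setup_device_finish() */`. Because the finish function now leaves the path NULL on failure, any use of `data->device` on the error path of this callback should also tolerate NULL.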

