[glib: 1/3] gdbus: Fix a potential use-after-free on connection close. Fixes #1686
- From: Christoph Reiter <creiter src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [glib: 1/3] gdbus: Fix a potential use-after-free on connection close. Fixes #1686
- Date: Thu, 14 Feb 2019 13:36:33 +0000 (UTC)
commit 067992f8dedd11651e624921129cd0ffb099180f
Author: Christoph Reiter <creiter src gnome org>
Date: Thu Feb 14 04:16:18 2019 +0100
gdbus: Fix a potential use-after-free on connection close. Fixes #1686
512e9b3b34d added a call to schedule_pending_close() in the read
callback after the reference to the worker is already gone. In case this was
the last reference to the worker this resulted in a use-after-free.
6f3d57d2ee2 made this more likely to happen because on connection close
the worker cancel action is now async while the reference to the worker
gets dropped right away.
Move the call to schedule_pending_close() before the unref.
Fixes #1686
gio/gdbusprivate.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
---
diff --git a/gio/gdbusprivate.c b/gio/gdbusprivate.c
index c2a04ae12..1e8e1d64b 100644
--- a/gio/gdbusprivate.c
+++ b/gio/gdbusprivate.c
@@ -809,11 +809,11 @@ _g_dbus_worker_do_read_cb (GInputStream *input_stream,
out:
g_mutex_unlock (&worker->read_lock);
- /* gives up the reference acquired when calling g_input_stream_read_async() */
- _g_dbus_worker_unref (worker);
-
/* check if there is any pending close */
schedule_pending_close (worker);
+
+ /* gives up the reference acquired when calling g_input_stream_read_async() */
+ _g_dbus_worker_unref (worker);
}
/* called in private thread shared by all GDBusConnection instances (with read-lock held) */
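Review bot: The comment kept above `_g_dbus_worker_unref (worker);` at the end of `_g_dbus_worker_do_read_cb()` does not record that the unref must remain the last statement that touches `worker`, which is the invariant this reordering restores. The commit message says the regression came from an earlier change that added a call after the unref, so the same mistake is easy to repeat; consider extending the comment to something like "this may drop the last reference, do not use worker after this point". It is also worth confirming that `schedule_pending_close (worker)` takes its own reference for anything it defers, since the reference released on the next line can be the final one and nothing in this hunk shows who keeps the worker alive after that.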