From 067992f8dedd11651e624921129cd0ffb099180f Mon Sep 17 00:00:00 2001
From: Christoph Reiter
Date: Thu, 14 Feb 2019 04:16:18 +0100
Subject: [PATCH 605/682] gdbus: Fix a potential use-after-free on connection close.

Fixes #1686

512e9b3b34d added a call to schedule_pending_close() in the read callback after the reference to the worker is already gone. In case this was the last reference to the worker this resulted in a use-after-free.

6f3d57d2ee2 made this more likely to happen because on connection close the worker cancel action is now async while the reference to the worker gets dropped right away.

Move the call to schedule_pending_close() before the unref.

Fixes #1686
---
 gio/gdbusprivate.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/gio/gdbusprivate.c b/gio/gdbusprivate.c
index c2a04ae12..1e8e1d64b 100644
--- a/gio/gdbusprivate.c
+++ b/gio/gdbusprivate.c
@@ -809,11 +809,11 @@ _g_dbus_worker_do_read_cb (GInputStream *input_stream,
 out:
 g_mutex_unlock (&worker->read_lock);
 
- /* gives up the reference acquired when calling g_input_stream_read_async() */
- _g_dbus_worker_unref (worker);
-
 /* check if there is any pending close */
 schedule_pending_close (worker);
+
+ /* gives up the reference acquired when calling g_input_stream_read_async() */
+ _g_dbus_worker_unref (worker);
 }
 
 /* called in private thread shared by all GDBusConnection instances (with read-lock held) */
-- 
2.19.1
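Review bot: The new ordering in the `out:` tail of _g_dbus_worker_do_read_cb is correct only because schedule_pending_close() runs while the read-async reference is still held, but nothing in the code records that invariant, and the surviving comment `/* check if there is any pending close */` reads as if the two statements were independent — the exact misreading that produced the use-after-free fixed here. I would replace that comment with something like `/* Must run before the unref below: that may be the last reference to the worker, after which it is freed (see #1686). */` so a later reorder or refactor trips over the reason. The function body and the `worker` reference acquisition start above the hunk, so whether any other path reaches `out:` without holding that reference cannot be judged from here. The header of _g_dbus_worker_do_read_cb is outside the hunk.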