37 lines
1.2 KiB
Diff
37 lines
1.2 KiB
Diff
From 9a661ab970d194afc59f9b7cdf603fe4bd66505d Mon Sep 17 00:00:00 2001
|
|
From: Philip Withnall <pwithnall@gnome.org>
|
|
Date: Mon, 26 Feb 2024 15:26:03 +0000
|
|
Subject: [PATCH] gsocketclient: Fix a use-after-free in
|
|
g_socket_client_connected_callback()
|
|
|
|
The ref held by `data->task` may be the last one on the `GTask`. The
|
|
`GTask` stores `attempt->data` as its task data, and so when the `GTask`
|
|
is finalised, `attempt->data` is too. `connection_attempt_remove()`
|
|
needs to access `attempt->data`, so must be called before the
|
|
`g_object_unref()` in this situation.
|
|
|
|
Signed-off-by: Philip Withnall <pwithnall@gnome.org>
|
|
|
|
Fixes: #3266
|
|
---
|
|
gio/gsocketclient.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/gio/gsocketclient.c b/gio/gsocketclient.c
|
|
index 1127e4599..d4231599a 100644
|
|
--- a/gio/gsocketclient.c
|
|
+++ b/gio/gsocketclient.c
|
|
@@ -1879,8 +1879,8 @@ g_socket_client_connected_callback (GObject *source,
|
|
|
|
if (task_completed_or_cancelled (data) || g_cancellable_is_cancelled (attempt->cancellable))
|
|
{
|
|
- g_object_unref (data->task);
|
|
connection_attempt_unref (attempt);
|
|
+ g_object_unref (data->task);
|
|
return;
|
|
}
|
|
|
|
--
|
|
2.27.0
|
|
|