From 067992f8dedd11651e624921129cd0ffb099180f Mon Sep 17 00:00:00 2001
|
|
From: Christoph Reiter <creiter@src.gnome.org>
|
|
Date: Thu, 14 Feb 2019 04:16:18 +0100
|
|
Subject: [PATCH 605/682] gdbus: Fix a potential use-after-free on connection
|
|
close. Fixes #1686
|
|
|
|
512e9b3b34d added a call to schedule_pending_close() in the read
|
|
callback after the reference to the worker is already gone. In case this was
|
|
the last reference to the worker this resulted in a use-after-free.
|
|
|
|
6f3d57d2ee2 made this more likely to happen because on connection close
|
|
the worker cancel action is now async while the reference to the worker
|
|
gets dropped right away.
|
|
|
|
Move the call to schedule_pending_close() before the unref.
|
|
|
|
Fixes #1686
|
|
---
|
|
gio/gdbusprivate.c | 6 +++---
|
|
1 file changed, 3 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/gio/gdbusprivate.c b/gio/gdbusprivate.c
|
|
index c2a04ae12..1e8e1d64b 100644
|
|
--- a/gio/gdbusprivate.c
|
|
+++ b/gio/gdbusprivate.c
|
|
@@ -809,11 +809,11 @@ _g_dbus_worker_do_read_cb (GInputStream *input_stream,
|
|
out:
|
|
g_mutex_unlock (&worker->read_lock);
|
|
|
|
- /* gives up the reference acquired when calling g_input_stream_read_async() */
|
|
- _g_dbus_worker_unref (worker);
|
|
-
|
|
/* check if there is any pending close */
|
|
schedule_pending_close (worker);
|
|
+
|
|
+ /* gives up the reference acquired when calling g_input_stream_read_async() */
|
|
+ _g_dbus_worker_unref (worker);
|
|
}
|
|
|
|
/* called in private thread shared by all GDBusConnection instances (with read-lock held) */
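Review bot: The ordering that prevents the use-after-free is now load-bearing, but nothing at the tail of `_g_dbus_worker_do_read_cb` says so, and the function's body starts outside this hunk. The comment above `schedule_pending_close (worker);` should state the constraint, for example `/* check if there is any pending close; must run before the unref below, which may drop the last reference and free worker */`, and the comment on `_g_dbus_worker_unref (worker);` could add `worker must not be touched after this call`. The body of `schedule_pending_close()` is not visible here, so it is worth confirming that any deferred work it queues holds its own reference to the worker and does not rely on the one released on the next line.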
|
|
--
|
|
2.19.1
|
|
|