bus: fix use-after-free in slot-release
We must not access slot->floating after we possible dropped the last reference to it. Fix all callback-invocations to first check slot->floating and possible disconnect the slot, then release the last reference.
This commit is contained in:
parent
fa9838ddd6
commit
d974ad0524
|
@ -2107,7 +2107,7 @@ static int process_timeout(sd_bus *bus) {
|
|||
r = c->callback(bus, m, slot->userdata, &error_buffer);
|
||||
bus->current_userdata = NULL;
|
||||
bus->current_handler = NULL;
|
||||
bus->current_slot = sd_bus_slot_unref(slot);
|
||||
bus->current_slot = NULL;
|
||||
bus->current_message = NULL;
|
||||
|
||||
if (slot->floating) {
|
||||
|
@ -2115,6 +2115,8 @@ static int process_timeout(sd_bus *bus) {
|
|||
sd_bus_slot_unref(slot);
|
||||
}
|
||||
|
||||
sd_bus_slot_unref(slot);
|
||||
|
||||
return bus_maybe_reply_error(m, r, &error_buffer);
|
||||
}
|
||||
|
||||
|
@ -2203,13 +2205,15 @@ static int process_reply(sd_bus *bus, sd_bus_message *m) {
|
|||
r = c->callback(bus, m, slot->userdata, &error_buffer);
|
||||
bus->current_userdata = NULL;
|
||||
bus->current_handler = NULL;
|
||||
bus->current_slot = sd_bus_slot_unref(slot);
|
||||
bus->current_slot = NULL;
|
||||
|
||||
if (slot->floating) {
|
||||
bus_slot_disconnect(slot);
|
||||
sd_bus_slot_unref(slot);
|
||||
}
|
||||
|
||||
sd_bus_slot_unref(slot);
|
||||
|
||||
return bus_maybe_reply_error(m, r, &error_buffer);
|
||||
}
|
||||
|
||||
|
@ -2529,7 +2533,7 @@ static int process_closing(sd_bus *bus, sd_bus_message **ret) {
|
|||
r = c->callback(bus, m, slot->userdata, &error_buffer);
|
||||
bus->current_userdata = NULL;
|
||||
bus->current_handler = NULL;
|
||||
bus->current_slot = sd_bus_slot_unref(slot);
|
||||
bus->current_slot = NULL;
|
||||
bus->current_message = NULL;
|
||||
|
||||
if (slot->floating) {
|
||||
|
@ -2537,6 +2541,8 @@ static int process_closing(sd_bus *bus, sd_bus_message **ret) {
|
|||
sd_bus_slot_unref(slot);
|
||||
}
|
||||
|
||||
sd_bus_slot_unref(slot);
|
||||
|
||||
return bus_maybe_reply_error(m, r, &error_buffer);
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in New Issue