picnoir
/
Systemd
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

bus: fix use-after-free in slot-release 

We must not access slot->floating after we possible dropped the last
reference to it. Fix all callback-invocations to first check
slot->floating and possible disconnect the slot, then release the last
reference.
This commit is contained in:
David Herrmann 2014-08-28 12:42:03 +02:00
parent fa9838ddd6
commit d974ad0524
1 changed files with 9 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
src/libsystemd/sd-bus/sd-bus.c
View File

@ -2107,7 +2107,7 @@ static int process_timeout(sd_bus *bus) {
r = c->callback(bus, m, slot->userdata, &error_buffer);
bus->current_userdata = NULL;
bus->current_handler = NULL;
bus->current_slot = sd_bus_slot_unref(slot);
bus->current_slot = NULL;
bus->current_message = NULL;
if (slot->floating) {
@ -2115,6 +2115,8 @@ static int process_timeout(sd_bus *bus) {
sd_bus_slot_unref(slot);
}
sd_bus_slot_unref(slot);
return bus_maybe_reply_error(m, r, &error_buffer);
}
@ -2203,13 +2205,15 @@ static int process_reply(sd_bus *bus, sd_bus_message *m) {
r = c->callback(bus, m, slot->userdata, &error_buffer);
bus->current_userdata = NULL;
bus->current_handler = NULL;
bus->current_slot = sd_bus_slot_unref(slot);
bus->current_slot = NULL;
if (slot->floating) {
bus_slot_disconnect(slot);
sd_bus_slot_unref(slot);
}
sd_bus_slot_unref(slot);
return bus_maybe_reply_error(m, r, &error_buffer);
}
@ -2529,7 +2533,7 @@ static int process_closing(sd_bus *bus, sd_bus_message **ret) {
r = c->callback(bus, m, slot->userdata, &error_buffer);
bus->current_userdata = NULL;
bus->current_handler = NULL;
bus->current_slot = sd_bus_slot_unref(slot);
bus->current_slot = NULL;
bus->current_message = NULL;
if (slot->floating) {
@ -2537,6 +2541,8 @@ static int process_closing(sd_bus *bus, sd_bus_message **ret) {
sd_bus_slot_unref(slot);
}
sd_bus_slot_unref(slot);
return bus_maybe_reply_error(m, r, &error_buffer);
}