gdbus: fix use-after-free

g_dbus_connection_call_internal() accesses the user data it passes to g_dbus_connection_send_message_with_reply() after the call. That data might be freed already in the case that the callback is called immediately. Fix this by removing the 'serial' field from the user data altogether and fetch the serial from the message in the callback. https://bugzilla.gnome.org/show_bug.cgi?id=748263
2024-11-09 19:06:15 +01:00 · 2016-01-28 15:39:18 +01:00 · 2016-01-28 15:39:18 +01:00 · 0751ccd315
commit 0751ccd315
parent 783e12e86c
1 changed files with 2 additions and 4 deletions
--- a/gio/gdbusconnection.c
+++ b/gio/gdbusconnection.c
@ -5660,7 +5660,6 @@ typedef struct
 {
  GVariantType *reply_type;
  gchar *method_name; /* for error message */
-  guint32 serial;

  GUnixFDList *fd_list;
 } CallState;
@ -5701,7 +5700,7 @@ g_dbus_connection_call_done (GObject      *source,
               " <<<< ASYNC COMPLETE %s() (serial %d)\n"
               "      ",
               state->method_name,
-               state->serial);
+               g_dbus_message_get_reply_serial (reply));
      if (reply != NULL)
        {
          g_print ("SUCCESS\n");
@ -5798,11 +5797,10 @@ g_dbus_connection_call_internal (GDBusConnection        *connection,
                                                 message,
                                                 G_DBUS_SEND_MESSAGE_FLAGS_NONE,
                                                 timeout_msec,
-                                                 &state->serial,
+                                                 &serial,
                                                 cancellable,
                                                 g_dbus_connection_call_done,
                                                 task);
-      serial = state->serial;
    }
  else
    {