gdbus: fix use-after-free
g_dbus_connection_call_internal() accesses the user data it passes to g_dbus_connection_send_message_with_reply() after the call. That data might be freed already in the case that the callback is called immediately. Fix this by removing the 'serial' field from the user data altogether and fetch the serial from the message in the callback. https://bugzilla.gnome.org/show_bug.cgi?id=748263
parent
783e12e86c
commit
0751ccd315
@ -5660,7 +5660,6 @@ typedef struct
|
||||
{
|
||||
GVariantType *reply_type;
|
||||
gchar *method_name; /* for error message */
|
||||
guint32 serial;
|
||||
|
||||
GUnixFDList *fd_list;
|
||||
} CallState;
|
||||
@ -5701,7 +5700,7 @@ g_dbus_connection_call_done (GObject *source,
|
||||
" <<<< ASYNC COMPLETE %s() (serial %d)\n"
|
||||
" ",
|
||||
state->method_name,
|
||||
state->serial);
|
||||
g_dbus_message_get_reply_serial (reply));
|
||||
if (reply != NULL)
|
||||
{
|
||||
g_print ("SUCCESS\n");
|
||||
@ -5798,11 +5797,10 @@ g_dbus_connection_call_internal (GDBusConnection *connection,
|
||||
message,
|
||||
G_DBUS_SEND_MESSAGE_FLAGS_NONE,
|
||||
timeout_msec,
|
||||
&state->serial,
|
||||
&serial,
|
||||
cancellable,
|
||||
g_dbus_connection_call_done,
|
||||
task);
|
||||
serial = state->serial;
|
||||
}
|
||||
else
|
||||
{
|
||||
|
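Review bot: In g_dbus_connection_call_done the debug print now calls `g_dbus_message_get_reply_serial (reply)` before the `if (reply != NULL)` test that follows it, so on the failure path the getter is handed a NULL message. GLib getters usually guard this with a g_return_val_if_fail precondition, which would log a critical (fatal under G_DEBUG=fatal-criticals) instead of dereferencing, but that should be confirmed and not relied on. Passing `reply != NULL ? g_dbus_message_get_reply_serial (reply) : 0` keeps the use-after-free fix intact and makes the trace safe when the call failed; alternatively, print the serial only inside the non-NULL branch. The value is a guint32, so `%u` would match it better than `%d`. The function body starts and ends outside the hunk.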