From 9a661ab970d194afc59f9b7cdf603fe4bd66505d Mon Sep 17 00:00:00 2001
From: Philip Withnall
Date: Mon, 26 Feb 2024 15:26:03 +0000
Subject: [PATCH] gsocketclient: Fix a use-after-free in g_socket_client_connected_callback()
The ref held by `data->task` may be the last one on the `GTask`. The `GTask` stores `attempt->data` as its task data, and so when the `GTask` is finalised, `attempt->data` is too. `connection_attempt_remove()` needs to access `attempt->data`, so must be called before the `g_object_unref()` in this situation.
Signed-off-by: Philip Withnall
Fixes: #3266
---
 gio/gsocketclient.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gio/gsocketclient.c b/gio/gsocketclient.c
index 1127e4599..d4231599a 100644
--- a/gio/gsocketclient.c
+++ b/gio/gsocketclient.c
@@ -1931,9 +1931,9 @@ g_socket_client_connected_callback (GObject *source,
 if (task_completed_or_cancelled (data) ||
 g_cancellable_is_cancelled (attempt->cancellable))
 {
- g_object_unref (data->task);
 connection_attempt_remove (attempt);
 connection_attempt_unref (attempt);
+ g_object_unref (data->task);
 return;
 }
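Review bot: The order of the three calls in this early-return branch is now what prevents the use-after-free, but nothing on the new lines records that, so a later tidy-up could move `g_object_unref (data->task);` back to the top of the branch. I would add a comment directly above it, e.g. `/* Must come last: this may drop the final ref on the GTask, which frees attempt->data. */`. The rest of g_socket_client_connected_callback() lies outside the hunk, so it is worth confirming that no other exit path there releases `data->task` before its last use of `attempt->data`. The diffstat shows only gio/gsocketclient.c changed; a regression test for this completed-or-cancelled branch, run under a memory-error detector, would pin the ordering.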