gnetworkmonitor: Fix use-after-free when using from another thread

When using g_network_monitor_get_default() from another thread, it’s possible for network-changed events to be processed after an instance of GNetworkMonitor has been disposed, causing use-after-free problems. Fix that by moving some of the initialisation into the GInitable.init() chain, rather than in a main context idle callback. This includes a unit test which probabilistically reproduces the bug (but can’t do so deterministically due to it being a race condition). Commit amended by Philip Withnall <withnall@endlessm.com> before pushing. https://bugzilla.gnome.org/show_bug.cgi?id=793727
2025-08-01 23:13:40 +02:00 · 2018-04-10 15:27:00 +00:00
parent 24e80aac1f
commit ca0add4b8a
7 changed files with 122 additions and 18 deletions
--- a/gio/gnetworkmonitorbase.c
+++ b/gio/gnetworkmonitorbase.c
@@ -81,7 +81,6 @@ g_network_monitor_base_init (GNetworkMonitorBase *monitor)
    g_main_context_ref (monitor->priv->context);

  monitor->priv->initializing = TRUE;
-  queue_network_changed (monitor);
 }

 static void
@@ -349,6 +348,10 @@ g_network_monitor_base_initable_init (GInitable     *initable,
                                      GCancellable  *cancellable,
                                      GError       **error)
 {
+  GNetworkMonitorBase *base = G_NETWORK_MONITOR_BASE (initable);
+
+  base->priv->initializing = FALSE;
+
  return TRUE;
 }

@@ -364,23 +367,21 @@ emit_network_changed (gpointer user_data)
  GNetworkMonitorBase *monitor = user_data;
  gboolean is_available;

+  if (g_source_is_destroyed (g_main_current_source ()))
+    return FALSE;
+
  g_object_ref (monitor);

-  if (monitor->priv->initializing)
-    monitor->priv->initializing = FALSE;
-  else
+  is_available = (monitor->priv->have_ipv4_default_route ||
+                  monitor->priv->have_ipv6_default_route);
+  if (monitor->priv->is_available != is_available)
    {
-      is_available = (monitor->priv->have_ipv4_default_route ||
-                      monitor->priv->have_ipv6_default_route);
-      if (monitor->priv->is_available != is_available)
-        {
-          monitor->priv->is_available = is_available;
-          g_object_notify (G_OBJECT (monitor), "network-available");
-        }
-
-      g_signal_emit (monitor, network_changed_signal, 0, is_available);
+      monitor->priv->is_available = is_available;
+      g_object_notify (G_OBJECT (monitor), "network-available");
    }

+  g_signal_emit (monitor, network_changed_signal, 0, is_available);
+
  g_source_unref (monitor->priv->network_changed_source);
  monitor->priv->network_changed_source = NULL;

@@ -391,7 +392,8 @@ emit_network_changed (gpointer user_data)
 static void
 queue_network_changed (GNetworkMonitorBase *monitor)
 {
-  if (!monitor->priv->network_changed_source)
+  if (!monitor->priv->network_changed_source &&
+      !monitor->priv->initializing)
    {
      GSource *source;