|
 |
0202c3 |
From cd5f5fcbde1dd92dabc59058ad90cf0e7dcfaad9 Mon Sep 17 00:00:00 2001
|
|
|
0202c3 |
From: Colin Walters <walters@verbum.org>
|
|
|
0202c3 |
Date: Mon, 3 Apr 2017 12:46:37 -0400
|
|
|
0202c3 |
Subject: [PATCH] soup: Hold a ref to the pending URI during completion
|
|
|
0202c3 |
processing
|
|
|
0202c3 |
|
|
|
0202c3 |
It was reported that in the range request handling, we called `remove_pending()`
|
|
|
0202c3 |
twice, and this could be viewed as a use-after-free. Currently though, the task
|
|
|
0202c3 |
object already holds a strong reference, so I observed the refcount was 2, hence
|
|
|
0202c3 |
there is no use-after-free in practice.
|
|
|
0202c3 |
|
|
|
0202c3 |
Reported-By: "Siddharth Sharma" <siddharth@redhat.com>
|
|
|
0202c3 |
---
|
|
|
0202c3 |
src/libostree/ostree-fetcher-soup.c | 12 ++++++------
|
|
|
0202c3 |
1 file changed, 6 insertions(+), 6 deletions(-)
|
|
|
0202c3 |
|
|
|
0202c3 |
diff --git a/src/libostree/ostree-fetcher-soup.c b/src/libostree/ostree-fetcher-soup.c
|
|
|
0202c3 |
index b130b48..0a931c4 100644
|
|
|
0202c3 |
--- a/src/libostree/ostree-fetcher-soup.c
|
|
|
0202c3 |
+++ b/src/libostree/ostree-fetcher-soup.c
|
|
|
0202c3 |
@@ -1040,21 +1040,20 @@ on_request_sent (GObject *object,
|
|
|
0202c3 |
gpointer user_data)
|
|
|
0202c3 |
{
|
|
|
0202c3 |
GTask *task = G_TASK (user_data);
|
|
|
0202c3 |
- OstreeFetcherPendingURI *pending;
|
|
|
0202c3 |
- GCancellable *cancellable;
|
|
|
0202c3 |
+ /* Hold a ref to the pending across this function, since we remove
|
|
|
0202c3 |
+ * it from the hash early in some cases, not in others. */
|
|
|
0202c3 |
+ OstreeFetcherPendingURI *pending = pending_uri_ref (g_task_get_task_data (task));
|
|
|
0202c3 |
+ GCancellable *cancellable = g_task_get_cancellable (task);
|
|
|
0202c3 |
GError *local_error = NULL;
|
|
|
0202c3 |
glnx_unref_object SoupMessage *msg = NULL;
|
|
|
0202c3 |
|
|
|
0202c3 |
- pending = g_task_get_task_data (task);
|
|
|
0202c3 |
- cancellable = g_task_get_cancellable (task);
|
|
|
0202c3 |
-
|
|
|
0202c3 |
pending->state = OSTREE_FETCHER_STATE_COMPLETE;
|
|
|
0202c3 |
pending->request_body = soup_request_send_finish ((SoupRequest*) object,
|
|
|
0202c3 |
result, &local_error);
|
|
|
0202c3 |
|
|
|
0202c3 |
if (!pending->request_body)
|
|
|
0202c3 |
goto out;
|
|
|
0202c3 |
-
|
|
|
0202c3 |
+
|
|
|
0202c3 |
if (SOUP_IS_REQUEST_HTTP (object))
|
|
|
0202c3 |
{
|
|
|
0202c3 |
msg = soup_request_http_get_message ((SoupRequestHTTP*) object);
|
|
|
0202c3 |
@@ -1183,6 +1182,7 @@ on_request_sent (GObject *object,
|
|
|
0202c3 |
remove_pending (pending);
|
|
|
0202c3 |
}
|
|
|
0202c3 |
|
|
|
0202c3 |
+ pending_uri_unref (pending);
|
|
|
0202c3 |
g_object_unref (task);
|
|
|
0202c3 |
}
|
|
|
0202c3 |
|
|
|
0202c3 |
--
|
|
|
0202c3 |
2.9.3
|
|
|
0202c3 |
|