
From 0751ccd31505cd2774053553263466c6933b3c42 Mon Sep 17 00:00:00 2001
From: Lars Uebernickel <lars.uebernickel@canonical.com>
Date: Thu, 28 Jan 2016 15:39:18 +0100
Subject: [PATCH] gdbus: fix use-after-free
g_dbus_connection_call_internal() accesses the user data it passes to
g_dbus_connection_send_message_with_reply() after the call. That data
might be freed already in the case that the callback is called
immediately.
Fix this by removing the 'serial' field from the user data altogether
and fetching the serial from the message in the callback.
https://bugzilla.gnome.org/show_bug.cgi?id=748263
---
 gio/gdbusconnection.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/gio/gdbusconnection.c b/gio/gdbusconnection.c
index 4a4f403..8263419 100644
--- a/gio/gdbusconnection.c
+++ b/gio/gdbusconnection.c
@@ -5660,7 +5660,6 @@ typedef struct
 {
   GVariantType *reply_type;
   gchar *method_name; /* for error message */
-  guint32 serial;
 
   GUnixFDList *fd_list;
 } CallState;
@@ -5701,7 +5700,7 @@ g_dbus_connection_call_done (GObject      *source,
                " <<<< ASYNC COMPLETE %s() (serial %d)\n"
                "      ",
                state->method_name,
-               state->serial);
+               g_dbus_message_get_reply_serial (reply));
       if (reply != NULL)
         {
           g_print ("SUCCESS\n");
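Review bot: The new `g_dbus_message_get_reply_serial (reply)` argument is evaluated before the `if (reply != NULL)` check that immediately follows it, so on the failure path this debug print hands a NULL message to the accessor; the check on the next line indicates `reply` can be NULL at this point. The old code read the serial from `state` and had no such dependency, so the commit trades one lifetime problem for a NULL argument on the error path (presumably a runtime critical and a bogus serial rather than a crash, but that is inferred from GLib's usual accessor checks, not visible here). Guarding the argument keeps the print safe on both paths: `reply != NULL ? g_dbus_message_get_reply_serial (reply) : 0`, or move the serial into the SUCCESS/FAILED branches so it is only read when a reply exists. The enclosing `g_dbus_connection_call_done` begins outside the hunk, so how `reply` is obtained is not visible from this view.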
@@ -5798,11 +5797,10 @@ g_dbus_connection_call_internal (GDBusConnection        *connection,
                                                  message,
                                                  G_DBUS_SEND_MESSAGE_FLAGS_NONE,
                                                  timeout_msec,
-                                                 &state->serial,
+                                                 &serial,
                                                  cancellable,
                                                  g_dbus_connection_call_done,
                                                  task);
-      serial = state->serial;
     }
   else
     {
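Review bot: The new code correctly stops touching `state` after `g_dbus_connection_send_message_with_reply ()`, but nothing in the hunk records why, so a later edit that reads `task` or `state` after the call would silently reintroduce the use-after-free the commit message describes (the callback may run before the call returns and free them). A comment above the call would preserve that constraint: `/* The callback may run, and free task and its CallState, before this returns; do not touch them afterwards. */`. It is also worth confirming that the local `serial` is initialized before the `else` branch and its later use, since both are outside the hunk. `g_dbus_connection_call_internal` starts and ends outside the hunk.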
-- 
2.9.4