diff options
author | Bastien Nocera <hadess@hadess.net> | 2015-12-03 18:28:46 +0100 |
---|---|---|
committer | Debarshi Ray <debarshir@gnome.org> | 2015-12-09 13:24:55 +0100 |
commit | 2a09e2b15e7493256de4f40331ce6be4e1fe90f4 (patch) | |
tree | e2ff0f727049486dc1260d95822d37a1e4cc3e9d | |
parent | 38651783914c76bd861f7fe8651b25e3986d7be8 (diff) | |
download | dleyna-server-2a09e2b15e7493256de4f40331ce6be4e1fe90f4.tar.gz |
Fix possible use-after-free on exit
When the last client of dleyna-server exits, and dleyna-server
tries to exit, it might use the "upnp" pointer after it was freed as we
receive a signal where the user_data is invalid. Avoid that by zero'ing
freed pointers and disconnecting from the signal for which "upnp" is
user_data.
See https://retrace.fedoraproject.org/faf/reports/855440/
-rw-r--r-- | libdleyna/server/server.c | 5 | ||||
-rwxr-xr-x | libdleyna/server/upnp.c | 3 |
2 files changed, 7 insertions, 1 deletions
diff --git a/libdleyna/server/server.c b/libdleyna/server/server.c index ec725de..8653361 100644 --- a/libdleyna/server/server.c +++ b/libdleyna/server/server.c @@ -1352,12 +1352,15 @@ static void prv_control_point_stop_service(void) { uint i; - if (g_context.manager) + if (g_context.manager) { dls_manager_delete(g_context.manager); + g_context.manager = NULL; + } if (g_context.upnp) { dls_upnp_unsubscribe(g_context.upnp); dls_upnp_delete(g_context.upnp); + g_context.upnp = NULL; } if (g_context.connection) { diff --git a/libdleyna/server/upnp.c b/libdleyna/server/upnp.c index 6d6c696..dcf31d9 100755 --- a/libdleyna/server/upnp.c +++ b/libdleyna/server/upnp.c @@ -547,6 +547,9 @@ dls_upnp_t *dls_upnp_new(dleyna_connector_id_t connection, void dls_upnp_delete(dls_upnp_t *upnp) { if (upnp) { + g_signal_handlers_disconnect_by_func (G_OBJECT (upnp->context_manager), + G_CALLBACK(prv_on_context_available), + upnp); g_object_unref(upnp->context_manager); g_hash_table_unref(upnp->property_map); g_hash_table_unref(upnp->filter_map); |