authorLars Uebernickel <lars.uebernickel@canonical.com>2016-01-28 15:39:18 +0100
committerColin Walters <walters@verbum.org>2017-05-12 14:43:22 -0400
commit0751ccd31505cd2774053553263466c6933b3c42 (patch)
treebc5fd47b9a691be0118aaad58cdabd7dec6e2cfd
parent783e12e86cc1c6dfc25575ead1b0b6ddbf2a0bb7 (diff)
gdbus: fix use-after-free
g_dbus_connection_call_internal() accesses the user data it passes to g_dbus_connection_send_message_with_reply() after that call returns. The data may already have been freed if the callback was invoked immediately. Fix this by removing the 'serial' field from the user data altogether and fetching the serial from the message in the callback. https://bugzilla.gnome.org/show_bug.cgi?id=748263
-rw-r--r--gio/gdbusconnection.c6
1 files changed, 2 insertions, 4 deletions
diff --git a/gio/gdbusconnection.c b/gio/gdbusconnection.c
index 4a4f4031b..826341950 100644
--- a/gio/gdbusconnection.c
+++ b/gio/gdbusconnection.c
@@ -5660,7 +5660,6 @@ typedef struct
{
GVariantType *reply_type;
gchar *method_name; /* for error message */
- guint32 serial;
GUnixFDList *fd_list;
} CallState;
@@ -5701,7 +5700,7 @@ g_dbus_connection_call_done (GObject *source,
" <<<< ASYNC COMPLETE %s() (serial %d)\n"
" ",
state->method_name,
- state->serial);
+ g_dbus_message_get_reply_serial (reply));
if (reply != NULL)
{
g_print ("SUCCESS\n");
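Review bot: The new `g_dbus_message_get_reply_serial (reply)` argument is evaluated unconditionally, but the very next line tests `reply != NULL`, so on the failure path this now calls the getter on a NULL message; assuming the usual g_return_val_if_fail guard in that getter, that is a runtime critical (and a serial of 0 in the log) rather than a crash, but it is new behaviour the old `state->serial` did not have. Guarding the argument keeps the debug output safe on both paths: `reply != NULL ? g_dbus_message_get_reply_serial (reply) : 0`. Alternatively, move the serial into the `if (reply != NULL)` branch of the print. g_dbus_connection_call_done() begins and ends outside this hunk, so the point where `reply` is obtained is not visible here.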
@@ -5798,11 +5797,10 @@ g_dbus_connection_call_internal (GDBusConnection *connection,
message,
G_DBUS_SEND_MESSAGE_FLAGS_NONE,
timeout_msec,
- &state->serial,
+ &serial,
cancellable,
g_dbus_connection_call_done,
task);
- serial = state->serial;
}
else
{
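Review bot: Nothing in the hunk records why `&state->serial` became `&serial` and why the line after the call was dropped, so a later maintainer could reintroduce the same use-after-free by reading `state` after g_dbus_connection_send_message_with_reply() returns. A short comment above the call would make the invariant explicit, e.g. `/* The callback may run synchronously and free 'state'; do not touch it after this call. */`. It would also be worth confirming that the `else` branch starting at the end of this hunk still assigns `serial` on its own path, since the local is now only set through the out-parameter here; the rest of g_dbus_connection_call_internal() lies outside the hunk.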