diff options
| author | Johan Hedberg <johan.hedberg@intel.com> | 2012-10-15 13:21:11 +0300 |
|---|---|---|
| committer | Marcel Holtmann <marcel@holtmann.org> | 2012-11-26 15:03:33 +0100 |
| commit | dda063bae15115189424bb498fcc81574518cf80 (patch) | |
| tree | a3735fedef888cab2fc36f222419d6efe5e241f8 | |
| parent | 74f945e5de07a5f2294c15b11b4f9c1107d89a7d (diff) | |
| download | obexd-dda063bae15115189424bb498fcc81574518cf80.tar.gz | |
gdbus: Fix invalid memory access during interface removal
If an interface is removed from the root path during the same mainloop
iteration that it was added we need to check for data->added before
doing the check for data->parent == NULL in the remove_interface()
function. Otherwise the added interface doesn't get removed from the
data->added list and will result in accessing freed memory:
==337== Invalid read of size 8
==337== at 0x4F65AFA: dbus_message_iter_append_basic (in /usr/lib64/libdbus-1.so.3.7.1)
==337== by 0x1247B5: append_interface (object.c:556)
==337== by 0x4C8DC5C: g_slist_foreach (gslist.c:840)
==337== by 0x1261F7: process_changes (object.c:594)
==337== by 0x126372: generic_unregister (object.c:997)
==337== by 0x4F69669: ??? (in /usr/lib64/libdbus-1.so.3.7.1)
==337== by 0x4F5CE51: dbus_connection_unregister_object_path (in /usr/lib64/libdbus-1.so.3.7.1)
==337== by 0x125E81: object_path_unref (object.c:1236)
==337== by 0x126136: g_dbus_unregister_interface (object.c:1361)
==337== by 0x14CDF0: service_exit (service.c:581)
==337== by 0x177556: plugin_cleanup (plugin.c:242)
==337== by 0x12221F: main (main.c:559)
==337== Address 0x5bc1550 is 0 bytes inside a block of size 56 free'd
==337== at 0x4A079AE: free (vg_replace_malloc.c:427)
==337== by 0x4C7850E: g_free (gmem.c:252)
==337== by 0x125DB0: remove_interface (object.c:671)
==337== by 0x125E3B: object_path_unref (object.c:1230)
==337== by 0x126136: g_dbus_unregister_interface (object.c:1361)
==337== by 0x14CDF0: service_exit (service.c:581)
==337== by 0x177556: plugin_cleanup (plugin.c:242)
==337== by 0x12221F: main (main.c:559)
| -rw-r--r-- | gdbus/object.c | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/gdbus/object.c b/gdbus/object.c index aa38c07..4147361 100644 --- a/gdbus/object.c +++ b/gdbus/object.c @@ -655,12 +655,6 @@ static gboolean remove_interface(struct generic_data *data, const char *name) iface->user_data = NULL; } - if (data->parent == NULL) { - g_free(iface->name); - g_free(iface); - return TRUE; - } - /* * Interface being removed was just added, on the same mainloop * iteration? Don't send any signal @@ -672,6 +666,12 @@ static gboolean remove_interface(struct generic_data *data, const char *name) return TRUE; } + if (data->parent == NULL) { + g_free(iface->name); + g_free(iface); + return TRUE; + } + data->removed = g_slist_prepend(data->removed, iface->name); g_free(iface); |