polkitagent: Fix access after dereference on hashtable

If an authentication is going on while the agent listener is
going away, then we access memory that has been freed.

g_hash_table_lookup_node: assertion failed: (hash_table->ref_count > 0)'

https://bugs.freedesktop.org/show_bug.cgi?id=94486

1 files changed, 4 insertions, 3 deletions

diff --git a/src/polkitagent/polkitagentlistener.c b/src/polkitagent/polkitagentlistener.c
index 80d1dc1..491e4b9 100644
--- a/src/polkitagent/polkitagentlistener.c
+++ b/src/polkitagent/polkitagentlistener.c
@@ -569,8 +569,8 @@ polkit_agent_register_listener (PolkitAgentListener  *listener,
 
 typedef struct
 {
-  Server *server;
   gchar *cookie;
+  GHashTable *cookie_to_pending_auth;
   GDBusMethodInvocation *invocation;
   GCancellable *cancellable;
 } AuthData;
@@ -581,6 +581,7 @@ auth_data_free (AuthData *data)
   g_free (data->cookie);
   g_object_unref (data->invocation);
   g_object_unref (data->cancellable);
+  g_hash_table_unref (data->cookie_to_pending_auth);
   g_free (data);
 }
 
@@ -607,7 +608,7 @@ auth_cb (GObject      *source_object,
       g_dbus_method_invocation_return_value (data->invocation, NULL);
     }
 
-  g_hash_table_remove (data->server->cookie_to_pending_auth, data->cookie);
+  g_hash_table_remove (data->cookie_to_pending_auth, data->cookie);
 
   auth_data_free (data);
 }
@@ -668,7 +669,7 @@ auth_agent_handle_begin_authentication (Server                 *server,
   identities = g_list_reverse (identities);
 
   data = g_new0 (AuthData, 1);
-  data->server = server;
+  data->cookie_to_pending_auth = g_hash_table_ref (server->cookie_to_pending_auth);
   data->cookie = g_strdup (cookie);
   data->invocation = g_object_ref (invocation);
   data->cancellable = g_cancellable_new ();