diff options
author | Stef Walter <stefw@redhat.com> | 2016-03-11 10:00:43 +0100 |
---|---|---|
committer | Miloslav Trmač <mitr@redhat.com> | 2016-03-12 02:50:36 +0100 |
commit | 673ef80ed0079d8a4343fb2567b483be17c58969 (patch) | |
tree | a30e6cf7fd5fcd64e3473b3071337e8a6f5fd421 | |
parent | 7d2610550e3fecb0d9895bbaf56bab58f937db36 (diff) | |
download | polkit-673ef80ed0079d8a4343fb2567b483be17c58969.tar.gz |
polkitagent: Fix access after dereference on hashtable
If an authentication is going on while the agent listener is
going away, then we access memory that has been freed.
g_hash_table_lookup_node: assertion failed: (hash_table->ref_count > 0)'
https://bugs.freedesktop.org/show_bug.cgi?id=94486
-rw-r--r-- | src/polkitagent/polkitagentlistener.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/src/polkitagent/polkitagentlistener.c b/src/polkitagent/polkitagentlistener.c index 80d1dc1..491e4b9 100644 --- a/src/polkitagent/polkitagentlistener.c +++ b/src/polkitagent/polkitagentlistener.c @@ -569,8 +569,8 @@ polkit_agent_register_listener (PolkitAgentListener *listener, typedef struct { - Server *server; gchar *cookie; + GHashTable *cookie_to_pending_auth; GDBusMethodInvocation *invocation; GCancellable *cancellable; } AuthData; @@ -581,6 +581,7 @@ auth_data_free (AuthData *data) g_free (data->cookie); g_object_unref (data->invocation); g_object_unref (data->cancellable); + g_hash_table_unref (data->cookie_to_pending_auth); g_free (data); } @@ -607,7 +608,7 @@ auth_cb (GObject *source_object, g_dbus_method_invocation_return_value (data->invocation, NULL); } - g_hash_table_remove (data->server->cookie_to_pending_auth, data->cookie); + g_hash_table_remove (data->cookie_to_pending_auth, data->cookie); auth_data_free (data); } @@ -668,7 +669,7 @@ auth_agent_handle_begin_authentication (Server *server, identities = g_list_reverse (identities); data = g_new0 (AuthData, 1); - data->server = server; + data->cookie_to_pending_auth = g_hash_table_ref (server->cookie_to_pending_auth); data->cookie = g_strdup (cookie); data->invocation = g_object_ref (invocation); data->cancellable = g_cancellable_new (); |