socket: fix a heap use-after-free on the send queue

author Fabrice Bellet <fabrice@bellet.info>

Wed, 12 Jun 2019 13:58:41 +0000 (15:58 +0200)

committer Olivier Crête <olivier.crete@collabora.com>

Thu, 4 Jul 2019 21:03:43 +0000 (17:03 -0400)
author Fabrice Bellet <fabrice@bellet.info>
Wed, 12 Jun 2019 13:58:41 +0000 (15:58 +0200)
committer Olivier Crête <olivier.crete@collabora.com>
Thu, 4 Jul 2019 21:03:43 +0000 (17:03 -0400)
diff --git a/socket/socket.c b/socket/socket.c

index 260a190..b60d2d3 100644 (file)
--- a/socket/socket.c
+++ b/socket/socket.c
@@ -358,12 +358,6 @@ void nice_socket_queue_send_with_callback (GQueue *send_queue,
    else
      g_queue_push_tail (send_queue, tbs);
  
-  if (io_source && gsock && context && cb && *io_source == NULL) {
-    *io_source = g_socket_create_source(gsock, G_IO_OUT, NULL);
-    g_source_set_callback (*io_source, (GSourceFunc) G_CALLBACK (cb), user_data, NULL);
-    g_source_attach (*io_source, context);
-  }
-
    /* Move the data into the buffer. */
    for (j = 0;
         (message->n_buffers >= 0 && j < (guint) message->n_buffers) ||
@@ -386,6 +380,12 @@ void nice_socket_queue_send_with_callback (GQueue *send_queue,
      else
        message_offset = 0;
    }
+
+  if (io_source && gsock && context && cb && *io_source == NULL) {
+    *io_source = g_socket_create_source(gsock, G_IO_OUT, NULL);
+    g_source_set_callback (*io_source, (GSourceFunc) G_CALLBACK (cb), user_data, NULL);
+    g_source_attach (*io_source, context);
+  }
  }
  
  void nice_socket_flush_send_queue (NiceSocket *base_socket, GQueue *send_queue)
author	Fabrice Bellet <fabrice@bellet.info>
	Wed, 12 Jun 2019 13:58:41 +0000 (15:58 +0200)
committer	Olivier Crête <olivier.crete@collabora.com>
	Thu, 4 Jul 2019 21:03:43 +0000 (17:03 -0400)