gdbus: fix use-after-free 30/199530/2
author: Lars Uebernickel <lars.uebernickel@canonical.com>
Thu, 28 Jan 2016 14:39:18 +0000 (15:39 +0100)
committer: Hyotaek Shim <hyotaek.shim@samsung.com>
Tue, 26 Feb 2019 02:30:18 +0000 (02:30 +0000)
g_dbus_connection_call_internal() accesses the user data it passes to
g_dbus_connection_send_message_with_reply() after the call. That data
might be freed already in the case that the callback is called
immediately.

Fix this by removing the 'serial' field from the user data altogether
and fetching the serial from the message in the callback.

https://bugzilla.gnome.org/show_bug.cgi?id=748263

Change-Id: I6c6406f4782bbaeb19dad6b4ae08b3375592d3bc

gio/gdbusconnection.c

index e0181ac..29e8c10 100755 (executable)
@@ -6611,7 +6611,6 @@ typedef struct
 {
   GVariantType *reply_type;
   gchar *method_name; /* for error message */
-  guint32 serial;
 
   GUnixFDList *fd_list;
 } CallState;
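Review bot: removing `guint32 serial` from `CallState` is only safe if every remaining read of `state->serial` goes with it; the diff updates the callback and the async send path, so any other reference (a sync or error path not shown here) would now fail to compile, and a clean build is the check to run before merging. Dropping the field also removes the temptation to read `state` after the send call, which is the root cause described in the commit message.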
@@ -6652,7 +6651,7 @@ g_dbus_connection_call_done (GObject      *source,
                " <<<< ASYNC COMPLETE %s() (serial %d)\n"
                "      ",
                state->method_name,
-               state->serial);
+               g_dbus_message_get_reply_serial (reply));
       if (reply != NULL)
         {
           g_print ("SUCCESS\n");
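Review bot: `reply` can be NULL here (the next line is `if (reply != NULL)`), so in the error path `g_dbus_message_get_reply_serial (reply)` is called on a NULL message; in GLib that trips the `G_IS_DBUS_MESSAGE` precondition and logs a critical instead of printing the serial, whereas the old code printed `state->serial` in both cases. Suggest `reply != NULL ? g_dbus_message_get_reply_serial (reply) : 0`, or printing the serial only inside the `SUCCESS` branch. This only affects the GDBus call debug output, so it is a diagnostics regression rather than a functional one.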
@@ -6749,11 +6748,10 @@ g_dbus_connection_call_internal (GDBusConnection        *connection,
                                                  message,
                                                  G_DBUS_SEND_MESSAGE_FLAGS_NONE,
                                                  timeout_msec,
-                                                 &state->serial,
+                                                 &serial,
                                                  cancellable,
                                                  g_dbus_connection_call_done,
                                                  task);
-      serial = state->serial;
     }
   else
     {
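Review bot: passing `&serial` instead of `&state->serial`, and dropping the `serial = state->serial;` read after the call, is the actual fix: the callback can run (and free `task`, and with it `state`) before `g_dbus_connection_send_message_with_reply()` returns, so `state` must not be touched afterwards. The hunk does not show the declaration of the local `serial`; the removed assignment implies it already exists as a `guint32` at function scope, but confirm that the `else` branch still assigns it so the later use of `serial` is never uninitialized.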