From fbafb7059b369a3becd5891c75d6172ae5118ea5 Mon Sep 17 00:00:00 2001
From: Lars Uebernickel
Date: Thu, 28 Jan 2016 15:39:18 +0100
Subject: [PATCH] gdbus: fix use-after-free

g_dbus_connection_call_internal() accesses the user data it passes to g_dbus_connection_send_message_with_reply() after the call. That data might be freed already in the case that the callback is called immediately.

Fix this by removing the 'serial' field from the user data altogether and fetch the serial from the message in the callback.

https://bugzilla.gnome.org/show_bug.cgi?id=748263

Change-Id: I6c6406f4782bbaeb19dad6b4ae08b3375592d3bc
---
 gio/gdbusconnection.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/gio/gdbusconnection.c b/gio/gdbusconnection.c
index e0181ac..29e8c10 100755
--- a/gio/gdbusconnection.c
+++ b/gio/gdbusconnection.c
@@ -6611,7 +6611,6 @@ typedef struct {
 GVariantType *reply_type;
 gchar *method_name; /* for error message */
- guint32 serial;
 GUnixFDList *fd_list;
 } CallState;
@@ -6652,7 +6651,7 @@ g_dbus_connection_call_done (GObject *source,
 " <<<< ASYNC COMPLETE %s() (serial %d)\n"
 " ",
 state->method_name,
- state->serial);
+ g_dbus_message_get_reply_serial (reply));
 if (reply != NULL)
 {
 g_print ("SUCCESS\n");
@@ -6749,11 +6748,10 @@ g_dbus_connection_call_internal (GDBusConnection *connection,
 message,
 G_DBUS_SEND_MESSAGE_FLAGS_NONE,
 timeout_msec,
- &state->serial,
+ &serial,
 cancellable,
 g_dbus_connection_call_done,
 task);
- serial = state->serial;
 }
 else
 {
--
2.7.4
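Review bot: `g_dbus_message_get_reply_serial (reply)` in the rewritten debug g_print is evaluated before the `if (reply != NULL)` check on the very next line, so on the error path where no reply message exists it is called with NULL. GDBus message getters guard their argument with a g_return_val_if_fail precondition, so with call debugging enabled the failure case would emit a critical and print a meaningless serial — exactly the case where the serial is most useful to a reader of the log. Either guard it, `reply != NULL ? g_dbus_message_get_reply_serial (reply) : 0);`, or drop `(serial %d)` from the format string now that CallState no longer carries the serial. g_dbus_connection_call_done starts and ends outside the hunk, so where `reply` comes from is inferred from the NULL check visible here.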
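Review bot: `&serial` now points the out-serial at a local whose declaration is outside the hunk, and the removed `serial = state->serial;` was the only assignment to it in this branch; unless `serial` is already initialized at its declaration (`guint32 serial = 0;`), it would be read uninitialized on any path where g_dbus_connection_send_message_with_reply returns without storing it. The lifetime fix itself looks sound: the out-parameter now lives in g_dbus_connection_call_internal's own frame instead of in the CallState that the completion callback may already have freed. The `else` branch and the later uses of `serial` are also outside the hunk, so this is inferred from the visible lines.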