pstream: Fix use-after-free in srb_callback

We need to guard the pstream with an extra ref to ensure it is not destroyed at the time we check whether or not the srbchannel is destroyed. Reported-by: Takashi Iwai <tiwai@suse.de> BugLink: http://bugzilla.opensuse.org/show_bug.cgi?id=950487 Signed-off-by: David Henningsson <david.henningsson@canonical.com>
author: David Henningsson <david.henningsson@canonical.com> 2015-10-16 22:12:32 +0200
committer: David Henningsson <david.henningsson@canonical.com> 2015-10-20 16:53:32 +0200
commit: f277f2c5094fb32c5d879923960eb807b3b1c535 (patch)
tree: bde5473de695c2e7efb7473c00ec8e08ecea414e
parent: 91313e60a81e96ce976f24c522656c57b4ab94ca (diff)
1 files changed, 10 insertions, 1 deletions
diff --git a/src/pulsecore/pstream.c b/src/pulsecore/pstream.c
index 8c14fbb3c..98a838203 100644
--- a/src/pulsecore/pstream.c
+++ b/src/pulsecore/pstream.c
@@ -216,14 +216,23 @@ fail:
 }
 
 static bool srb_callback(pa_srbchannel *srb, void *userdata) {
+    bool b;
     pa_pstream *p = userdata;
 
     pa_assert(p);
     pa_assert(PA_REFCNT_VALUE(p) > 0);
     pa_assert(p->srb == srb);
 
+    pa_pstream_ref(p);
+
     do_pstream_read_write(p);
-    return p->srb != NULL;
+
+    /* If either pstream or the srb is going away, return false.
+       We need to check this before p is destroyed. */
+    b = (PA_REFCNT_VALUE(p) > 1) && (p->srb == srb);
+    pa_pstream_unref(p);
+
+    return b;
 }
 
 static void io_callback(pa_iochannel*io, void *userdata) {
author	David Henningsson <david.henningsson@canonical.com>	2015-10-16 22:12:32 +0200
committer	David Henningsson <david.henningsson@canonical.com>	2015-10-20 16:53:32 +0200
commit	f277f2c5094fb32c5d879923960eb807b3b1c535 (patch)
tree	bde5473de695c2e7efb7473c00ec8e08ecea414e
parent	91313e60a81e96ce976f24c522656c57b4ab94ca (diff)