bus: fix use-after-free in slot-release

We must not access slot->floating after we possible dropped the last reference to it. Fix all callback-invocations to first check slot->floating and possible disconnect the slot, then release the last reference.
author: David Herrmann <dh.herrmann@gmail.com> 2014-08-28 12:42:03 +0200
committer: David Herrmann <dh.herrmann@gmail.com> 2014-08-28 12:45:51 +0200
commit: d974ad0524942882f489914013d08ab16d147170 (patch)
tree: bf184fa3e3d1a474f12b6a45908f27620bf2881e
parent: fa9838ddd62ea31f8aea99757916a16d76b31cbc (diff)
1 files changed, 9 insertions, 3 deletions
diff --git a/src/libsystemd/sd-bus/sd-bus.c b/src/libsystemd/sd-bus/sd-bus.c
index a204d6759..8caa40422 100644
--- a/src/libsystemd/sd-bus/sd-bus.c
+++ b/src/libsystemd/sd-bus/sd-bus.c
@@ -2107,7 +2107,7 @@ static int process_timeout(sd_bus *bus) {
         r = c->callback(bus, m, slot->userdata, &error_buffer);
         bus->current_userdata = NULL;
         bus->current_handler = NULL;
-        bus->current_slot = sd_bus_slot_unref(slot);
+        bus->current_slot = NULL;
         bus->current_message = NULL;
 
         if (slot->floating) {
@@ -2115,6 +2115,8 @@ static int process_timeout(sd_bus *bus) {
                 sd_bus_slot_unref(slot);
         }
 
+        sd_bus_slot_unref(slot);
+
         return bus_maybe_reply_error(m, r, &error_buffer);
 }
 
@@ -2203,13 +2205,15 @@ static int process_reply(sd_bus *bus, sd_bus_message *m) {
         r = c->callback(bus, m, slot->userdata, &error_buffer);
         bus->current_userdata = NULL;
         bus->current_handler = NULL;
-        bus->current_slot = sd_bus_slot_unref(slot);
+        bus->current_slot = NULL;
 
         if (slot->floating) {
                 bus_slot_disconnect(slot);
                 sd_bus_slot_unref(slot);
         }
 
+        sd_bus_slot_unref(slot);
+
         return bus_maybe_reply_error(m, r, &error_buffer);
 }
 
@@ -2529,7 +2533,7 @@ static int process_closing(sd_bus *bus, sd_bus_message **ret) {
                 r = c->callback(bus, m, slot->userdata, &error_buffer);
                 bus->current_userdata = NULL;
                 bus->current_handler = NULL;
-                bus->current_slot = sd_bus_slot_unref(slot);
+                bus->current_slot = NULL;
                 bus->current_message = NULL;
 
                 if (slot->floating) {
@@ -2537,6 +2541,8 @@ static int process_closing(sd_bus *bus, sd_bus_message **ret) {
                         sd_bus_slot_unref(slot);
                 }
 
+                sd_bus_slot_unref(slot);
+
                 return bus_maybe_reply_error(m, r, &error_buffer);
         }
author	David Herrmann <dh.herrmann@gmail.com>	2014-08-28 12:42:03 +0200
committer	David Herrmann <dh.herrmann@gmail.com>	2014-08-28 12:45:51 +0200
commit	d974ad0524942882f489914013d08ab16d147170 (patch)
tree	bf184fa3e3d1a474f12b6a45908f27620bf2881e
parent	fa9838ddd62ea31f8aea99757916a16d76b31cbc (diff)