From 2a09e2b15e7493256de4f40331ce6be4e1fe90f4 Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net>
Date: Thu, 3 Dec 2015 18:28:46 +0100
Subject: [PATCH] Fix possible use-after-free on exit
When the last client of dleyna-server exits, and dleyna-server
tries to exit, it might use the "upnp" pointer after it was freed as we
receive a signal where the user_data is invalid. Avoid that by zero'ing
freed pointers and disconnecting from the signal for which "upnp" is
user_data.
See https://retrace.fedoraproject.org/faf/reports/855440/
---
libdleyna/server/server.c | 5 ++++-
libdleyna/server/upnp.c | 3 +++
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/libdleyna/server/server.c b/libdleyna/server/server.c
index ec725de3f6b3..865336162d61 100644
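--- a/libdleyna/server/server.c
+++ b/libdleyna/server/server.c
@@ -1352,12 +1352,15 @@ static void prv_control_point_stop_service(void)
 {
 uint i;
 
- if (g_context.manager)
+ if (g_context.manager) {
 dls_manager_delete(g_context.manager);
+ g_context.manager = NULL;
+ }
 
 if (g_context.upnp) {
 dls_upnp_unsubscribe(g_context.upnp);
 dls_upnp_delete(g_context.upnp);
+ g_context.upnp = NULL;
 }
 
 if (g_context.connection) {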
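Review bot: In prv_control_point_stop_service() the globals are cleared only after the delete call has returned, so anything that runs during dls_manager_delete() or dls_upnp_delete() and reads `g_context.manager` / `g_context.upnp` still sees a pointer to an object that is being torn down. GLib's `g_clear_pointer()` sets the variable to NULL before it invokes the destroy function, so the upnp branch could read `g_clear_pointer(&g_context.upnp, dls_upnp_delete);` after the `dls_upnp_unsubscribe()` call. The same form would fit the manager if dls_manager_delete() takes a single pointer argument, which is not visible on this page. The function continues past the end of the hunk, so whether the `g_context.connection` teardown below needs the same treatment cannot be judged from here.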
diff --git a/libdleyna/server/upnp.c b/libdleyna/server/upnp.c
index 6d6c696dd42c..dcf31d98f171 100755
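--- a/libdleyna/server/upnp.c
+++ b/libdleyna/server/upnp.c
@@ -547,6 +547,9 @@ dls_upnp_t *dls_upnp_new(dleyna_connector_id_t connection,
 void dls_upnp_delete(dls_upnp_t *upnp)
 {
 if (upnp) {
+ g_signal_handlers_disconnect_by_func (G_OBJECT (upnp->context_manager),
+ G_CALLBACK(prv_on_context_available),
+ upnp);
 g_object_unref(upnp->context_manager);
 g_hash_table_unref(upnp->property_map);
 g_hash_table_unref(upnp->filter_map);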
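Review bot: The disconnect added at the top of dls_upnp_delete() removes only the `prv_on_context_available` handler, so any other handler connected on `upnp->context_manager` with `upnp` as user_data would still be invoked with a freed pointer once this function returns. dls_upnp_new() lies outside the hunk, so which signals are connected there is not visible; if there is more than one, `g_signal_handlers_disconnect_by_data(upnp->context_manager, upnp);` drops all of them in one call. A comment such as `/* context_manager can outlive upnp: drop our handlers before the unref */` would record why the disconnect has to precede `g_object_unref()`. As a style point, the neighbouring calls are written without a space before the parenthesis, and the `G_OBJECT()` cast is unnecessary because the macro takes a gpointer. The body of dls_upnp_delete() continues past the end of the hunk.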
--
2.5.5