Do not access to timer after we call the associated function. Some of these callbacks can free timer making the pointer pointing to freed data. This happen for instance when the client is disconnecting. This does not cause memory corruption on current allocator implementations as all freeing/accessing happen on a single thread quite closely and allocators use different pools for different thread. Signed-off-by: Frediano Ziglio <fziglio@xxxxxxxxxx> --- server/spice_timer_queue.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/server/spice_timer_queue.c b/server/spice_timer_queue.c index d457845..c4f2f6e 100644 --- a/server/spice_timer_queue.c +++ b/server/spice_timer_queue.c @@ -261,8 +261,13 @@ void spice_timer_queue_cb(void) if (timer->expiry_time > now_ms) { break; } else { - timer->func(timer->opaque); + /* Remove active timer before calling the timer function. + * Timer function could delete the timer making the timer + * pointer point to freed data. + */ spice_timer_cancel(timer); + timer->func(timer->opaque); + /* timer could now be invalid ! */ } } } -- 2.4.3 _______________________________________________ Spice-devel mailing list Spice-devel@xxxxxxxxxxxxxxxxxxxxx http://lists.freedesktop.org/mailman/listinfo/spice-devel