[PATCH] spice_timer_queue: fix access after free

Do not access the timer after we call the associated function.
Some of these callbacks can free the timer, making the pointer point
to freed data.
This happens for instance when the client is disconnecting.
This does not cause memory corruption on current allocator
implementations as all freeing/accessing happens on a single thread quite
closely and allocators use different pools for different threads.

Signed-off-by: Frediano Ziglio <fziglio@xxxxxxxxxx>
---
 server/spice_timer_queue.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/server/spice_timer_queue.c b/server/spice_timer_queue.c
index d457845..c4f2f6e 100644
--- a/server/spice_timer_queue.c
+++ b/server/spice_timer_queue.c
@@ -261,8 +261,13 @@ void spice_timer_queue_cb(void)
         if (timer->expiry_time > now_ms) {
             break;
         } else {
-            timer->func(timer->opaque);
+            /* Remove active timer before calling the timer function.
+             * Timer function could delete the timer making the timer
+             * pointer point to freed data.
+             */
             spice_timer_cancel(timer);
+            timer->func(timer->opaque);
+            /* timer could now be invalid ! */
         }
     }
 }
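Review bot: the reorder at `spice_timer_cancel(timer);` / `timer->func(timer->opaque);` is a behaviour change beyond the use-after-free fix and the commit message should say so. With the old order (call, then cancel), a callback that re-armed its own timer would have that re-arm undone by the following cancel; with the new order the re-arm survives, which is probably the intended semantics but is not stated anywhere. Also, the closing comment `/* timer could now be invalid ! */` should say explicitly that nothing after the call in this loop body may dereference `timer`, and the loop's next-iteration lookup must not use `timer` as a cursor; the visible hunk ends right after the call so this holds now, but a later edit inserting code there would silently reintroduce the bug. Minor style: drop the space before `!`.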
-- 
2.4.3

_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/spice-devel