authorFrediano Ziglio <fziglio@redhat.com>2015-09-03 10:25:13 +0100
committerFrediano Ziglio <fziglio@redhat.com>2015-09-03 10:25:13 +0100
commit83f507db4bef97507feb92d8edcbbe12881de435 (patch)
tree662a502488a229224c06c1868c8e526eb14e5c44 /server/spice_timer_queue.c
parent2a09a5fa36763214fd0f03f57528eba9a878039f (diff)
spice_timer_queue: fix access after free
Do not access the timer after we call the associated function. Some of these callbacks can call spice_timer_remove, leaving the pointer pointing to freed data. This happens for instance when the client is disconnecting. This does not cause memory corruption on current allocator implementations, as all freeing/accessing happens on a single thread quite closely and allocators use different pools for different threads. Signed-off-by: Frediano Ziglio <fziglio@redhat.com> Acked-by: Christophe Fergeau <cfergeau@redhat.com>
Diffstat (limited to 'server/spice_timer_queue.c')
-rw-r--r--server/spice_timer_queue.c7
1 files changed, 6 insertions, 1 deletions
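--- a/server/spice_timer_queue.c
+++ b/server/spice_timer_queue.c
@@ -261,8 +261,13 @@ void spice_timer_queue_cb(void)
 if (timer->expiry_time > now_ms) {
 break;
 } else {
-timer->func(timer->opaque);
+/* Remove active timer before calling the timer function.
+ * Timer function could delete the timer making the timer
+ * pointer point to freed data.
+ */
 spice_timer_cancel(timer);
+timer->func(timer->opaque);
+/* timer could now be invalid ! */
 }
 }
 }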
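Review bot: The reordering only closes the use-after-free if the loop never touches `timer` again after the `timer->func(timer->opaque)` call, and the loop head that picks the next timer is outside this hunk, so it cannot be confirmed here; if the next iteration follows `timer`'s own link rather than re-reading the active list head, the freed pointer is still dereferenced. It is worth stating that invariant explicitly, e.g. replace the trailing comment with `/* timer may have been freed by func(); the next iteration must re-read the list head, never timer's links */`. A more defensive shape is to copy the callback and its argument into locals before `spice_timer_cancel(timer)` (e.g. `void *opaque = timer->opaque;` plus a local holding `timer->func`) and call through the locals, so no field of `timer` is read once it has been cancelled. The enclosing function spice_timer_queue_cb begins before this hunk.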