From 83f507db4bef97507feb92d8edcbbe12881de435 Mon Sep 17 00:00:00 2001
From: Frediano Ziglio
Date: Thu, 3 Sep 2015 10:25:13 +0100
Subject: spice_timer_queue: fix access after free

Do not access to timer after we call the associated function. Some of these callbacks can call spice_timer_remove making the pointer pointing to freed data. This happen for instance when the client is disconnecting.

This does not cause memory corruption on current allocator implementations as all freeing/accessing happen on a single thread quite closely and allocators use different pools for different thread.

Signed-off-by: Frediano Ziglio
Acked-by: Christophe Fergeau
---
 server/spice_timer_queue.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'server/spice_timer_queue.c')

diff --git a/server/spice_timer_queue.c b/server/spice_timer_queue.c
index d4578453..c4f2f6e6 100644
--- a/server/spice_timer_queue.c
+++ b/server/spice_timer_queue.c
@@ -261,8 +261,13 @@ void spice_timer_queue_cb(void)
         if (timer->expiry_time > now_ms) {
             break;
         } else {
-            timer->func(timer->opaque);
+            /* Remove active timer before calling the timer function.
+             * Timer function could delete the timer making the timer
+             * pointer point to freed data.
+             */
             spice_timer_cancel(timer);
+            timer->func(timer->opaque);
+            /* timer could now be invalid ! */
         }
     }
 }
-- 
cgit
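Review bot: The trailing comment `/* timer could now be invalid ! */` names the hazard but not its cause or its scope, which is what the next maintainer needs; `/* The callback may call spice_timer_remove() and free the timer; do not dereference timer past this point. */` would carry the reason the cancel was moved ahead of the call. Since `spice_timer_cancel(timer)` now runs before `timer->func(timer->opaque)`, a callback that re-arms the same timer is presumably left armed rather than being cancelled afterwards as the old order did; if that is intended, the leading comment should say so. The head of the enclosing loop is outside the hunk, so it is not visible whether its step or any statement after the `else` block reads `timer` to advance to the next entry; such a read would still be a use-after-free that this change does not cover, so confirm the loop re-fetches its entry from the queue on each iteration. spice_timer_queue_cb begins before this hunk.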