dbus_connection_send_with_reply_and_block and errors
Timo Teräs
timo.teras at nokia.com
Wed Aug 10 02:02:53 EST 2005
Hi,

I just noticed that DBusError might refer to freed memory after some D-BUS
API calls. E.g.:

dbus_set_error() never duplicates the error.name field; it just does a
pointer assignment.

dbus_set_error_from_message() does dbus_set_error() with name pointer passed
from dbus_message_get_error_name(). So the DBusError is only valid as long
as the original DBusMessage object exists.

dbus_connection_send_with_reply_and_block() in case of error does
dbus_set_error_from_message() and immediately dbus_message_unref(), thus all
errors returned by _send_with_reply_and_block() will refer to already
freed memory. Most probably dbus_set_error_from_message() is misused in a
lot of other places too (e.g. applications using libdbus).

How should this be fixed? Modify DBusError to duplicate/free the .name field
as well? Or maybe dbus_set_error_from_message() could add a refcount to the
message?

Cheers,
Timo
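
The lifetime problem described in the message above, as an added example that is not part of the original post and is not libdbus code: a toy model in which `Msg`, `Err` and every function name are hypothetical stand-ins and the error name is constructed. It contrasts the borrowed-pointer assignment with the duplicate-the-name option raised in the post.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-ins for a message and an error (hypothetical, not libdbus types). */
typedef struct { int refcount; char *error_name; } Msg;
typedef struct { const char *name; char *owned; } Err;

static char *dup_str(const char *s) {
    char *p = malloc(strlen(s) + 1);
    if (!p) abort();
    return strcpy(p, s);
}

static Msg *msg_new(const char *error_name) {
    Msg *m = malloc(sizeof *m);
    if (!m) abort();
    m->refcount = 1;
    m->error_name = dup_str(error_name);
    return m;
}

/* The name buffer is freed together with the last reference. */
static void msg_unref(Msg *m) {
    if (--m->refcount == 0) { free(m->error_name); free(m); }
}

/* Pattern from the post: pointer assignment, the error borrows the buffer. */
static void err_set_borrowed(Err *e, const Msg *m) { e->name = m->error_name; e->owned = NULL; }

/* One option raised in the post: the error keeps its own copy of the name. */
static void err_set_dup(Err *e, const Msg *m) { e->owned = dup_str(m->error_name); e->name = e->owned; }
static void err_free(Err *e) { free(e->owned); e->name = e->owned = NULL; }

/* Models a failing blocking call: set the error, then unref the reply.
   Returns 1 if e->name aliased the reply's buffer, i.e. it now dangles. */
static int send_and_block(Err *e, int duplicate) {
    Msg *reply = msg_new("org.example.Error.Failed"); /* constructed name */
    if (duplicate) err_set_dup(e, reply); else err_set_borrowed(e, reply);
    int dangling = (e->name == reply->error_name);
    msg_unref(reply);
    return dangling;
}

int main(void) {
    Err e = {0};
    printf("borrowed:   dangling=%d (name must not be read)\n", send_and_block(&e, 0));
    int dangling = send_and_block(&e, 1);
    printf("duplicated: dangling=%d name=%s\n", dangling, e.name);
    err_free(&e);
    return 0;
}
```

Building the model with `-fsanitize=address` and reading `e.name` after the borrowed variant makes the sanitizer report the use-after-free, which is a practical way to find the same pattern in callers.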