Crash authentication_agent_new with invalid object path in RegisterAuthenticationAgent

Tavis Ormandy taviso at
Fri May 29 11:08:35 PDT 2015

Hello, I've noticed polkitd dumps core if you set an invalid object
path when calling RegisterAuthenticationAgent. It looks like this code
doesn't check if error was set before dereferencing it:

if (agent->proxy == NULL) {
    g_warning ("Error constructing proxy for agent: %s", error->message);
    g_error_free (error);
    /* TODO: Make authentication_agent_new() return NULL and set a GError */

Compile the attached testcase to verify.

$ gcc polkit.c $(pkg-config --cflags --libs glib-2.0,gio-2.0)
$ ./a.out
Type:    error
Flags:   no-reply-expected
Version: 0
Serial:  3
  error-name -> 'org.freedesktop.DBus.Error.NoReply'
  reply-serial -> uint32 2
  destination -> ':1.76335'
  sender -> 'org.freedesktop.DBus'
  signature -> signature 's'
Body: ('Message did not receive a reply (timeout by message bus)',)
UNIX File Descriptors:

Thanks, Tavis.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: polkit.c
Type: text/x-csrc
Size: 1287 bytes
Desc: not available
URL: <>

More information about the polkit-devel mailing list