[Spice-commits] server/spice_timer_queue.c

Frediano Ziglio fziglio at kemper.freedesktop.org
Thu Sep 3 02:26:00 PDT 2015


 server/spice_timer_queue.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

New commits:
commit 83f507db4bef97507feb92d8edcbbe12881de435
Author: Frediano Ziglio <fziglio at redhat.com>
Date:   Thu Sep 3 10:25:13 2015 +0100

    spice_timer_queue: fix access after free
    
    Do not access the timer after we call the associated function.
    Some of these callbacks can call spice_timer_remove, making the pointer
    point to freed data.
    This happens, for instance, when the client is disconnecting.
    This does not cause memory corruption on current allocator
    implementations, as all freeing/accessing happens on a single thread quite
    closely and allocators use different pools for different threads.
    
    Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
    Acked-by: Christophe Fergeau <cfergeau at redhat.com>

diff --git a/server/spice_timer_queue.c b/server/spice_timer_queue.c
index d457845..c4f2f6e 100644
--- a/server/spice_timer_queue.c
+++ b/server/spice_timer_queue.c
@@ -261,8 +261,13 @@ void spice_timer_queue_cb(void)
         if (timer->expiry_time > now_ms) {
             break;
         } else {
-            timer->func(timer->opaque);
+            /* Remove active timer before calling the timer function.
+             * Timer function could delete the timer making the timer
+             * pointer point to freed data.
+             */
             spice_timer_cancel(timer);
+            timer->func(timer->opaque);
+            /* timer could now be invalid ! */
         }
     }
 }
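Review bot: the loop header that drives this body is not part of the hunk, and after the reordering at the `timer->func(timer->opaque);` line the `/* timer could now be invalid ! */` comment applies to the loop's own advance expression as much as to the body. If the iteration step reads a field of `timer` (a `next` pointer or similar) to reach the following entry, a callback that calls spice_timer_remove still leaves a use-after-free, just one line later than before. Please confirm that the loop re-reads the queue head on every iteration (so that spice_timer_cancel having unlinked the entry makes the next pass pick up a live timer), or restructure the loop to fetch the next entry before invoking `timer->func`. It would also be worth stating in the comment above `spice_timer_cancel(timer);` that cancelling first is what makes re-arming from inside the callback (a callback that sets the timer again) safe, since that is the other reason the order matters.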
