[Spice-devel] [PATCH] spice_timer_queue: fix access after free

Frediano Ziglio fziglio at redhat.com
Thu Sep 3 01:21:04 PDT 2015


Do not access the timer after we call the associated function.
Some of these callbacks can free the timer, making the pointer point
to freed data.
This happens, for instance, when the client is disconnecting.
This does not cause memory corruption on current allocator
implementations, as all freeing/accessing happens on a single thread quite
closely and allocators use different pools for different threads.

Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
---
 server/spice_timer_queue.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/server/spice_timer_queue.c b/server/spice_timer_queue.c
index d457845..300c8ac 100644
--- a/server/spice_timer_queue.c
+++ b/server/spice_timer_queue.c
@@ -261,8 +261,9 @@ void spice_timer_queue_cb(void)
         if (timer->expiry_time > now_ms) {
             break;
         } else {
-            timer->func(timer->opaque);
             spice_timer_cancel(timer);
+            timer->func(timer->opaque);
+// !!!! BUG accessing memory if callback free the timer
         }
     }
 }
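Review bot: the added `// !!!! BUG accessing memory if callback free the timer` line in this hunk reads as a leftover debugging marker and should be dropped before merge; after the reordering, `timer` is no longer dereferenced once `timer->func(timer->opaque)` has run, so the comment describes the bug being fixed rather than the code as it now stands, and it is also unindented relative to the block. If a comment is wanted, a C-style `/* the callback may free the timer; do not touch it after this call */` placed above the call, at the block's indentation, would document the invariant the commit message states.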
-- 
2.4.3