[Spice-devel] [PATCH] spice_timer_queue: fix access after free
Frediano Ziglio
fziglio at redhat.com
Thu Sep 3 01:22:46 PDT 2015
>
> Do not access the timer after we call the associated function.
> Some of these callbacks can free the timer, leaving the pointer pointing
> to freed data.
> This happens, for instance, when the client is disconnecting.
> This does not cause memory corruption on current allocator
> implementations, as all freeing/accessing happens on a single thread quite
> closely and allocators use different pools for different threads.
>
> Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
> ---
> server/spice_timer_queue.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/server/spice_timer_queue.c b/server/spice_timer_queue.c
> index d457845..300c8ac 100644
> --- a/server/spice_timer_queue.c
> +++ b/server/spice_timer_queue.c
> @@ -261,8 +261,9 @@ void spice_timer_queue_cb(void)
> if (timer->expiry_time > now_ms) {
> break;
> } else {
> - timer->func(timer->opaque);
> spice_timer_cancel(timer);
> + timer->func(timer->opaque);
> +// !!!! BUG accessing memory if callback free the timer
> }
> }
> }
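Review bot: the added line `+// !!!! BUG accessing memory if callback free the timer` is stale after this reorder: it sits where the bug used to be and now flags the fixed code as buggy, and it uses a `//` comment where the surrounding C uses none. Drop it, or replace it with a comment that documents the ordering constraint this hunk introduces, e.g. `/* cancel first: the callback may free the timer, so it must not be touched afterwards */` placed above `spice_timer_cancel(timer);`. The swap itself is the right fix for the use-after-free described in the commit message, since after `timer->func(timer->opaque);` the hunk no longer dereferences `timer`; it is worth confirming in the surrounding loop (not visible here) that the iteration step does not read `timer` either, otherwise the same access-after-free remains one line later.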
> --
> 2.4.3
>
>
Sorry, I forgot to update the code comment.
Frediano