[systemd-commits] 3 commits - src/libsystemd src/libsystemd-terminal

David Herrmann dvdhrm at kemper.freedesktop.org
Thu Aug 28 03:46:32 PDT 2014 

 src/libsystemd-terminal/idev-keyboard.c    |    1 +
 src/libsystemd-terminal/sysview-internal.h |    2 +-
 src/libsystemd-terminal/sysview.c          |    1 +
 src/libsystemd/sd-bus/sd-bus.c             |   12 +++++++++---
 4 files changed, 12 insertions(+), 4 deletions(-)

New commits:
commit d974ad0524942882f489914013d08ab16d147170
Author: David Herrmann <dh.herrmann at gmail.com>
Date:   Thu Aug 28 12:42:03 2014 +0200

    bus: fix use-after-free in slot-release
    
    We must not access slot->floating after we possible dropped the last
    reference to it. Fix all callback-invocations to first check
    slot->floating and possible disconnect the slot, then release the last
    reference.

diff --git a/src/libsystemd/sd-bus/sd-bus.c b/src/libsystemd/sd-bus/sd-bus.c
index a204d67..8caa404 100644
--- a/src/libsystemd/sd-bus/sd-bus.c
+++ b/src/libsystemd/sd-bus/sd-bus.c
@@ -2107,7 +2107,7 @@ static int process_timeout(sd_bus *bus) {
         r = c->callback(bus, m, slot->userdata, &error_buffer);
         bus->current_userdata = NULL;
         bus->current_handler = NULL;
-        bus->current_slot = sd_bus_slot_unref(slot);
+        bus->current_slot = NULL;
         bus->current_message = NULL;
 
         if (slot->floating) {
@@ -2115,6 +2115,8 @@ static int process_timeout(sd_bus *bus) {
                 sd_bus_slot_unref(slot);
         }
 
+        sd_bus_slot_unref(slot);
+
         return bus_maybe_reply_error(m, r, &error_buffer);
 }
 
@@ -2203,13 +2205,15 @@ static int process_reply(sd_bus *bus, sd_bus_message *m) {
         r = c->callback(bus, m, slot->userdata, &error_buffer);
         bus->current_userdata = NULL;
         bus->current_handler = NULL;
-        bus->current_slot = sd_bus_slot_unref(slot);
+        bus->current_slot = NULL;
 
         if (slot->floating) {
                 bus_slot_disconnect(slot);
                 sd_bus_slot_unref(slot);
         }
 
+        sd_bus_slot_unref(slot);
+
         return bus_maybe_reply_error(m, r, &error_buffer);
 }
 
@@ -2529,7 +2533,7 @@ static int process_closing(sd_bus *bus, sd_bus_message **ret) {
                 r = c->callback(bus, m, slot->userdata, &error_buffer);
                 bus->current_userdata = NULL;
                 bus->current_handler = NULL;
-                bus->current_slot = sd_bus_slot_unref(slot);
+                bus->current_slot = NULL;
                 bus->current_message = NULL;
 
                 if (slot->floating) {
@@ -2537,6 +2541,8 @@ static int process_closing(sd_bus *bus, sd_bus_message **ret) {
                         sd_bus_slot_unref(slot);
                 }
 
+                sd_bus_slot_unref(slot);
+
                 return bus_maybe_reply_error(m, r, &error_buffer);
         }
 

commit fa9838ddd62ea31f8aea99757916a16d76b31cbc
Author: David Herrmann <dh.herrmann at gmail.com>
Date:   Thu Aug 28 12:25:58 2014 +0200

    terminal: free sysview-device names on destruction
    
    Don't leak the device-names during device destruction in sysview. Somehow,
    the device-name is "const char*", so make it "char*" first to avoid
    warnings when calling free() on it.

diff --git a/src/libsystemd-terminal/sysview-internal.h b/src/libsystemd-terminal/sysview-internal.h
index 5aee9f6..9299fab 100644
--- a/src/libsystemd-terminal/sysview-internal.h
+++ b/src/libsystemd-terminal/sysview-internal.h
@@ -39,7 +39,7 @@
 
 struct sysview_device {
         sysview_seat *seat;
-        const char *name;
+        char *name;
         unsigned int type;
 
         union {
diff --git a/src/libsystemd-terminal/sysview.c b/src/libsystemd-terminal/sysview.c
index f5363de..bd345fa 100644
--- a/src/libsystemd-terminal/sysview.c
+++ b/src/libsystemd-terminal/sysview.c
@@ -98,6 +98,7 @@ sysview_device *sysview_device_free(sysview_device *device) {
                 break;
         }
 
+        free(device->name);
         free(device);
 
         return NULL;

commit 200716a628b70fe723e7d4e09bb2ece10c10bdc0
Author: David Herrmann <dh.herrmann at gmail.com>
Date:   Thu Aug 28 12:21:33 2014 +0200

    terminal: free xkb state on keyboard destruction
    
    Fix leaking the xkb-state during keyboard destruction, leaking lots of xkb
    references into the wild.

diff --git a/src/libsystemd-terminal/idev-keyboard.c b/src/libsystemd-terminal/idev-keyboard.c
index 7ab4db2..03f54bb 100644
--- a/src/libsystemd-terminal/idev-keyboard.c
+++ b/src/libsystemd-terminal/idev-keyboard.c
@@ -550,6 +550,7 @@ int idev_keyboard_new(idev_device **out, idev_session *s, const char *name) {
 static void keyboard_free(idev_device *d) {
         idev_keyboard *k = keyboard_from_device(d);
 
+        xkb_state_unref(k->xkb_state);
         free(k->repdata.keyboard.codepoints);
         free(k->repdata.keyboard.keysyms);
         free(k->evdata.keyboard.codepoints);

More information about the systemd-commits mailing list