From 190b6aad5ce340441ad86fe9566caee65b6208e1 Mon Sep 17 00:00:00 2001 From: Stef Walter Date: Fri, 11 Mar 2016 10:00:43 +0100 Subject: [PATCH] polkitagent: Fix access after dereference on hashtable If an authentication is going on while the agent listener is going away, then we access memory that has been freed. g_hash_table_lookup_node: assertion failed: (hash_table->ref_count > 0)' https://bugs.freedesktop.org/show_bug.cgi?id=94486 --- src/polkitagent/polkitagentlistener.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/polkitagent/polkitagentlistener.c b/src/polkitagent/polkitagentlistener.c index ccccd45..cb79b39 100644 --- a/src/polkitagent/polkitagentlistener.c +++ b/src/polkitagent/polkitagentlistener.c @@ -570,8 +570,8 @@ polkit_agent_register_listener (PolkitAgentListener *listener, typedef struct { - Server *server; gchar *cookie; + GHashTable *cookie_to_pending_auth; GDBusMethodInvocation *invocation; GCancellable *cancellable; } AuthData; @@ -582,6 +582,7 @@ auth_data_free (AuthData *data) g_free (data->cookie); g_object_unref (data->invocation); g_object_unref (data->cancellable); + g_hash_table_unref (data->cookie_to_pending_auth); g_free (data); } @@ -608,7 +609,7 @@ auth_cb (GObject *source_object, g_dbus_method_invocation_return_value (data->invocation, NULL); } - g_hash_table_remove (data->server->cookie_to_pending_auth, data->cookie); + g_hash_table_remove (data->cookie_to_pending_auth, data->cookie); auth_data_free (data); } @@ -669,7 +670,7 @@ auth_agent_handle_begin_authentication (Server *server, identities = g_list_reverse (identities); data = g_new0 (AuthData, 1); - data->server = server; + data->cookie_to_pending_auth = g_hash_table_ref (server->cookie_to_pending_auth); data->cookie = g_strdup (cookie); data->invocation = g_object_ref (invocation); data->cancellable = g_cancellable_new (); -- 2.5.0