libnm-glib: fix invalid memory access during property notification

If an NMObject listened to property change notifications from other NMObjects and then in response to that queued up other property changes of it's own, those would get added to the property change list that was being iterated through already. Each name in the change list is freed after being notified, but the change list itself is actually freed when all properties have been notified. So an object that queues up another change notification ends up in _nm_object_queue_notify() which iterates the change list where half of the data elements are already freed...
2024-07-23 11:14:29 +00:00 · 2010-06-30 11:51:40 -07:00 · 2010-06-30 11:51:40 -07:00 · 4eea398b06
parent 2412792cfd
commit 4eea398b06
1 changed files with 12 additions and 7 deletions
--- a/libnm-glib/nm-object.c
+++ b/libnm-glib/nm-object.c
@ -47,7 +47,7 @@ typedef struct {
 	NMObject *parent;

 	GSList *notify_props;
-	gulong notify_id;
+	guint32 notify_id;
 	gboolean disposed;
 } NMObjectPrivate;

@ -255,18 +255,23 @@ deferred_notify_cb (gpointer data)
 {
 	NMObject *object = NM_OBJECT (data);
 	NMObjectPrivate *priv = NM_OBJECT_GET_PRIVATE (object);
-	GSList *iter;
+	GSList *props, *iter;

 	priv->notify_id = 0;

-	priv->notify_props = g_slist_reverse (priv->notify_props);
-	for (iter = priv->notify_props; iter; iter = g_slist_next (iter)) {
+	/* Clear priv->notify_props early so that an NMObject subclass that
+	 * listens to property changes can queue up other property changes
+	 * during the g_object_notify() call separately from the property
+	 * list we're iterating.
+	 */
+	props = g_slist_reverse (priv->notify_props);
+	priv->notify_props = NULL;
+
+	for (iter = props; iter; iter = g_slist_next (iter)) {
 		g_object_notify (G_OBJECT (object), (const char *) iter->data);
 		g_free (iter->data);
 	}
-	g_slist_free (priv->notify_props);
-	priv->notify_props = NULL;
-
+	g_slist_free (props);
 	return FALSE;
 }