From: Simon McVittie Date: Thu, 20 Feb 2020 00:36:53 +0000 (+0000) Subject: bus: Don't explicitly clear BusConnections.monitors X-Git-Tag: dbus-1.13.14~12^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b034b83b;p=thirdparty%2Fdbus.git bus: Don't explicitly clear BusConnections.monitors Each connection that is an active monitor holds a pointer to its own link in this list, via BusConnectionData.link_in_monitors. We can't validly free the list while these pointers exist: that would be a use-after-free, when each connection gets disconnected and tries to remove itself from the list. Instead, let each connection remove itself from the list, then assert that the list has become empty. Signed-off-by: Simon McVittie Resolves: https://gitlab.freedesktop.org/dbus/dbus/issues/291 --- diff --git a/bus/connection.c b/bus/connection.c index b1b6bdd5b..add1c8b82 100644 --- a/bus/connection.c +++ b/bus/connection.c @@ -543,9 +543,6 @@ bus_connections_unref (BusConnections *connections) _dbus_assert (connections->n_incomplete == 0); - /* drop all monitors */ - _dbus_list_clear (&connections->monitors); - /* drop all real connections */ while (connections->completed != NULL) { @@ -561,6 +558,10 @@ bus_connections_unref (BusConnections *connections) _dbus_assert (connections->n_completed == 0); + /* disconnecting all the connections should have emptied the list of + * monitors (each link is removed in bus_connection_disconnected) */ + _dbus_assert (connections->monitors == NULL); + bus_expire_list_free (connections->pending_replies); _dbus_loop_remove_timeout (bus_context_get_loop (connections->context),
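Review bot: on the first hunk (`@@ -543,9 +543,6 @@`), dropping `_dbus_list_clear (&connections->monitors)` is the right fix because each active monitor keeps a pointer to its own link via `BusConnectionData.link_in_monitors`, so freeing the links here and then running the `while (connections->completed != NULL)` loop, in which each connection removes itself via `bus_connection_disconnected`, is the use-after-free described in the message; one thing worth stating in the commit message is that the fix relies on every monitor being a completed connection at this point, which the preceding `_dbus_assert (connections->n_incomplete == 0)` guarantees.

Review bot: on the second hunk (`@@ -561,6 +558,10 @@`), the new `_dbus_assert (connections->monitors == NULL)` correctly replaces the explicit clear, but the comment should also say what happens when it does not hold: if `_dbus_assert` is compiled out, a monitor link that was not removed in `bus_connection_disconnected` now leaks rather than being freed and later dereferenced, which is the safer failure mode but still indicates a logic error elsewhere. Suggested wording for the added comment: "if this fails, a monitor was not removed in bus_connection_disconnected and its link leaks".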