git.ipfire.org Git - thirdparty/systemd.git/commit

resolved: disable event sources before unreffing them

We generally operate on the assumption that a source is "gone" as soon
as we unref it. This is generally true because we have the only reference.
But if something else holds the reference, our unref doesn't really stop
the source and it could fire again.

In particular, on_query_timeout() is called with DnsQuery* as userdata, and
it calls dns_query_stop() which invalidates that pointer. If it was ever
called again, we'd be accessing already-freed memory.

I don't see what would hold the reference. sd-event takes a temporary reference,
but on the sd_event object, not on the individual sources. And our sources
are non-floating, so there is no reference from the sd_event object to the
sources.

For #18427.

author	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
	Mon, 1 Mar 2021 22:10:06 +0000 (23:10 +0100)
committer	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
	Mon, 1 Mar 2021 22:12:51 +0000 (23:12 +0100)
commit	97935302283729c9206b84f5e00b1aff0f78ad19
tree	8ed7489e5a8aef4ecfcacc5d7f61cabf77b3d07c	tree \| snapshot
parent	f2ec080ef2763b691f8346121ce92cdcb05b150c	commit \| diff

src/resolve/resolved-dns-query.c		diff \| blob \| blame \| history
src/resolve/resolved-dns-scope.c		diff \| blob \| blame \| history
src/resolve/resolved-dns-stream.c		diff \| blob \| blame \| history
src/resolve/resolved-dns-stub.c		diff \| blob \| blame \| history
src/resolve/resolved-dns-transaction.c		diff \| blob \| blame \| history
src/resolve/resolved-llmnr.c		diff \| blob \| blame \| history
src/resolve/resolved-manager.c		diff \| blob \| blame \| history
src/resolve/resolved-mdns.c		diff \| blob \| blame \| history
src/resolve/resolved-socket-graveyard.c		diff \| blob \| blame \| history