sssd/0007-sbus-maintain-correct-refcount-before-sending-a-repl.patch
2021-11-01 19:10:28 +01:00


From 8db2485cd28e0af74bd008251ba49b6d6e3a73a6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Wed, 29 Sep 2021 12:11:08 +0200
Subject: [PATCH 08/17] sbus: maintain correct refcount before sending a reply

sbus_reply decreases the refcount of @reply. This usually means that
the refcount drops to zero and the message is freed. However, under
special circumstances the refcount is increased inside libdbus; the
refcount will be 1 when we leave the function and we drop it to zero
in talloc_free(state) later in this function. This will leave an
invalid message to be sent inside the dbus connection and eventually
crash.

Increasing the refcount here makes sure that the refcount is always
correct.

Resolves: https://github.com/SSSD/sssd/issues/5672

Reviewed-by: Pawel Polawski <ppolawsk@redhat.com>
---
src/sbus/router/sbus_router_handler.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/src/sbus/router/sbus_router_handler.c b/src/sbus/router/sbus_router_handler.c
index d9a374b41411d7e4451c2d84d3ab1589e256a29a..7b6c2441f16af20b6d4fa27ae17225756a9d387a 100644
--- a/src/sbus/router/sbus_router_handler.c
+++ b/src/sbus/router/sbus_router_handler.c
@@ -160,6 +160,17 @@ static void sbus_issue_request_done(struct tevent_req *subreq)
}
if (ret == EOK) {
+ /* sbus_reply decreases the refcount of @reply. This usuall means that
+ * refcount drops to zero and the message is freed. However, under
+ * special circumstances the refcount is increased inside libdbus,
+ * the refcount will be 1 when we leave the function and we drop it
+ * to zero in talloc_free(state) later in this function. This will
+ * leave an invalid message to be send inside dbus connection and
+ * eventually crash.
+ *
+ * Increasing the refcount here makes sure that the refcount is always
+ * correct. */
+ dbus_message_ref(reply);
sbus_reply(state->conn, reply);
} else {
sbus_errno_to_error(state, ret, &error_name, &error_msg);
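Review bot: the new comment block above `dbus_message_ref(reply);` repeats the commit message verbatim, typos included ("usuall", "to be send"), and describes the symptom rather than the ownership rule; fix the spelling and state plainly which reference each unref consumes, e.g. "dbus_message_ref() balances the unref inside sbus_reply(); the original reference is released by talloc_free(state)", so the next reader can verify the count without reproducing the crash. Since the ref is taken only in the `ret == EOK` branch, please also confirm that the error reply built in the `else` branch via `sbus_errno_to_error()` (the rest of that path is outside this hunk) follows the same pairing if it is sent through `sbus_reply()`; otherwise the error path keeps the unbalanced count this patch fixes for the success path. A regression test that drives the libdbus extra-ref case mentioned in the message and asserts the message is still valid at `talloc_free(state)` would pin the fix down.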
--
2.31.1