From 3215508293c26e9e8531c2482def598ef1bbbefd Mon Sep 17 00:00:00 2001
From: Thomas Haller <thaller@redhat.com>
Date: Sun, 23 Apr 2017 19:14:19 +0200
Subject: [PATCH] policy: fix memleak in lookup_callback() and cancelling

When the operation is cancelled, we must not touch user_data. Note that
NM_POLICY_GET_PRIVATE() theoretically doesn't dereference the pointer
(does it?) but doing pointer arithmetic on a dangling pointer is a very
ugly thing to do.

And of course, the memleak.

Fixes: 5c716c8af8ddca1d3f7510494754d875b01a8889
Fixes: a2cdf632045d60b26f7aff470dedb56c1f9b938d
---
 src/nm-policy.c | 24 +++++++++++-------------
 1 file changed, 11 insertions(+), 13 deletions(-)

diff --git a/src/nm-policy.c b/src/nm-policy.c
index f82260f97f..7c74a6b412 100644
--- a/src/nm-policy.c
+++ b/src/nm-policy.c
@@ -560,26 +560,24 @@ lookup_callback (GObject *source,
                  GAsyncResult *result,
                  gpointer user_data)
 {
-	NMPolicy *self = (NMPolicy *) user_data;
-	NMPolicyPrivate *priv = NM_POLICY_GET_PRIVATE (self);
-	const char *hostname;
-	GError *error = NULL;
+	NMPolicy *self;
+	NMPolicyPrivate *priv;
+	gs_free char *hostname = NULL;
+	gs_free_error GError *error = NULL;
 
 	hostname = g_resolver_lookup_by_address_finish (G_RESOLVER (source), result, &error);
-	if (g_error_matches (error, G_IO_ERROR, G_IO_ERROR_CANCELLED)) {
-		/* Don't touch policy; it may have been freed already */
-		g_error_free (error);
+	if (g_error_matches (error, G_IO_ERROR, G_IO_ERROR_CANCELLED))
 		return;
-	}
+
+	self = user_data;
+	priv = NM_POLICY_GET_PRIVATE (self);
+
+	g_clear_object (&priv->lookup_cancellable);
 
 	if (hostname)
 		_set_hostname (self, hostname, "from address lookup");
-	else {
+	else
 		_set_hostname (self, NULL, error->message);
-		g_error_free (error);
-	}
-
-	g_clear_object (&priv->lookup_cancellable);
 }
 
 static void