From d2c386a2bc82a7e9677f94439ce8976a887ae3ff Mon Sep 17 00:00:00 2001
From: Dan Williams
Date: Wed, 30 Jun 2010 11:51:40 -0700
Subject: [PATCH] libnm-glib: fix invalid memory access during property notification

If an NMObject listened to property change notifications from other NMObjects and then in response to that queued up other property changes of it's own, those would get added to the property change list that was being iterated through already. Each name in the change list is freed after being notified, but the change list itself is actually freed when all properties have been notified. So an object that queues up another change notification ends up in _nm_object_queue_notify() which iterates the change list where half of the data elements are already freed...
---
 libnm-glib/nm-object.c | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/libnm-glib/nm-object.c b/libnm-glib/nm-object.c
index 94bda26e56..72ea05005e 100644
--- a/libnm-glib/nm-object.c
+++ b/libnm-glib/nm-object.c
@@ -47,7 +47,7 @@ typedef struct {
 NMObject *parent;
 GSList *notify_props;
- gulong notify_id;
+ guint32 notify_id;
 gboolean disposed;
 } NMObjectPrivate;
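Review bot: `guint32 notify_id;` fixes the width mismatch of the old `gulong`, but the GLib calls that produce and consume main-loop source IDs, g_idle_add() and g_source_remove(), are declared in terms of `guint`, so `guint notify_id;` would document the field's purpose directly and need no implicit conversion at those call sites. The assignment to notify_id is not visible in this diff, so this is a point of style rather than a defect; on the platforms GLib targets `guint32` and `guint` are the same width as far as I can tell.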
@@ -255,18 +255,23 @@ deferred_notify_cb (gpointer data)
 {
 NMObject *object = NM_OBJECT (data);
 NMObjectPrivate *priv = NM_OBJECT_GET_PRIVATE (object);
- GSList *iter;
+ GSList *props, *iter;
 priv->notify_id = 0;
- priv->notify_props = g_slist_reverse (priv->notify_props);
- for (iter = priv->notify_props; iter; iter = g_slist_next (iter)) {
+ /* Clear priv->notify_props early so that an NMObject subclass that
+ * listens to property changes can queue up other property changes
+ * during the g_object_notify() call separately from the property
+ * list we're iterating.
+ */
+ props = g_slist_reverse (priv->notify_props);
+ priv->notify_props = NULL;
+
+ for (iter = props; iter; iter = g_slist_next (iter)) {
 g_object_notify (G_OBJECT (object), (const char *) iter->data);
 g_free (iter->data);
 }
- g_slist_free (priv->notify_props);
- priv->notify_props = NULL;
-
+ g_slist_free (props);
 return FALSE;
 }
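Review bot: Detaching the list into the local `props` before the loop closes the use-after-free the commit describes, but the loop still passes `object` to g_object_notify() on every iteration without holding a reference of its own, so if a notify handler drops the last reference to `object` mid-loop the next iteration operates on a finalized instance. Unless the idle source that schedules deferred_notify_cb already keeps a reference (not visible in this hunk), bracketing the emission with `g_object_ref (object);` before the `for` and `g_object_unref (object);` after `g_slist_free (props);` would make the callback safe against that re-entrancy as well. The comment in the hunk explains why priv->notify_props is cleared early; a one-line follow-up such as `/* Changes queued by handlers land in priv->notify_props and are delivered by a later idle callback. */` would tell the next reader what happens to those re-queued names. The function's signature line is outside the hunk, which begins at its opening brace.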