From efb9e2bc6b354d189da34fab07e79db1bf162cb1 Mon Sep 17 00:00:00 2001 From: Thomas Haller Date: Wed, 3 Oct 2018 15:41:29 +0200 Subject: [PATCH] ndisc: keep NMNDisc instance alive while processing IO in event_ready() event_ready() calls ndp_callall_eventfd_handler(), which invokes our own callback, which may invoke change notification. At that point, it's not guaranteed that the signal handler won't destroy the ndisc instance, which means, the "struct ndp" gets destroyed while invoking callbacks. That's bad, because libndp is not robust against that. Ensure the object stays alive long enough. (cherry picked from commit 9aa628cedb707e9c4f0e0dba437ec22375a0032e) --- src/ndisc/nm-lndp-ndisc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/ndisc/nm-lndp-ndisc.c b/src/ndisc/nm-lndp-ndisc.c index c0a0cd4096..8d237e86c7 100644 --- a/src/ndisc/nm-lndp-ndisc.c +++ b/src/ndisc/nm-lndp-ndisc.c @@ -491,6 +491,7 @@ receive_rs (struct ndp *ndp, struct ndp_msg *msg, gpointer user_data) static gboolean event_ready (GIOChannel *source, GIOCondition condition, NMNDisc *ndisc) { + gs_unref_object NMNDisc *ndisc_keep_alive = g_object_ref (ndisc); nm_auto_pop_netns NMPNetns *netns = NULL; NMLndpNDiscPrivate *priv = NM_LNDP_NDISC_GET_PRIVATE ((NMLndpNDisc *) ndisc);