From f6b4ab7d3b86739198ab73db180aed01dfb1c65b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ji=C5=99=C3=AD=20Klime=C5=A1?= <jklimes@redhat.com>
Date: Thu, 28 Aug 2014 09:10:37 +0200
Subject: [PATCH] settings: fix a crash in emit_updated() accessing invalid
 pointer

by disconnecting signal handlers in dispose().

Commit 6a19e68a moved nm_connection_clear_secrets() from plugins' finalize() to
NMSettingsConnection's dispose(). But clearing secrets emits "changed" signal
which cause changed_cb() to be called and emit_updated() scheduled. And
emit_updated() was called later after finalize() on released object.

The crash can be invoked by having two keyfile connection files with the same
uuid in them.

Backtrace:
 (NetworkManager:12262): GLib-GObject-WARNING **: attempt to retrieve private data for invalid type 'NMSettingsConnection'
 Program received signal SIGSEGV, Segmentation fault.
 emit_updated (self=0xf38dd0 [NMSettingConnection]) at settings/nm-settings-connection.c:401
 401		NM_SETTINGS_CONNECTION_GET_PRIVATE (self)->updated_idle_id = 0;
 (gdb) bt
 #0  emit_updated (self=0xf38dd0 [NMSettingConnection]) at settings/nm-settings-connection.c:401
 #1  0x0000003c49647825 in g_main_dispatch (context=0x785970) at gmain.c:2539
 #2  g_main_context_dispatch (context=context@entry=0x785970) at gmain.c:3075
 #3  0x0000003c49647b58 in g_main_context_iterate (context=0x785970, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3146
 #4  0x0000003c49647f52 in g_main_loop_run (loop=0x7857c0) at gmain.c:3340
 #5  0x000000000042d4e9 in main (argc=1, argv=0x7fffffffe508) at main.c:679
---
 src/settings/nm-settings-connection.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/settings/nm-settings-connection.c b/src/settings/nm-settings-connection.c
index 3a2b5ac20e..c534461959 100644
--- a/src/settings/nm-settings-connection.c
+++ b/src/settings/nm-settings-connection.c
@@ -2044,6 +2044,13 @@ dispose (GObject *object)
 		priv->updated_idle_id = 0;
 	}
 
+	/* Disconnect handlers.
+	 * changed_cb() has to be disconnected *before* nm_connection_clear_secrets(),
+	 * because nm_connection_clear_secrets() emits NM_CONNECTION_CHANGED signal.
+	 */
+	g_signal_handlers_disconnect_by_func (self, G_CALLBACK (secrets_cleared_cb), NULL);
+	g_signal_handlers_disconnect_by_func (self, G_CALLBACK (changed_cb), GUINT_TO_POINTER (TRUE));
+
 	nm_connection_clear_secrets (NM_CONNECTION (self));
 	g_clear_object (&priv->system_secrets);
 	g_clear_object (&priv->agent_secrets);