Possible free-memory-read of "name" string in name_vanished_handler callback
Submitted by Charles Kerr
Link to original bug (#696731)
Description
Created attachment 239988: One possible fix: in actually_do_call(), wrap the callbacks in client_ref(), client_unref()
g_bus_watch_name()'s name_vanished_callback includes a 'name' string in its argument list.
If client code implementing that callback includes a call to g_bus_unwatch_name(), gdbusnamewatching.c calls client_unref() which frees that 'name' string, meaning that any subsequent use of it in the client code's name_vanished_callback is a free-memory-read error.
One possible fix is to add client_ref() to the beginning of gdbusnamewatching.c's actually_do_call() and a balancing client_unref() to its end. I've tested this and it works.
Patch 239988, "One possible fix: in actually_do_call(), wrap the callbacks in client_ref(), client_unref()":
actually_do_call_ref.diff
Version: 2.36.x
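The lifetime problem the report describes, reduced to a self-contained model. This is added example code, not GLib's gdbusnamewatching.c and not the reporter's patch: Client, client_ref(), client_unref(), watch_name(), unwatch_name(), the two actually_do_call variants, on_vanished(), Ctx, run_scenario() and the name "org.example.Service" are assumed simplifications that keep only the refcount and the owned 'name' string. Instead of returning freed memory to malloc, the model poisons the name and parks the object in a quarantine list, so the free-memory-read shows up deterministically as a corrupted string rather than as undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed model of the watcher's Client object: refcounted, owns 'name'. */
typedef void (*VanishedCb)(const char *name, void *user_data);

typedef struct Client {
    int ref_count;
    unsigned id;
    char *name;                 /* owned; released when ref_count reaches zero */
    VanishedCb name_vanished;
    void *user_data;
    struct Client *next_dead;   /* quarantine link, see client_unref() */
} Client;

/* Single-slot "watch table": the model watches one name at a time. */
static Client *watched = NULL;
static unsigned next_id = 1;

/* Released objects are poisoned and quarantined instead of freed, so a stale
 * read of 'name' is observable without dereferencing freed memory. */
static Client *quarantine = NULL;

static Client *client_ref(Client *c) { c->ref_count++; return c; }

static void client_unref(Client *c) {
    if (--c->ref_count > 0) return;
    memset(c->name, '#', strlen(c->name));   /* poison: stands in for freed contents */
    c->next_dead = quarantine;
    quarantine = c;
}

static void drain_quarantine(void) {
    while (quarantine) {
        Client *c = quarantine;
        quarantine = c->next_dead;
        free(c->name);
        free(c);
    }
}

static unsigned watch_name(const char *name, VanishedCb cb, void *user_data) {
    Client *c = calloc(1, sizeof *c);
    c->ref_count = 1;                        /* the watch table's reference */
    c->id = next_id++;
    c->name = malloc(strlen(name) + 1);
    strcpy(c->name, name);
    c->name_vanished = cb;
    c->user_data = user_data;
    watched = c;
    return c->id;
}

static void unwatch_name(unsigned id) {
    if (watched && watched->id == id) {
        Client *c = watched;
        watched = NULL;
        client_unref(c);                     /* drops the table's reference; may release c */
    }
}

/* Pre-fix dispatch: the callback runs with no reference held by the caller. */
static void actually_do_call_unsafe(Client *c) {
    c->name_vanished(c->name, c->user_data);
}

/* The report's fix: hold a reference for the duration of the callback. */
static void actually_do_call_fixed(Client *c) {
    client_ref(c);
    c->name_vanished(c->name, c->user_data);
    client_unref(c);
}

/* Client-side state: the watch id to cancel, and what 'name' looked like afterwards. */
typedef struct { unsigned id; char seen[64]; } Ctx;

static void on_vanished(const char *name, void *user_data) {
    Ctx *ctx = user_data;
    unwatch_name(ctx->id);                                 /* the triggering pattern */
    snprintf(ctx->seen, sizeof ctx->seen, "%s", name);     /* subsequent use of 'name' */
}

/* Returns 1 if the callback saw the intact name after unwatching, 0 if it saw poisoned memory. */
int run_scenario(int use_fix) {
    Ctx ctx = { 0, "" };
    ctx.id = watch_name("org.example.Service", on_vanished, &ctx);
    Client *c = watched;
    if (use_fix) actually_do_call_fixed(c); else actually_do_call_unsafe(c);
    int intact = strcmp(ctx.seen, "org.example.Service") == 0;
    drain_quarantine();
    return intact;
}

int main(void) {
    printf("unsafe dispatch: name %s\n", run_scenario(0) ? "intact" : "already released");
    printf("fixed dispatch:  name %s\n", run_scenario(1) ? "intact" : "already released");
    return 0;
}
```

In the unsafe path the callback's unwatch_name() drops the last reference before the callback returns, so the 'name' argument it is still holding points at released storage. With the reference taken around the callback, the unwatch only lowers the count to one and the object is released after the callback returns, which is the ordering the attached patch establishes.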