URL: https://github.com/SSSD/sssd/pull/5828
Author: pbrezina
Title: #5828: sbus: maintain correct refcount before sending a reply
Action: opened

PR body:
"""
`sbus_reply` decreases the refcount of `@reply`. This usually means that
refcount drops to zero and the message is freed. However, under
special circumstances the refcount is increased inside libdbus,
the refcount will be 1 when we leave the function and we drop it
to zero in `talloc_free(state)` later in this function. This will
leave an invalid message to be sent inside dbus connection and
eventually crash.

Increasing the refcount here makes sure that the refcount is always
correct.

Resolves: https://github.com/SSSD/sssd/issues/5672
"""

To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/5828/head:pr5828
git checkout pr5828
From 42afe9b0b6ace3249d8021e077216d46c47dc728 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Wed, 29 Sep 2021 12:11:08 +0200
Subject: [PATCH] sbus: maintain correct refcount before sending a reply

sbus_reply decreases the refcount of @reply. This usually means that
refcount drops to zero and the message is freed. However, under
special circumstances the refcount is increased inside libdbus,
the refcount will be 1 when we leave the function and we drop it
to zero in talloc_free(state) later in this function. This will
leave an invalid message to be sent inside dbus connection and
eventually crash.

Increasing the refcount here makes sure that the refcount is always
correct.

Resolves: https://github.com/SSSD/sssd/issues/5672
---
 src/sbus/router/sbus_router_handler.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/sbus/router/sbus_router_handler.c b/src/sbus/router/sbus_router_handler.c
index d9a374b414..7b6c2441f1 100644
--- a/src/sbus/router/sbus_router_handler.c
+++ b/src/sbus/router/sbus_router_handler.c
@@ -160,6 +160,17 @@ static void sbus_issue_request_done(struct tevent_req *subreq)
     }
 
     if (ret == EOK) {
+        /* sbus_reply decreases the refcount of @reply. This usuall means that
+         * refcount drops to zero and the message is freed. However, under
+         * special circumstances the refcount is increased inside libdbus,
+         * the refcount will be 1 when we leave the function and we drop it
+         * to zero in talloc_free(state) later in this function. This will
+         * leave an invalid message to be send inside dbus connection and
+         * eventually crash.
+         *
+         * Increasing the refcount here makes sure that the refcount is always
+         * correct. */
+        dbus_message_ref(reply);
         sbus_reply(state->conn, reply);
     } else {
         sbus_errno_to_error(state, ret, &error_name, &error_msg);
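Review bot: the comment above `dbus_message_ref(reply)` leaves the ownership of the new reference implicit: it names "special circumstances" inside libdbus without saying what they are, and it does not state which call releases the reference taken here. Please spell out the pairing in the comment (one reference consumed by `sbus_reply`, one released by `talloc_free(state)`) and name the libdbus condition that holds the extra reference, so that a later change to either release path does not turn this into a leak or bring back the use of a freed message. The comment also repeats the commit message word for word, typos included ("usuall", "to be send"); a shorter comment that states the ownership rule and points to issue 5672 would be easier to maintain.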