secret-file-backend: Fix use-after-free in flatpakwip/mcrha/flatpak-use-after-free-fix

The on_portal_retrieve_secret() can connect a GCancellable, but it doesn't disconnect from it (only when the cancellable is cancelled), which means when the cancellable is cancelled later, when the GTask is gone, the callback is called with already freed data.
author: Milan Crha <mcrha@redhat.com> 2020-03-19 09:24:52 +0100
committer: Milan Crha <mcrha@redhat.com> 2020-03-19 09:24:52 +0100
commit: 523fe32b65f1561352986f186f3cd0eb4698a8b3 (patch)
tree: 0c29e869a7310008e90c01e68eda4939738cd0e9
parent: eb4f967e9f18d5e2fa18f00d863d9193e1f0aa7d (diff)
download: libsecret-523fe32b65f1561352986f186f3cd0eb4698a8b3.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/libsecret/secret-file-backend.c b/libsecret/secret-file-backend.c
index e69c319..649ef0d 100644
--- a/libsecret/secret-file-backend.c
+++ b/libsecret/secret-file-backend.c
@@ -231,6 +231,11 @@ on_portal_response (GDBusConnection *connection,
 	InitClosure *init = g_task_get_task_data (task);
 	guint32 response;
 
+	if (init->cancellable_signal_id) {
+		g_cancellable_disconnect (g_task_get_cancellable (task), init->cancellable_signal_id);
+		init->cancellable_signal_id = 0;
+	}
+
 	g_dbus_connection_signal_unsubscribe (connection,
 					      init->portal_signal_id);
 
@@ -303,6 +308,7 @@ on_portal_cancel (GCancellable *cancellable,
 				task);
 
 	g_cancellable_disconnect (cancellable, init->cancellable_signal_id);
+	init->cancellable_signal_id = 0;
 }
 
 static void
author	Milan Crha <mcrha@redhat.com>	2020-03-19 09:24:52 +0100
committer	Milan Crha <mcrha@redhat.com>	2020-03-19 09:24:52 +0100
commit	523fe32b65f1561352986f186f3cd0eb4698a8b3 (patch)
tree	0c29e869a7310008e90c01e68eda4939738cd0e9
parent	eb4f967e9f18d5e2fa18f00d863d9193e1f0aa7d (diff)
download	libsecret-523fe32b65f1561352986f186f3cd0eb4698a8b3.tar.gz