diff options
| author | Youness Alaoui <kakaroto@kakaroto.homelinux.net> | 2014-06-17 21:02:45 -0400 |
|---|---|---|
| committer | Youness Alaoui <youness.alaoui@collabora.co.uk> | 2014-07-22 20:45:34 -0400 |
| commit | 287f8a8be697c59acf9700df78eb5070c93d151a (patch) | |
| tree | bf2ba0970635c27b42507de1eb09b182ef3e8a0b /agent/agent.c | |
| parent | d420b495fe62abd85f2d811b8546d2654ae77a16 (diff) | |
| download | libnice-287f8a8be697c59acf9700df78eb5070c93d151a.tar.gz | |
Do not access component if it was destroyed when calling the io callback
When calling component_emit_io_callback, the agent mutex will be unlocked before
the callback is called, this can cause another thread to remove the
stream and thus destroying the component. We must verify that the
source was not destroyed after calling component_emit_io_callback
and avoid accessing the component in that case.
Bug report by Stephan Thamm in the mailing list.
Diffstat (limited to 'agent/agent.c')
| -rw-r--r-- | agent/agent.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/agent/agent.c b/agent/agent.c index 8bcb828..a9c4e78 100644 --- a/agent/agent.c +++ b/agent/agent.c @@ -4619,6 +4619,10 @@ component_io_cb (GSocket *gsocket, GIOCondition condition, gpointer user_data) if (retval == RECV_SUCCESS && local_message.length > 0) component_emit_io_callback (component, local_buf, local_message.length); + if (g_source_is_destroyed (g_main_current_source ())) { + nice_debug ("Component IO source disappeared during the callback"); + goto out; + } has_io_callback = component_has_io_callback (component); } } else if (component->recv_messages != NULL) { @@ -4670,6 +4674,11 @@ done: g_object_unref (agent); return !remove_source; + +out: + g_object_unref (agent); + agent_unlock_and_emit (agent); + return G_SOURCE_REMOVE; } NICEAPI_EXPORT gboolean |