author | Frediano Ziglio <fziglio@redhat.com> | 2015-09-03 10:25:13 +0100 |
---|---|---|
committer | Frediano Ziglio <fziglio@redhat.com> | 2015-09-03 10:25:13 +0100 |
commit | 83f507db4bef97507feb92d8edcbbe12881de435 (patch) | |
tree | 662a502488a229224c06c1868c8e526eb14e5c44 | |
parent | 2a09a5fa36763214fd0f03f57528eba9a878039f (diff) |
spice_timer_queue: fix access after free
Do not access the timer after we call the associated function.
Some of these callbacks can call spice_timer_remove, making the pointer
point to freed data.
This happens for instance when the client is disconnecting.
This does not cause memory corruption on current allocator
implementations as all freeing/accessing happens on a single thread quite
closely and allocators use different pools for different threads.
Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
-rw-r--r-- | server/spice_timer_queue.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/server/spice_timer_queue.c b/server/spice_timer_queue.c index d457845..c4f2f6e 100644 --- a/server/spice_timer_queue.c +++ b/server/spice_timer_queue.c @@ -261,8 +261,13 @@ void spice_timer_queue_cb(void) if (timer->expiry_time > now_ms) { break; } else { - timer->func(timer->opaque); + /* Remove active timer before calling the timer function. + * Timer function could delete the timer making the timer + * pointer point to freed data. + */ spice_timer_cancel(timer); + timer->func(timer->opaque); + /* timer could now be invalid ! */ } } } |
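Review bot: the hunk does not show how the enclosing loop advances to the next timer, and with `timer->func(timer->opaque)` now last in the body and the comment "timer could now be invalid !" admitting the pointer may be freed, the use-after-free is only closed if the loop head does not touch `timer` afterwards; please confirm the loop re-reads the list head on each iteration (safe, since `spice_timer_cancel(timer)` has already unlinked it) rather than stepping from `timer`. Also, swapping the order from func-then-cancel to cancel-then-func changes behaviour for a callback that re-arms its own timer: before, the trailing cancel silently discarded such a re-arm; now it survives. That is the better behaviour, but it deserves a sentence in the commit message. Minor: the comment "timer could now be invalid !" would read better as "timer may have been freed by the callback; do not touch it after this point".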