spice_timer_queue: fix access after free

Do not access the timer after we call the associated function.
Some of these callbacks can call spice_timer_remove, making the pointer
point to freed data.
This happens for instance when the client is disconnecting.
This does not cause memory corruption on current allocator
implementations as all freeing/accessing happens on a single thread quite
closely and allocators use different pools for different threads.

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Christophe Fergeau <cfergeau@redhat.com>
Frediano Ziglio 2015-09-03 10:25:13 +01:00
parent 2a09a5fa36
commit 83f507db4b


@ -261,8 +261,13 @@ void spice_timer_queue_cb(void)
if (timer->expiry_time > now_ms) {
break;
} else {
timer->func(timer->opaque);
/* Remove active timer before calling the timer function.
* Timer function could delete the timer making the timer
* pointer point to freed data.
*/
spice_timer_cancel(timer);
timer->func(timer->opaque);
/* timer could now be invalid ! */
}
}
}
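Review bot: the fix only holds if the enclosing loop's advance step (outside this hunk) does not dereference `timer` either; after `timer->func(timer->opaque);` the pointer may already be freed, so the next iteration must re-read the head of the active queue (or a `next` pointer saved before the callback) rather than `timer->next`. Worth confirming in the surrounding code and, if so, saying so in the comment next to `/* timer could now be invalid ! */`. Moving `spice_timer_cancel(timer);` ahead of the callback also changes behaviour for callbacks that re-arm their own timer: the re-arm is now preserved instead of being cancelled afterwards, which is the right ordering but deserves a line in the comment so it is not "fixed" back later.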