Adrian Szyndela authored
The overall problem here is that DBusCounter is indirectly linked to a DBusConnection, but is not actually guaranteed to be protected by that connection's mutex; and a DBusMessage can carry a reference to the DBusCounter, resulting in freeing that DBusMessage having an effect on the DBusCounter.

Making the refcount atomic would not be a sufficient fix, since it would not protect the notify function: _dbus_counter_notify() could be called indirectly by dbus_message_unref(), in an arbitrary thread that does not hold the DBusConnection's lock, at the same time that the holder of the DBusConnection lock calls _dbus_transport_set_max_message_size().

[smcv: added commit message]

Bug: https://bugs.freedesktop.org/show_bug.cgi?id=89297
Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
bbef8e40
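
The locking problem the commit message describes, as an added C example that is not libdbus code and not the commit's actual change: a counter that carries its own mutex, so the release path and the setter path serialize on the counter itself instead of relying on a connection lock the releasing thread may not hold. All names (`counter_t`, `counter_set_notify`, `counter_adjust`, `counter_notify`, `bump`) and the threshold semantics are assumptions made for illustration.

```c
/* Added example: hypothetical names, not libdbus code. */
#include <pthread.h>
#include <stddef.h>
typedef void (*notify_fn)(void *data);
typedef struct {
    pthread_mutex_t lock;  /* the counter's own lock, not the connection's */
    long value, guard;
    int pending;           /* a threshold crossing awaits notification */
    notify_fn notify;
    void *data;
} counter_t;
void counter_init(counter_t *c) {
    pthread_mutex_init(&c->lock, NULL);
    c->value = c->guard = 0; c->pending = 0; c->notify = NULL; c->data = NULL;
}
/* Setter path: in the commit message, run by the connection-lock holder. */
void counter_set_notify(counter_t *c, long guard, notify_fn fn, void *data) {
    pthread_mutex_lock(&c->lock);
    c->guard = guard; c->notify = fn; c->data = data; c->pending = 0;
    pthread_mutex_unlock(&c->lock);
}
/* Release path: may run in any thread, e.g. when a message is freed. */
void counter_adjust(counter_t *c, long delta) {
    pthread_mutex_lock(&c->lock);
    long old = c->value;
    c->value += delta;
    if ((old < c->guard) != (c->value < c->guard)) c->pending = 1;
    pthread_mutex_unlock(&c->lock);
}
/* Snapshot callback and data together under the lock, call it outside. */
int counter_notify(counter_t *c) {
    pthread_mutex_lock(&c->lock);
    notify_fn fn = c->pending ? c->notify : NULL;
    void *data = c->data;
    c->pending = 0;
    pthread_mutex_unlock(&c->lock);
    if (fn) fn(data);
    return fn != NULL;
}
/* Constructed sample callback: counts invocations. */
void bump(void *data) { ++*(int *)data; }

int main(void) {
    counter_t c; int hits = 0;
    counter_init(&c);
    counter_set_notify(&c, 100, bump, &hits);
    counter_adjust(&c, 150);          /* crosses the guard value */
    return (counter_notify(&c) && hits == 1) ? 0 : 1;
}
```

The callback runs after the lock is dropped, so whoever registers it still has to keep its data argument alive until no notification can be in flight.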