Possible Race condition in dbus_timeout_handle
Submitted by bal..@..il.com
Assigned to D-Bus Maintainers
Hi all, We are using libdbus for our IPC. We have implemented the main loop thread, which calls dbus_connection_dispatch() when the dispatch status has changed and dbus_watch_handle() when any event has occurred. We have registered callback functions for add_timeout, remove_timeout and toggle_timeout. I have observed one race condition which is a bit hard to reproduce.
Thread 1 [application thread]: calls dbus_connection_send_with_reply_and_block(); the timeout is set to 10 seconds.
Thread 2 [main loop]: select() // waiting for reply on the fd
Thread 3 [Alarm expired callback]: call dbus_timeout_handle(dbus_time_out);
When the timeout has expired, remove_timeout was called by dbus_connection_send_with_reply_and_block(); at the same time the alarm callback is fired, which calls dbus_timeout_handle(). Since the DBusTimeout is freed by dbus_connection_send_with_reply_and_block(), calling dbus_timeout_handle() with the freed timeout handle corrupts the heap.
Kindly let me know your suggestion.
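One way a main-loop integration can close this window, as an added example that is not from the reporter or from libdbus: keep the set of live DBusTimeout pointers in a table guarded by a recursive mutex, have the remove_timeout callback clear the entry under that lock, and have the alarm thread look the pointer up under the same lock before it calls dbus_timeout_handle(). The DBusTimeout struct and dbus_timeout_handle() below are stand-ins so the code runs without libdbus; the mutex is recursive because libdbus may invoke remove_timeout from inside the handler on the same thread.

```c
#define _XOPEN_SOURCE 700   /* PTHREAD_MUTEX_RECURSIVE */
#include <pthread.h>
/* Stand-ins (hypothetical) for libdbus's opaque DBusTimeout and
 * dbus_timeout_handle(); the stub can call our remove_timeout callback from
 * inside the handler, as libdbus may, which is why the mutex is recursive. */
typedef struct { int fired; int self_remove; } DBusTimeout;
static void registry_remove(DBusTimeout *t);
static int dbus_timeout_handle(DBusTimeout *t) {
    t->fired++;
    if (t->self_remove) registry_remove(t);
    return 1;
}
#define MAX_TIMEOUTS 16
static DBusTimeout *live[MAX_TIMEOUTS];   /* timeouts libdbus still owns */
static pthread_mutex_t lock;
static void registry_init(void) {
    pthread_mutexattr_t a;
    pthread_mutexattr_init(&a);
    pthread_mutexattr_settype(&a, PTHREAD_MUTEX_RECURSIVE);
    pthread_mutex_init(&lock, &a);
}
/* add_timeout callback: record the pointer; returns 0 if the table is full. */
static int registry_add(DBusTimeout *t) {
    int ok = 0;
    pthread_mutex_lock(&lock);
    for (int i = 0; i < MAX_TIMEOUTS && !ok; i++)
        if (!live[i]) { live[i] = t; ok = 1; }
    pthread_mutex_unlock(&lock);
    return ok;
}
/* remove_timeout callback: forget the pointer before libdbus frees it. If the
 * alarm thread is inside registry_fire() for this timeout, this blocks until
 * that call returns, so the handler never runs on freed memory. */
static void registry_remove(DBusTimeout *t) {
    pthread_mutex_lock(&lock);
    for (int i = 0; i < MAX_TIMEOUTS; i++)
        if (live[i] == t) live[i] = NULL;
    pthread_mutex_unlock(&lock);
}
/* Alarm callback: dereference t only if it is still registered, holding the
 * lock across dbus_timeout_handle(). Returns 1 if dispatched, 0 if stale. */
static int registry_fire(DBusTimeout *t) {
    int dispatched = 0;
    pthread_mutex_lock(&lock);
    for (int i = 0; i < MAX_TIMEOUTS; i++)
        if (live[i] == t) { dispatched = dbus_timeout_handle(t); break; }
    pthread_mutex_unlock(&lock);
    return dispatched;
}
```

With this pattern a late alarm for an already-removed timeout is simply dropped, and a removal racing with a firing waits for the handler to finish instead of pulling the memory out from under it.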