[Pidgin] #12387: Pidgin crashes if MSN direct connections are enabled.
Pidgin
trac at pidgin.im
Tue Dec 28 00:44:11 EST 2010
#12387: Pidgin crashes if MSN direct connections are enabled.
---------------------+------------------------------------------------------
Reporter: superyo | Owner:
Type: defect | Status: new
Milestone: | Component: libpurple
Version: 2.7.4 | Resolution:
Keywords: |
---------------------+------------------------------------------------------
Comment(by darkrain42 at pidgin.im):
(In [8febed9408d870efdef757d67f9a3631e1d6d494]):
upnp: Asynch-ronize the callbacks from UPnP to calling code. Refs #12387
I have no idea if this will resolve the crashes, but with the help of the
packet capture, I /think/ these are correct.
Short summary: it's possible for the callback to fire (and ar be freed) before
the top-level function (purple_upnp_cancel_port_mapping) returns, even though
cancel_port_mapping returns the now-invalid ar (which may lead to a subsequent
use-after-free).

At least one call path through the code that I think leads to this (backed up
by one of the debug logs I looked at):

purple_upnp_cancel_port_mapping(...)
  do_port_mapping_cb (has_control_mapping == TRUE, ar->add == FALSE)
    purple_upnp_generate_action_message_and_send(..., done_port_mapping_cb, ar)
      /* We fail to parse the URL (see some debug logs) */
      done_port_mapping_cb
        ar->cb(FALSE, cbdata)
        return;
      return;
    return;
  return;
return ar;

...and something which calls:

do_port_mapping_cb(has_control_mapping == TRUE, ar->add == TRUE)
  ar->cb(FALSE, cbdata)
  g_free(ar)
  return;
--
Ticket URL: <http://developer.pidgin.im/ticket/12387#comment:37>
Pidgin <http://pidgin.im>