Comment 20 for bug 128624

Simon McVittie (smcv) wrote:

On Bug #15589, Scott wrote this useful-looking summary of the bug:
> D-Bus relies on the userdb cache being enabled to be able to hold on to user
> info structures (which don't have refcounting).
>
> Test case:
> 1) disable the userdb cache
> 2) start a minimal dbus server
> 3) connect to it _from the same username_
>
> The server will have already looked up its own username, and will be holding on
> to the info for that (to compare it against users coming in, I suspect).
>
> When the new connection comes in, it will look up the username of *that*, which
> will invalidate the existing entry in the hash table. Then when it compares
> the new info with the info of its own user, you'll be reading from free'd
> memory.
>
> This could be partially fixed by not putting new info entries into the hash
> table, but then there'd be a memory leak for every time you looked one up,
> since it won't be clear who owns it.

Dropping priority and severity since this now only happens in a non-default compile-time configuration (you have to disable the userdb cache explicitly).
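Added example, not part of the comment above and not D-Bus code or the fix D-Bus adopted: a minimal sketch of how reference counting on the info record keeps a holder's pointer valid when an uncached lookup replaces the table entry for the same user. `UserInfo`, `lookup_uncached`, the one-slot table and the uid/username values are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a user-info record; not D-Bus's real type. */
typedef struct { int refcount; unsigned long uid; char username[32]; } UserInfo;

static UserInfo *info_new(unsigned long uid, const char *name) {
    UserInfo *i = calloc(1, sizeof *i);
    if (!i) return NULL;
    snprintf(i->username, sizeof i->username, "%s", name);
    i->uid = uid;
    i->refcount = 1;
    return i;
}

static UserInfo *info_ref(UserInfo *i) { i->refcount++; return i; }
/* Drops one reference; returns 1 only when the record was really freed. */
static int info_unref(UserInfo *i) {
    if (--i->refcount > 0) return 0;
    free(i);
    return 1;
}

/* A one-slot "table" is enough to show an entry replaced under the same key. */
static UserInfo *slot;

/* Cache disabled: each lookup replaces the entry; table and caller each own a ref. */
static UserInfo *lookup_uncached(unsigned long uid, const char *name) {
    UserInfo *fresh = info_new(uid, name);
    if (!fresh) return NULL;
    if (slot) info_unref(slot);      /* releases the table's reference only */
    slot = fresh;
    return info_ref(fresh);
}

/* The summary's test case: server holds its own info, same-user client connects. */
static int same_user_connect_is_safe(void) {
    UserInfo *server = lookup_uncached(1000, "alice");
    UserInfo *client = lookup_uncached(1000, "alice");  /* replaces the entry */
    if (!server || !client) return 0;
    int ok = server != client && server->refcount == 1 && client->refcount == 2
          && server->uid == client->uid
          && strcmp(server->username, client->username) == 0;
    ok = info_unref(server) == 1 && ok;   /* last holder frees the old record */
    info_unref(client);
    info_unref(slot);
    slot = NULL;
    return ok;
}
```

Without the `refcount` field, the `info_unref(slot)` call in `lookup_uncached` would have to free the record outright, and the later comparison against `server` would read freed memory, which is the failure the summary describes.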