frontend: Disconnect dbus signals to avoid use-after-free (#90)

aleasto · web-flow · commit 33a9e804a0e3 · 2026-03-12T16:58:13.000+01:00
cpdbDeletePrinterObj() free's the struct passed to the GDBus signal handlers
without making sure that these are not going to be called anymore.

g_dbus_connection_close_sync() is not enough because there may have bene
signals already received and awaiting to be dispatched in the next iteration
of the mainloop.
diff --git a/cpdb/cpdb-frontend.c b/cpdb/cpdb-frontend.c
@@ -183,14 +183,15 @@ GDBusConnection *cpdbGetDbusConnection()
 void cpdbConnectToDBus(cpdb_frontend_obj_t *f)
 {
     GError *error = NULL;
+    guint id;
 
     if ((f->connection = cpdbGetDbusConnection()) == NULL)
     {
         loginfo("Couldn't connect to DBus\n");
         return;
     }
     
-    g_dbus_connection_signal_subscribe(f->connection,
+    id = g_dbus_connection_signal_subscribe(f->connection,
                                        NULL,                            //Sender name
                                        "org.openprinting.PrintBackend", //Sender interface
                                        CPDB_SIGNAL_PRINTER_ADDED,       //Signal name
@@ -200,8 +201,9 @@ void cpdbConnectToDBus(cpdb_frontend_obj_t *f)
                                        cpdbOnPrinterAdded,                //callback
                                        f,                            //user_data
                                        NULL);
+    f->dbus_subscriptions = g_slist_prepend(f->dbus_subscriptions, GUINT_TO_POINTER(id));
 
-    g_dbus_connection_signal_subscribe(f->connection,
+    id = g_dbus_connection_signal_subscribe(f->connection,
                                        NULL,                            //Sender name
                                        "org.openprinting.PrintBackend", //Sender interface
                                        CPDB_SIGNAL_PRINTER_REMOVED,     //Signal name
@@ -211,7 +213,9 @@ void cpdbConnectToDBus(cpdb_frontend_obj_t *f)
                                        cpdbOnPrinterRemoved,              //callback
                                        f,                            //user_data
                                        NULL);
-    g_dbus_connection_signal_subscribe(f->connection,
+    f->dbus_subscriptions = g_slist_prepend(f->dbus_subscriptions, GUINT_TO_POINTER(id));
+
+    id = g_dbus_connection_signal_subscribe(f->connection,
                                        NULL,                                //Sender name
                                        "org.openprinting.PrintBackend",     //Sender interface
                                        CPDB_SIGNAL_PRINTER_STATE_CHANGED,   //Signal name
@@ -221,6 +225,7 @@ void cpdbConnectToDBus(cpdb_frontend_obj_t *f)
                                        cpdbOnPrinterStateChanged,            //callback
                                        f,                                //user_data
                                        NULL);
+    f->dbus_subscriptions = g_slist_prepend(f->dbus_subscriptions, GUINT_TO_POINTER(id));
 
 
     if (error)
@@ -250,6 +255,10 @@ void cpdbDisconnectFromDBus(cpdb_frontend_obj_t *f)
         logwarn("Already disconnected from DBus\n");
         return;
     }
+
+    for (GSList *sub = f->dbus_subscriptions; sub; sub = sub->next)
+        g_dbus_connection_signal_unsubscribe (f->connection, GPOINTER_TO_UINT(sub->data));
+    g_clear_pointer(&f->dbus_subscriptions, g_slist_free);
     g_hash_table_foreach(f->backend, stopListingLookup, NULL);
     g_dbus_connection_flush_sync(f->connection, NULL, NULL);
     g_dbus_connection_close_sync(f->connection, NULL, NULL);
diff --git a/cpdb/cpdb-frontend.h b/cpdb/cpdb-frontend.h
@@ -88,6 +88,7 @@ struct cpdb_frontend_obj_s
     cpdb_settings_t *last_saved_settings; /** The last saved settings to disk */
 
     GThread *background_thread;
+    GSList *dbus_subscriptions;
 };
 
 /**
