webserver: Fix heap use after free error
Server::Disconnect() destroys objects in the wrong order. Some maps,
such as |protocol_handlers_names_|, contain D-Bus object proxies owned
by |object_manager_|. Because of this, the object manager must be
freed *after* the maps containing pointers to D-Bus object proxies
are freed.
Processes linking libwebserv library (e.g. privetd, leaderd) would
crash at shut-down.
BUG=chromium:473271,chromium:488291
TEST=`USE="clang asan" emerge-link webserver privetd`
Change-Id: Ibc7528504808624374e0b45da07bdb4ee19b7dbf
Reviewed-on: https://chromium-review.googlesource.com/272958
Trybot-Ready: Alex Vakulenko <avakulenko@chromium.org>
Tested-by: Alex Vakulenko <avakulenko@chromium.org>
Reviewed-by: Vitaly Buka <vitalybuka@chromium.org>
Commit-Queue: Vitaly Buka <vitalybuka@chromium.org>
diff --git a/libwebserv/server.cc b/libwebserv/server.cc
index ed38988..408852e 100644
--- a/libwebserv/server.cc
+++ b/libwebserv/server.cc
@@ -124,12 +124,15 @@
}
void Server::Disconnect() {
- object_manager_.reset();
on_server_offline_.Reset();
on_server_online_.Reset();
- dbus_object_.reset();
protocol_handlers_ids_.clear();
protocol_handlers_names_.clear();
+ // Release D-Bus object manager proxy after all the dependent maps are freed
+ // (e.g. |protocol_handlers_names_| contains pointers to ProtocolHandlerProxy,
+ // instances of which are owned by the D-Bus object manager).
+ object_manager_.reset();
+ dbus_object_.reset();
}
void Server::Online(org::chromium::WebServer::ServerProxy* server) {
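Review bot: The new comment in Server::Disconnect() justifies moving object_manager_.reset() below the map clears, but dbus_object_.reset() was moved to the end as well and neither the comment nor the commit message says why. Please state whether dbus_object_ has the same ownership dependency or was relocated only to keep the two resets together. The fix also depends entirely on statement order inside this function: if Server can be destroyed without Disconnect() having run, members are torn down in reverse declaration order, so the declarations of object_manager_, protocol_handlers_ids_ and protocol_handlers_names_ in the class should be checked to give the same order, or the destructor should call Disconnect(). The TEST line only builds with ASan; a unit test that constructs a Server, registers a protocol handler and disconnects under ASan would keep this ordering from regressing.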