Open undroidwish opened 7 months ago
Here's a patch which fixes the double free of the SessionData struct:
--- a/src/xdmcp-server.c 2019-05-17 06:54:08.000000000 +0200
+++ b/src/xdmcp-server.c 2024-01-09 14:18:31.579502477 +0100
@@ -160,16 +160,16 @@
g_free (data);
}
-G_DEFINE_AUTOPTR_CLEANUP_FUNC (SessionData, session_data_free)
-
static gboolean
session_timeout_cb (gpointer user_data)
{
- g_autoptr(SessionData) data = user_data;
+ SessionData *data = user_data;
XDMCPServerPrivate *priv = xdmcp_server_get_instance_private (data->server);
+ guint16 id = xdmcp_session_get_id (data->session);
- g_debug ("Timing out unmanaged session %d", xdmcp_session_get_id (data->session));
- g_hash_table_remove (priv->sessions, GINT_TO_POINTER ((gint) xdmcp_session_get_id (data->session)));
+ data->timeout_source = 0;
+ g_debug ("Timing out unmanaged session %d", id);
+ g_hash_table_remove (priv->sessions, GINT_TO_POINTER ((gint) id));
return G_SOURCE_REMOVE;
}
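Review bot: in session_timeout_cb, nothing states who frees `data` once `g_autoptr(SessionData)` is gone, and the return value of `g_hash_table_remove` is not checked. If the table's value destroy function is what ends up calling session_data_free (that setup is not visible in this hunk), say so in a comment above the remove. Also consider the case where the remove returns FALSE because the id is no longer in `priv->sessions`: with the autoptr dropped, nothing in this callback would then free `data`. A one-line comment on `data->timeout_source = 0;` saying that the source is already going away through `G_SOURCE_REMOVE` would make the intent of that assignment clear to the next reader.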
The bug has been present for almost five years and is even in the current main branch.
On Rocky 9.3 with lightdm 1.30 I'm observing a crash of the lightdm master process when an XDMCP Request is to be serviced with an IP address which cannot be connected to. After about two minutes (>= 126 seconds?) the lightdm master process crashes with these lines in the log:
All active sessions are terminated, too, since all children of the master process follow it into Hades.
See the attached minimum C program which exercises this bug by sending the two required XDMCP packets of annihilation.
lightdmkill.c.txt