From 38060b55e20bd3303c44d94cc830082bd5e5cdc7 Mon Sep 17 00:00:00 2001
From: Tobias Markmann <tm@ayena.de>
Date: Wed, 9 Dec 2015 15:23:16 +0100
Subject: Disconnect signals from in-flight IBB request

Canceling an IBB transfer in-flight caused an use-after-free
reported by ASAN. With this fix we keep a reference of the
current request around to be able to disconnect from its
signals on cancel.

Test-Information:

Transferred a file with Swift using the IBB method and canceled
the transfer. The previously error reported by ASAN is gone.

Change-Id: I240d3dbb59cddb6b91d49f268595a89ac8805f72

diff --git a/Swiften/FileTransfer/IBBSendSession.cpp b/Swiften/FileTransfer/IBBSendSession.cpp
index 04c3b5e..9f41532 100644
--- a/Swiften/FileTransfer/IBBSendSession.cpp
+++ b/Swiften/FileTransfer/IBBSendSession.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010-2013 Isode Limited.
+ * Copyright (c) 2010-2015 Isode Limited.
  * All rights reserved.
  * See the COPYING file for more information.
  */
@@ -10,9 +10,9 @@
 #include <boost/numeric/conversion/cast.hpp>
 
 #include <Swiften/Base/ByteArray.h>
-#include <Swiften/Queries/IQRouter.h>
-#include <Swiften/FileTransfer/IBBRequest.h>
 #include <Swiften/FileTransfer/BytestreamException.h>
+#include <Swiften/FileTransfer/IBBRequest.h>
+#include <Swiften/Queries/IQRouter.h>
 
 namespace Swift {
 
@@ -44,16 +44,22 @@ void IBBSendSession::start() {
 	request->onResponse.connect(boost::bind(&IBBSendSession::handleIBBResponse, this, _1, _2));
 	active = true;
 	request->send();
+	currentRequest = request;
 }
 
 void IBBSendSession::stop() {
 	if (active && router->isAvailable()) {
 		IBBRequest::create(from, to, IBB::createIBBClose(id), router)->send();
 	}
+	if (currentRequest) {
+		currentRequest->onResponse.disconnect(boost::bind(&IBBSendSession::handleIBBResponse, this, _1, _2));
+	}
 	finish(boost::optional<FileTransferError>());
 }
 
 void IBBSendSession::handleIBBResponse(IBB::ref, ErrorPayload::ref error) {
+	currentRequest.reset();
+
 	if (!error && active) {
 		if (!bytestream->isFinished()) {
 			sendMoreData();
@@ -76,6 +82,7 @@ void IBBSendSession::sendMoreData() {
 			sequenceNumber++;
 			request->onResponse.connect(boost::bind(&IBBSendSession::handleIBBResponse, this, _1, _2));
 			request->send();
+			currentRequest = request;
 			onBytesSent(data->size());
 		}
 		else {
diff --git a/Swiften/FileTransfer/IBBSendSession.h b/Swiften/FileTransfer/IBBSendSession.h
index 3b29c23..af8cc12 100644
--- a/Swiften/FileTransfer/IBBSendSession.h
+++ b/Swiften/FileTransfer/IBBSendSession.h
@@ -1,24 +1,25 @@
 /*
- * Copyright (c) 2010-2013 Isode Limited.
+ * Copyright (c) 2010-2015 Isode Limited.
  * All rights reserved.
  * See the COPYING file for more information.
  */
 
 #pragma once
 
-#include <boost/shared_ptr.hpp>
 #include <boost/optional.hpp>
+#include <boost/shared_ptr.hpp>
 
 #include <Swiften/Base/API.h>
 #include <Swiften/Base/boost_bsignals.h>
-#include <Swiften/FileTransfer/ReadBytestream.h>
-#include <Swiften/JID/JID.h>
-#include <Swiften/Elements/IBB.h>
 #include <Swiften/Elements/ErrorPayload.h>
+#include <Swiften/Elements/IBB.h>
 #include <Swiften/FileTransfer/FileTransferError.h>
+#include <Swiften/FileTransfer/ReadBytestream.h>
+#include <Swiften/JID/JID.h>
 
 namespace Swift {
 	class IQRouter;
+	class IBBRequest;
 
 	class SWIFTEN_API IBBSendSession {
 		public:
@@ -64,5 +65,6 @@ namespace Swift {
 			int sequenceNumber;
 			bool active;
 			bool waitingForData;
+			boost::shared_ptr<IBBRequest> currentRequest;
 	};
 }
-- 
cgit v0.10.2-6-g49f6