Fix possible invalid read/free when using g_slist_free_full This is probably a glib bug on g_slist_free_full which doesn't handle the case where the list is modified inside the callback: Invalid read of size 8 at 0x50AD5B2: g_slice_free_chain_with_offset (in /usr/lib64/libglib-2.0.so.0.2800.8) by 0x13057B: a2dp_unregister (a2dp.c:1550) by 0x12144C: a2dp_server_remove (manager.c:1032) by 0x50ADF16: g_slist_foreach (in /usr/lib64/libglib-2.0.so.0.2800.8) by 0x178B55: adapter_remove (adapter.c:2326) by 0x175205: manager_remove_adapter (manager.c:290) by 0x50ADF16: g_slist_foreach (in /usr/lib64/libglib-2.0.so.0.2800.8) by 0x50ADF3A: g_slist_free_full (in /usr/lib64/libglib-2.0.so.0.2800.8) by 0x175086: manager_cleanup (manager.c:298) by 0x11D7A8: main (main.c:305) Address 0x637a5e8 is 8 bytes inside a block of size 16 free'd at 0x4C27D6E: free (vg_replace_malloc.c:366) by 0x50AD9FC: g_slist_remove (in /usr/lib64/libglib-2.0.so.0.2800.8) by 0x12E5C6: a2dp_remove_sep (a2dp.c:1667) by 0x50ADF16: g_slist_foreach (in /usr/lib64/libglib-2.0.so.0.2800.8) by 0x50ADF3A: g_slist_free_full (in /usr/lib64/libglib-2.0.so.0.2800.8) by 0x13057B: a2dp_unregister (a2dp.c:1550) by 0x12144C: a2dp_server_remove (manager.c:1032) by 0x50ADF16: g_slist_foreach (in /usr/lib64/libglib-2.0.so.0.2800.8) by 0x178B55: adapter_remove (adapter.c:2326) by 0x175205: manager_remove_adapter (manager.c:290) by 0x50ADF16: g_slist_foreach (in /usr/lib64/libglib-2.0.so.0.2800.8) by 0x50ADF3A: g_slist_free_full (in /usr/lib64/libglib-2.0.so.0.2800.8) Invalid free() / delete / delete[] at 0x4C27D6E: free (vg_replace_malloc.c:366) by 0x50AD5A3: g_slice_free_chain_with_offset (in /usr/lib64/libglib-2.0.so.0.2800.8) by 0x13057B: a2dp_unregister (a2dp.c:1550) by 0x12144C: a2dp_server_remove (manager.c:1032) by 0x50ADF16: g_slist_foreach (in /usr/lib64/libglib-2.0.so.0.2800.8) by 0x178B55: adapter_remove (adapter.c:2326) by 0x175205: manager_remove_adapter (manager.c:290) by 0x50ADF16: g_slist_foreach (in /usr/lib64/libglib-2.0.so.0.2800.8) by 0x50ADF3A: g_slist_free_full (in /usr/lib64/libglib-2.0.so.0.2800.8) by 0x175086: manager_cleanup (manager.c:298) by 0x11D7A8: main (main.c:305) Address 0x637a5e0 is 0 bytes inside a block of size 16 free'd at 0x4C27D6E: free (vg_replace_malloc.c:366) by 0x50AD9FC: g_slist_remove (in /usr/lib64/libglib-2.0.so.0.2800.8) by 0x12E5C6: a2dp_remove_sep (a2dp.c:1667) by 0x50ADF16: g_slist_foreach (in /usr/lib64/libglib-2.0.so.0.2800.8) by 0x50ADF3A: g_slist_free_full (in /usr/lib64/libglib-2.0.so.0.2800.8) by 0x13057B: a2dp_unregister (a2dp.c:1550) by 0x12144C: a2dp_server_remove (manager.c:1032) by 0x50ADF16: g_slist_foreach (in /usr/lib64/libglib-2.0.so.0.2800.8) by 0x178B55: adapter_remove (adapter.c:2326) by 0x175205: manager_remove_adapter (manager.c:290) by 0x50ADF16: g_slist_foreach (in /usr/lib64/libglib-2.0.so.0.2800.8) by 0x50ADF3A: g_slist_free_full (in /usr/lib64/libglib-2.0.so.0.2800.8) Invalid read of size 8 at 0x50AD5B2: g_slice_free_chain_with_offset (in /usr/lib64/libglib-2.0.so.0.2800.8) by 0x175086: manager_cleanup (manager.c:298) by 0x11D7A8: main (main.c:305) Address 0x62b7ea8 is 8 bytes inside a block of size 16 free'd at 0x4C27D6E: free (vg_replace_malloc.c:366) by 0x50AD9FC: g_slist_remove (in /usr/lib64/libglib-2.0.so.0.2800.8) by 0x1751AE: manager_remove_adapter (manager.c:275) by 0x50ADF16: g_slist_foreach (in /usr/lib64/libglib-2.0.so.0.2800.8) by 0x50ADF3A: g_slist_free_full (in /usr/lib64/libglib-2.0.so.0.2800.8) by 0x175086: manager_cleanup (manager.c:298) by 0x11D7A8: main (main.c:305) Invalid free() / delete / delete[] at 0x4C27D6E: free (vg_replace_malloc.c:366) by 0x50AD5A3: g_slice_free_chain_with_offset (in /usr/lib64/libglib-2.0.so.0.2800.8) by 0x175086: manager_cleanup (manager.c:298) by 0x11D7A8: main (main.c:305) Address 0x62b7ea0 is 0 bytes inside a block of size 16 free'd at 0x4C27D6E: free (vg_replace_malloc.c:366) by 0x50AD9FC: g_slist_remove (in /usr/lib64/libglib-2.0.so.0.2800.8) by 0x1751AE: manager_remove_adapter (manager.c:275) by 0x50ADF16: g_slist_foreach (in /usr/lib64/libglib-2.0.so.0.2800.8) by 0x50ADF3A: g_slist_free_full (in /usr/lib64/libglib-2.0.so.0.2800.8) by 0x175086: manager_cleanup (manager.c:298) by 0x11D7A8: main (main.c:305) To fix this now adapter_remove and a2dp_unregister_sep are passed directly as a callbacks so g_slist_remove is not triggered.

Diffstat

2 files changed, 14 insertions(+), 3 deletions(-)