From 6b3501a79456609dcdd0bab3bbea522dce214609 Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz
Date: Fri, 3 May 2013 15:19:55 +0300
Subject: [PATCH] network: Fix invalid read while removing device

Invalid read of size 8
at 0x42F4B2: connection_unregister (connection.c:643)
by 0x466CE6: service_shutdown (service.c:174)
by 0x467B70: remove_service (device.c:963)
by 0x32C3863CAC: g_slist_foreach (in /usr/lib64/libglib-2.0.so.0.3400.2)
by 0x32C3863CCA: g_slist_free_full (in /usr/lib64/libglib-2.0.so.0.3400.2)
by 0x46CABC: device_remove (device.c:2331)
by 0x45E229: adapter_remove_device.constprop.44 (adapter.c:1049)
by 0x45E31D: remove_device (adapter.c:2134)
by 0x40CC80: process_message.isra.4 (object.c:258)
by 0x32C641D9C4: ??? (in /usr/lib64/libdbus-1.so.3.7.2)
by 0x32C640FC1F: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.7.2)
by 0x40A807: message_dispatch (mainloop.c:76)
Address 0x54e6e38 is 8 bytes inside a block of size 16 free'd
at 0x4A077E6: free (vg_replace_malloc.c:446)
by 0x32C384D79E: g_free (in /usr/lib64/libglib-2.0.so.0.3400.2)
by 0x40DCA9: remove_interface (object.c:656)
by 0x40DF09: g_dbus_unregister_interface (object.c:1413)
by 0x466CE6: service_shutdown (service.c:174)
by 0x467B70: remove_service (device.c:963)
by 0x32C3863CAC: g_slist_foreach (in /usr/lib64/libglib-2.0.so.0.3400.2)
by 0x32C3863CCA: g_slist_free_full (in /usr/lib64/libglib-2.0.so.0.3400.2)
by 0x46CABC: device_remove (device.c:2331)
by 0x45E229: adapter_remove_device.constprop.44 (adapter.c:1049)
by 0x45E31D: remove_device (adapter.c:2134)
by 0x40CC80: process_message.isra.4 (object.c:258)
---
profiles/network/connection.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/profiles/network/connection.c b/profiles/network/connection.c
index 2d6c3633a..9481072da 100644
--- a/profiles/network/connection.c
+++ b/profiles/network/connection.c
@@ -640,8 +640,11 @@ void connection_unregister(struct btd_service *service)
 DBG("%s id %u", device_get_path(device), id);
- g_slist_free_full(peer->connections, connection_free);
- peer->connections = NULL;
+ peer->connections = g_slist_remove(peer->connections, conn);
+ connection_free(conn);
+
+ if (peer->connections != NULL)
+ return;
 g_dbus_unregister_interface(btd_get_dbus_connection(),
 device_get_path(device),
-- 
2.47.3
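Review bot: `connection_free(conn)` runs regardless of whether `g_slist_remove` actually found `conn` in `peer->connections`, so if `conn` were ever not on that list the function would free an object the list never owned and then, while other connections remain, return with the D-Bus interface still registered; `conn` is obtained above the hunk, so whether its lookup guarantees membership cannot be confirmed from here. The ordering the fix depends on — unlink first, free second, and unregister the interface only once the list is empty — is what stops the freed-node read shown in the commit's valgrind trace, yet nothing in the hunk records that intent; a one-line comment before the removal, `/* unlink before freeing: the interface is torn down only with the last connection */`, would keep a later edit from reintroducing the original free-then-iterate order. `connection_unregister` begins before the hunk, and the `g_dbus_unregister_interface` call at its end continues past it.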