From 765fc36308c8d806a597bb9eae13bdff82e081d8 Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz
Date: Wed, 27 Aug 2014 15:39:02 +0300
Subject: [PATCH] obexd/client: Fix crash while disconnecting
In case the transport is disconnected while disconnect command is pending the session is freed on disconnect_complete but disconnect callback is still valid causing the following crash:
Invalid read of size 4
at 0x42682A: obc_session_ref (session.c:132)
by 0x42797B: obc_session_shutdown (session.c:580)
by 0x4139DA: incoming_data (gobex.c:1406)
by 0x59712A5: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x5971627: ??? (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x5971A39: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x40D78C: main (main.c:320)
Address 0x728d814 is 4 bytes inside a block of size 120 free'd
at 0x4C28577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x5976F7E: g_free (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x4134B9: handle_response (gobex.c:1129)
by 0x4139BD: incoming_data (gobex.c:1403)
by 0x59712A5: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x5971627: ??? (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x5971A39: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3800.2)
by 0x40D78C: main (main.c:320)
---
 obexd/client/session.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/obexd/client/session.c b/obexd/client/session.c
index cb176e4ad..9bba6c68d 100644
--- a/obexd/client/session.c
+++ b/obexd/client/session.c
@@ -225,8 +225,10 @@ static void session_free(struct obc_session *session)
 if (session->watch)
 g_dbus_remove_watch(session->conn, session->watch);
- if (session->obex != NULL)
+ if (session->obex) {
+ g_obex_set_disconnect_function(session->obex, NULL, NULL);
 g_obex_unref(session->obex);
+ }
 if (session->id > 0 && session->transport != NULL)
 session->transport->disconnect(session->id);
--
2.47.3
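Review bot: The added `g_obex_set_disconnect_function(session->obex, NULL, NULL);` in session_free carries no comment saying that it is the use-after-free guard, so a later cleanup could drop it as redundant next to the unref. I would put `/* GObex can outlive the session; clear the callback so it cannot run on freed memory */` directly above it, which matches the trace in the commit message where incoming_data still invokes the disconnect function after handle_response freed the session. The change detaches only the disconnect callback; whether other callbacks registered on session->obex with the session as user data (pending requests, for instance) are cancelled before this point is not visible here and is worth confirming. session_free's body starts and ends outside the hunk.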