* [PATCH BlueZ 1/3] Fix possible invalid read/free on manager.c
@ 2011-07-11  9:10 Luiz Augusto von Dentz
  2011-07-11  9:10 ` [PATCH BlueZ 2/3] Fix possible invalid read/free on a2dp.c Luiz Augusto von Dentz
  2011-07-11  9:10 ` [PATCH BlueZ 3/3] Fix possible invalid read/free on media.c Luiz Augusto von Dentz
  0 siblings, 2 replies; 3+ messages in thread
From: Luiz Augusto von Dentz @ 2011-07-11  9:10 UTC (permalink / raw)
  To: linux-bluetooth

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

==6091== Invalid read of size 4
==6091==    at 0x178A20: adapter_get_address (string3.h:52)
==6091==    by 0x174C28: adapter_cmp (manager.c:324)
==6091==    by 0x4EA95B0: g_slist_find_custom (in /lib64/libglib-2.0.so.0.2908.0)
==6091==    by 0x174ED9: manager_find_adapter (manager.c:333)
==6091==    by 0x16ABFA: sdp_record_remove (sdpd-database.c:270)
==6091==    by 0x16A4D6: remove_record_from_server (sdpd-service.c:286)
==6091==    by 0x12A947: avrcp_unregister (control.c:972)
==6091==    by 0x1208CC: avrcp_server_remove (manager.c:1066)
==6091==    by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
==6091==    by 0x178985: adapter_remove (adapter.c:2326)
==6091==    by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
==6091==    by 0x4EA984A: g_slist_free_full (in /lib64/libglib-2.0.so.0.2908.0)
==6091==  Address 0x603ccd0 is 16 bytes inside a block of size 448 free'd
==6091==    at 0x4A055FE: free (vg_replace_malloc.c:366)
==6091==    by 0x4E938F2: g_free (in /lib64/libglib-2.0.so.0.2908.0)
==6091==    by 0x11EB59: remove_interface (object.c:563)
==6091==    by 0x11F380: g_dbus_unregister_interface (object.c:715)
==6091==    by 0x1787EC: btd_adapter_unref (adapter.c:2496)
==6091==    by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
==6091==    by 0x4EA984A: g_slist_free_full (in /lib64/libglib-2.0.so.0.2908.0)
==6091==    by 0x174E96: manager_cleanup (manager.c:301)
==6091==    by 0x11CCE8: main (main.c:305)
==6091==
==6091== Invalid read of size 2
==6091==    at 0x178A25: adapter_get_address (string3.h:52)
==6091==    by 0x174C28: adapter_cmp (manager.c:324)
==6091==    by 0x4EA95B0: g_slist_find_custom (in /lib64/libglib-2.0.so.0.2908.0)
==6091==    by 0x174ED9: manager_find_adapter (manager.c:333)
==6091==    by 0x16ABFA: sdp_record_remove (sdpd-database.c:270)
==6091==    by 0x16A4D6: remove_record_from_server (sdpd-service.c:286)
==6091==    by 0x12A947: avrcp_unregister (control.c:972)
==6091==    by 0x1208CC: avrcp_server_remove (manager.c:1066)
==6091==    by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
==6091==    by 0x178985: adapter_remove (adapter.c:2326)
==6091==    by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
==6091==    by 0x4EA984A: g_slist_free_full (in /lib64/libglib-2.0.so.0.2908.0)
==6091==  Address 0x603ccd4 is 20 bytes inside a block of size 448 free'd
==6091==    at 0x4A055FE: free (vg_replace_malloc.c:366)
==6091==    by 0x4E938F2: g_free (in /lib64/libglib-2.0.so.0.2908.0)
==6091==    by 0x11EB59: remove_interface (object.c:563)
==6091==    by 0x11F380: g_dbus_unregister_interface (object.c:715)
==6091==    by 0x1787EC: btd_adapter_unref (adapter.c:2496)
==6091==    by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
==6091==    by 0x4EA984A: g_slist_free_full (in /lib64/libglib-2.0.so.0.2908.0)
==6091==    by 0x174E96: manager_cleanup (manager.c:301)
==6091==    by 0x11CCE8: main (main.c:305)
---
 src/manager.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/src/manager.c b/src/manager.c
index a725588..8dde48c 100644
--- a/src/manager.c
+++ b/src/manager.c
@@ -298,9 +298,11 @@ static void manager_remove_adapter(struct btd_adapter *adapter)
 
 void manager_cleanup(DBusConnection *conn, const char *path)
 {
-	g_slist_free_full(adapters, (GDestroyNotify) adapter_remove);
+	GSList *l = adapters;
 
 	adapters = NULL;
+	g_slist_free_full(l, (GDestroyNotify) adapter_remove);
+
 	btd_start_exit_timer();
 
 	g_dbus_unregister_interface(conn, "/", MANAGER_INTERFACE);
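Review bot: Clearing `adapters` before `g_slist_free_full()` means every `manager_find_adapter()` call made from inside `adapter_remove()` now returns NULL, including for the adapter being torn down. The callers on the traced path (`sdp_record_remove` at sdpd-database.c:270 in the description) therefore have to tolerate a NULL adapter; that handling is not visible in this hunk and is worth confirming, otherwise the invalid read turns into a NULL dereference. The ordering is load-bearing and easy to undo in a later cleanup, so I would add a comment above the local, e.g. `/* Detach the list first: adapter_remove() can re-enter manager_find_adapter() while nodes are being freed */`. The detach-then-free code in `a2dp_unregister()` and `path_free()` later in this series would benefit from the same comment. `manager_cleanup()` continues past the end of the hunk.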
-- 
1.7.6



* [PATCH BlueZ 2/3] Fix possible invalid read/free on a2dp.c
  2011-07-11  9:10 [PATCH BlueZ 1/3] Fix possible invalid read/free on manager.c Luiz Augusto von Dentz
@ 2011-07-11  9:10 ` Luiz Augusto von Dentz
  2011-07-11  9:10 ` [PATCH BlueZ 3/3] Fix possible invalid read/free on media.c Luiz Augusto von Dentz
  1 sibling, 0 replies; 3+ messages in thread
From: Luiz Augusto von Dentz @ 2011-07-11  9:10 UTC (permalink / raw)
  To: linux-bluetooth

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

 Invalid read of size 8
    at 0x4EA8CC2: g_slice_free_chain_with_offset (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x13AEE3: path_free (media.c:412)
    by 0x11EAF9: remove_interface (object.c:563)
    by 0x11F320: g_dbus_unregister_interface (object.c:715)
    by 0x120C09: media_server_remove (manager.c:1098)
    by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x178845: adapter_remove (adapter.c:2326)
    by 0x17528F: btd_manager_unregister_adapter (manager.c:293)
    by 0x153FE1: device_event (hciops.c:2643)
    by 0x154321: io_stack_event (hciops.c:2763)
    by 0x4E8C88C: g_main_context_dispatch (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x4E8D087: ??? (in /lib64/libglib-2.0.so.0.2908.0)
  Address 0x637fe18 is 8 bytes inside a block of size 16 free'd
    at 0x4A055FE: free (vg_replace_malloc.c:366)
    by 0x4E938F2: g_free (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x4EA854E: g_slice_free1 (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x4EA930C: g_slist_remove (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x13AE03: media_endpoint_remove (media.c:118)
    by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x4EA984A: g_slist_free_full (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x13AEE3: path_free (media.c:412)
    by 0x11EAF9: remove_interface (object.c:563)
    by 0x11F320: g_dbus_unregister_interface (object.c:715)
    by 0x120C09: media_server_remove (manager.c:1098)
    by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)

 Invalid write of size 4
    at 0x4A08D20: memset (mc_replace_strmem.c:751)
    by 0x4EA8CAB: g_slice_free_chain_with_offset (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x13AEE3: path_free (media.c:412)
    by 0x11EAF9: remove_interface (object.c:563)
    by 0x11F320: g_dbus_unregister_interface (object.c:715)
    by 0x120C09: media_server_remove (manager.c:1098)
    by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x178845: adapter_remove (adapter.c:2326)
    by 0x17528F: btd_manager_unregister_adapter (manager.c:293)
    by 0x153FE1: device_event (hciops.c:2643)
    by 0x154321: io_stack_event (hciops.c:2763)
    by 0x4E8C88C: g_main_context_dispatch (in /lib64/libglib-2.0.so.0.2908.0)
  Address 0x637fe10 is 0 bytes inside a block of size 16 free'd
    at 0x4A055FE: free (vg_replace_malloc.c:366)
    by 0x4E938F2: g_free (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x4EA854E: g_slice_free1 (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x4EA930C: g_slist_remove (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x13AE03: media_endpoint_remove (media.c:118)
    by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x4EA984A: g_slist_free_full (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x13AEE3: path_free (media.c:412)
    by 0x11EAF9: remove_interface (object.c:563)
    by 0x11F320: g_dbus_unregister_interface (object.c:715)
    by 0x120C09: media_server_remove (manager.c:1098)
    by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)

 Invalid write of size 4
    at 0x4A08D2B: memset (mc_replace_strmem.c:751)
    by 0x4EA8CAB: g_slice_free_chain_with_offset (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x13AEE3: path_free (media.c:412)
    by 0x11EAF9: remove_interface (object.c:563)
    by 0x11F320: g_dbus_unregister_interface (object.c:715)
    by 0x120C09: media_server_remove (manager.c:1098)
    by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x178845: adapter_remove (adapter.c:2326)
    by 0x17528F: btd_manager_unregister_adapter (manager.c:293)
    by 0x153FE1: device_event (hciops.c:2643)
    by 0x154321: io_stack_event (hciops.c:2763)
    by 0x4E8C88C: g_main_context_dispatch (in /lib64/libglib-2.0.so.0.2908.0)
  Address 0x637fe18 is 8 bytes inside a block of size 16 free'd
    at 0x4A055FE: free (vg_replace_malloc.c:366)
    by 0x4E938F2: g_free (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x4EA854E: g_slice_free1 (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x4EA930C: g_slist_remove (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x13AE03: media_endpoint_remove (media.c:118)
    by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x4EA984A: g_slist_free_full (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x13AEE3: path_free (media.c:412)
    by 0x11EAF9: remove_interface (object.c:563)
    by 0x11F320: g_dbus_unregister_interface (object.c:715)
    by 0x120C09: media_server_remove (manager.c:1098)
    by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)

 Invalid free() / delete / delete[]
    at 0x4A055FE: free (vg_replace_malloc.c:366)
    by 0x4E938F2: g_free (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x4EA8CB3: g_slice_free_chain_with_offset (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x13AEE3: path_free (media.c:412)
    by 0x11EAF9: remove_interface (object.c:563)
    by 0x11F320: g_dbus_unregister_interface (object.c:715)
    by 0x120C09: media_server_remove (manager.c:1098)
    by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x178845: adapter_remove (adapter.c:2326)
    by 0x17528F: btd_manager_unregister_adapter (manager.c:293)
    by 0x153FE1: device_event (hciops.c:2643)
    by 0x154321: io_stack_event (hciops.c:2763)
  Address 0x637fe10 is 0 bytes inside a block of size 16 free'd
    at 0x4A055FE: free (vg_replace_malloc.c:366)
    by 0x4E938F2: g_free (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x4EA854E: g_slice_free1 (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x4EA930C: g_slist_remove (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x13AE03: media_endpoint_remove (media.c:118)
    by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x4EA984A: g_slist_free_full (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x13AEE3: path_free (media.c:412)
    by 0x11EAF9: remove_interface (object.c:563)
    by 0x11F320: g_dbus_unregister_interface (object.c:715)
    by 0x120C09: media_server_remove (manager.c:1098)
    by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
---
 audio/a2dp.c |   11 ++++++++---
 1 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/audio/a2dp.c b/audio/a2dp.c
index 72a0df5..8f32fdb 100644
--- a/audio/a2dp.c
+++ b/audio/a2dp.c
@@ -1595,14 +1595,19 @@ static void a2dp_unregister_sep(struct a2dp_sep *sep)
 void a2dp_unregister(const bdaddr_t *src)
 {
 	struct a2dp_server *server;
+	GSList *sources, *sinks;
 
 	server = find_server(servers, src);
 	if (!server)
 		return;
 
-	g_slist_free_full(server->sinks, (GDestroyNotify) a2dp_unregister_sep);
-	g_slist_free_full(server->sources,
-					(GDestroyNotify) a2dp_unregister_sep);
+	sinks = server->sinks;
+	server->sinks = NULL;
+	g_slist_free_full(sinks, (GDestroyNotify) a2dp_unregister_sep);
+
+	sources = server->sources;
+	server->sources = NULL;
+	g_slist_free_full(sources, (GDestroyNotify) a2dp_unregister_sep);
 
 	avdtp_exit(src);
 
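Review bot: With `server->sinks` and `server->sources` set to NULL before each free, any code reached from `a2dp_unregister_sep()` that checks list membership to decide whether a SEP still needs unregistering will see an empty list for every element. Whether such a check exists is not visible in this hunk, so it should be confirmed that no teardown step is skipped. The valgrind trace in the description runs through `path_free` in media.c rather than `a2dp_unregister`, so the re-entrant reader of these two lists is not identified on this page; naming it in a short comment above `sinks = server->sinks;` would record why the detach is needed. `a2dp_unregister()` continues past the end of the hunk.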
-- 
1.7.6



* [PATCH BlueZ 3/3] Fix possible invalid read/free on media.c
  2011-07-11  9:10 [PATCH BlueZ 1/3] Fix possible invalid read/free on manager.c Luiz Augusto von Dentz
  2011-07-11  9:10 ` [PATCH BlueZ 2/3] Fix possible invalid read/free on a2dp.c Luiz Augusto von Dentz
@ 2011-07-11  9:10 ` Luiz Augusto von Dentz
  1 sibling, 0 replies; 3+ messages in thread
From: Luiz Augusto von Dentz @ 2011-07-11  9:10 UTC (permalink / raw)
  To: linux-bluetooth

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

 Invalid read of size 8
    at 0x4EA8CC2: g_slice_free_chain_with_offset (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x13AF33: path_free (media.c:417)
    by 0x11EB39: remove_interface (object.c:563)
    by 0x11F360: g_dbus_unregister_interface (object.c:715)
    by 0x120C49: media_server_remove (manager.c:1098)
    by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x178915: adapter_remove (adapter.c:2326)
    by 0x17535F: btd_manager_unregister_adapter (manager.c:293)
    by 0x154081: device_event (hciops.c:2643)
    by 0x1543C1: io_stack_event (hciops.c:2763)
    by 0x4E8C88C: g_main_context_dispatch (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x4E8D087: ??? (in /lib64/libglib-2.0.so.0.2908.0)
  Address 0x63f6638 is 8 bytes inside a block of size 16 free'd
    at 0x4A055FE: free (vg_replace_malloc.c:366)
    by 0x4E938F2: g_free (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x4EA854E: g_slice_free1 (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x4EA930C: g_slist_remove (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x13AE53: media_endpoint_remove (media.c:118)
    by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x4EA984A: g_slist_free_full (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x13AF33: path_free (media.c:417)
    by 0x11EB39: remove_interface (object.c:563)
    by 0x11F360: g_dbus_unregister_interface (object.c:715)
    by 0x120C49: media_server_remove (manager.c:1098)
    by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)

 Invalid write of size 4
    at 0x4A08D20: memset (mc_replace_strmem.c:751)
    by 0x4EA8CAB: g_slice_free_chain_with_offset (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x13AF33: path_free (media.c:417)
    by 0x11EB39: remove_interface (object.c:563)
    by 0x11F360: g_dbus_unregister_interface (object.c:715)
    by 0x120C49: media_server_remove (manager.c:1098)
    by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x178915: adapter_remove (adapter.c:2326)
    by 0x17535F: btd_manager_unregister_adapter (manager.c:293)
    by 0x154081: device_event (hciops.c:2643)
    by 0x1543C1: io_stack_event (hciops.c:2763)
    by 0x4E8C88C: g_main_context_dispatch (in /lib64/libglib-2.0.so.0.2908.0)
  Address 0x63f6630 is 0 bytes inside a block of size 16 free'd
    at 0x4A055FE: free (vg_replace_malloc.c:366)
    by 0x4E938F2: g_free (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x4EA854E: g_slice_free1 (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x4EA930C: g_slist_remove (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x13AE53: media_endpoint_remove (media.c:118)
    by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x4EA984A: g_slist_free_full (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x13AF33: path_free (media.c:417)
    by 0x11EB39: remove_interface (object.c:563)
    by 0x11F360: g_dbus_unregister_interface (object.c:715)
    by 0x120C49: media_server_remove (manager.c:1098)
    by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)

 Invalid write of size 4
    at 0x4A08D2B: memset (mc_replace_strmem.c:751)
    by 0x4EA8CAB: g_slice_free_chain_with_offset (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x13AF33: path_free (media.c:417)
    by 0x11EB39: remove_interface (object.c:563)
    by 0x11F360: g_dbus_unregister_interface (object.c:715)
    by 0x120C49: media_server_remove (manager.c:1098)
    by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x178915: adapter_remove (adapter.c:2326)
    by 0x17535F: btd_manager_unregister_adapter (manager.c:293)
    by 0x154081: device_event (hciops.c:2643)
    by 0x1543C1: io_stack_event (hciops.c:2763)
    by 0x4E8C88C: g_main_context_dispatch (in /lib64/libglib-2.0.so.0.2908.0)
  Address 0x63f6638 is 8 bytes inside a block of size 16 free'd
    at 0x4A055FE: free (vg_replace_malloc.c:366)
    by 0x4E938F2: g_free (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x4EA854E: g_slice_free1 (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x4EA930C: g_slist_remove (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x13AE53: media_endpoint_remove (media.c:118)
    by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x4EA984A: g_slist_free_full (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x13AF33: path_free (media.c:417)
    by 0x11EB39: remove_interface (object.c:563)
    by 0x11F360: g_dbus_unregister_interface (object.c:715)
    by 0x120C49: media_server_remove (manager.c:1098)
    by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)

 Invalid free() / delete / delete[]
    at 0x4A055FE: free (vg_replace_malloc.c:366)
    by 0x4E938F2: g_free (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x4EA8CB3: g_slice_free_chain_with_offset (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x13AF33: path_free (media.c:417)
    by 0x11EB39: remove_interface (object.c:563)
    by 0x11F360: g_dbus_unregister_interface (object.c:715)
    by 0x120C49: media_server_remove (manager.c:1098)
    by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x178915: adapter_remove (adapter.c:2326)
    by 0x17535F: btd_manager_unregister_adapter (manager.c:293)
    by 0x154081: device_event (hciops.c:2643)
    by 0x1543C1: io_stack_event (hciops.c:2763)
  Address 0x63f6630 is 0 bytes inside a block of size 16 free'd
    at 0x4A055FE: free (vg_replace_malloc.c:366)
    by 0x4E938F2: g_free (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x4EA854E: g_slice_free1 (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x4EA930C: g_slist_remove (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x13AE53: media_endpoint_remove (media.c:118)
    by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x4EA984A: g_slist_free_full (in /lib64/libglib-2.0.so.0.2908.0)
    by 0x13AF33: path_free (media.c:417)
    by 0x11EB39: remove_interface (object.c:563)
    by 0x11F360: g_dbus_unregister_interface (object.c:715)
    by 0x120C49: media_server_remove (manager.c:1098)
    by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
---
 audio/media.c |   34 ++++++++++++++++++++++++----------
 1 files changed, 24 insertions(+), 10 deletions(-)

diff --git a/audio/media.c b/audio/media.c
index 57bf7c9..7f93dfe 100644
--- a/audio/media.c
+++ b/audio/media.c
@@ -105,17 +105,11 @@ static void media_endpoint_cancel(struct media_endpoint *endpoint)
 	endpoint->request = NULL;
 }
 
-static void media_endpoint_remove(struct media_endpoint *endpoint)
+static void media_endpoint_destroy(struct media_endpoint *endpoint)
 {
 	struct media_adapter *adapter = endpoint->adapter;
 
-	if (g_slist_find(adapter->endpoints, endpoint) == NULL)
-		return;
-
-	info("Endpoint unregistered: sender=%s path=%s", endpoint->sender,
-			endpoint->path);
-
-	adapter->endpoints = g_slist_remove(adapter->endpoints, endpoint);
+	DBG("sender=%s path=%s", endpoint->sender, endpoint->path);
 
 	if (endpoint->sep)
 		a2dp_remove_sep(endpoint->sep);
@@ -137,6 +131,23 @@ static void media_endpoint_remove(struct media_endpoint *endpoint)
 	g_free(endpoint);
 }
 
+static void media_endpoint_remove(struct media_endpoint *endpoint)
+{
+	struct media_adapter *adapter = endpoint->adapter;
+
+	if (g_slist_find(adapter->endpoints, endpoint) == NULL) {
+		media_endpoint_destroy(endpoint);
+		return;
+	}
+
+	info("Endpoint unregistered: sender=%s path=%s", endpoint->sender,
+			endpoint->path);
+
+	adapter->endpoints = g_slist_remove(adapter->endpoints, endpoint);
+
+	media_endpoint_destroy(endpoint);
+}
+
 static void media_endpoint_exit(DBusConnection *connection, void *user_data)
 {
 	struct media_endpoint *endpoint = user_data;
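Review bot: The membership test in the new `media_endpoint_remove()` no longer protects against a second removal. The old code returned without touching the endpoint when it was absent from `adapter->endpoints`, while the new not-found branch calls `media_endpoint_destroy()`, which ends in `g_free(endpoint)`. If any callee of `media_endpoint_destroy()` (for example `a2dp_remove_sep(endpoint->sep)`, whose body is not shown) can reach `media_endpoint_remove()` again for the same endpoint, the result is a double free instead of a no-op. I would keep `if (g_slist_find(adapter->endpoints, endpoint) == NULL) return;` here and let the list-teardown path call `media_endpoint_destroy()` directly, or at least collapse the two branches so `media_endpoint_destroy(endpoint);` appears once after the conditional log-and-unlink. A comment on `media_endpoint_destroy()` stating that it frees the endpoint and must run exactly once per endpoint would also help.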
@@ -413,9 +424,12 @@ static GDBusMethodTable media_methods[] = {
 static void path_free(void *data)
 {
 	struct media_adapter *adapter = data;
+	GSList *endpoints;
+
+	endpoints = adapter->endpoints;
+	adapter->endpoints = NULL;
 
-	g_slist_free_full(adapter->endpoints,
-				(GDestroyNotify) media_endpoint_release);
+	g_slist_free_full(endpoints, (GDestroyNotify) media_endpoint_release);
 
 	dbus_connection_unref(adapter->conn);
 
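Review bot: Once `adapter->endpoints` is NULL, the `info("Endpoint unregistered: ...")` line in `media_endpoint_remove()` can no longer fire for endpoints released from `path_free()`, because the `g_slist_find()` there fails for every element and only the `DBG()` in `media_endpoint_destroy()` runs. This assumes `media_endpoint_release()`, which is not shown, ends up in `media_endpoint_remove()`, as the trace in the description suggests. If that message is used to follow endpoint lifetime in logs, adapter removal now drops it silently; either log from `path_free()` before the free or state in a comment that teardown is intentionally quiet. `path_free()` continues past the end of the hunk.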
-- 
1.7.6

