* [PATCH BlueZ 1/3] Fix possible invalid read/free on manager.c
@ 2011-07-11 9:10 Luiz Augusto von Dentz
From: Luiz Augusto von Dentz @ 2011-07-11 9:10 UTC (permalink / raw)
To: linux-bluetooth
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
==6091== Invalid read of size 4
==6091== at 0x178A20: adapter_get_address (string3.h:52)
==6091== by 0x174C28: adapter_cmp (manager.c:324)
==6091== by 0x4EA95B0: g_slist_find_custom (in /lib64/libglib-2.0.so.0.2908.0)
==6091== by 0x174ED9: manager_find_adapter (manager.c:333)
==6091== by 0x16ABFA: sdp_record_remove (sdpd-database.c:270)
==6091== by 0x16A4D6: remove_record_from_server (sdpd-service.c:286)
==6091== by 0x12A947: avrcp_unregister (control.c:972)
==6091== by 0x1208CC: avrcp_server_remove (manager.c:1066)
==6091== by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
==6091== by 0x178985: adapter_remove (adapter.c:2326)
==6091== by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
==6091== by 0x4EA984A: g_slist_free_full (in /lib64/libglib-2.0.so.0.2908.0)
==6091== Address 0x603ccd0 is 16 bytes inside a block of size 448 free'd
==6091== at 0x4A055FE: free (vg_replace_malloc.c:366)
==6091== by 0x4E938F2: g_free (in /lib64/libglib-2.0.so.0.2908.0)
==6091== by 0x11EB59: remove_interface (object.c:563)
==6091== by 0x11F380: g_dbus_unregister_interface (object.c:715)
==6091== by 0x1787EC: btd_adapter_unref (adapter.c:2496)
==6091== by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
==6091== by 0x4EA984A: g_slist_free_full (in /lib64/libglib-2.0.so.0.2908.0)
==6091== by 0x174E96: manager_cleanup (manager.c:301)
==6091== by 0x11CCE8: main (main.c:305)
==6091==
==6091== Invalid read of size 2
==6091== at 0x178A25: adapter_get_address (string3.h:52)
==6091== by 0x174C28: adapter_cmp (manager.c:324)
==6091== by 0x4EA95B0: g_slist_find_custom (in /lib64/libglib-2.0.so.0.2908.0)
==6091== by 0x174ED9: manager_find_adapter (manager.c:333)
==6091== by 0x16ABFA: sdp_record_remove (sdpd-database.c:270)
==6091== by 0x16A4D6: remove_record_from_server (sdpd-service.c:286)
==6091== by 0x12A947: avrcp_unregister (control.c:972)
==6091== by 0x1208CC: avrcp_server_remove (manager.c:1066)
==6091== by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
==6091== by 0x178985: adapter_remove (adapter.c:2326)
==6091== by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
==6091== by 0x4EA984A: g_slist_free_full (in /lib64/libglib-2.0.so.0.2908.0)
==6091== Address 0x603ccd4 is 20 bytes inside a block of size 448 free'd
==6091== at 0x4A055FE: free (vg_replace_malloc.c:366)
==6091== by 0x4E938F2: g_free (in /lib64/libglib-2.0.so.0.2908.0)
==6091== by 0x11EB59: remove_interface (object.c:563)
==6091== by 0x11F380: g_dbus_unregister_interface (object.c:715)
==6091== by 0x1787EC: btd_adapter_unref (adapter.c:2496)
==6091== by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
==6091== by 0x4EA984A: g_slist_free_full (in /lib64/libglib-2.0.so.0.2908.0)
==6091== by 0x174E96: manager_cleanup (manager.c:301)
==6091== by 0x11CCE8: main (main.c:305)
---
src/manager.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/src/manager.c b/src/manager.c
index a725588..8dde48c 100644
--- a/src/manager.c
+++ b/src/manager.c
@@ -298,9 +298,11 @@ static void manager_remove_adapter(struct btd_adapter *adapter)
void manager_cleanup(DBusConnection *conn, const char *path)
{
- g_slist_free_full(adapters, (GDestroyNotify) adapter_remove);
+ GSList *l = adapters;
adapters = NULL;
+ g_slist_free_full(l, (GDestroyNotify) adapter_remove);
+
btd_start_exit_timer();
g_dbus_unregister_interface(conn, "/", MANAGER_INTERFACE);
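Review bot: Nothing in manager_cleanup() records why `adapters` is cleared before g_slist_free_full() runs, yet that ordering is the whole fix. Per the trace, adapter_remove() re-enters manager_find_adapter() through sdp_record_remove(), which previously walked list nodes whose adapter had already been freed. I would add a comment above the new lines, e.g. `/* Detach the list first: adapter_remove() re-enters manager_find_adapter() */`. With the list detached those lookups presumably return NULL during teardown, so callers such as sdp_record_remove() must tolerate that; their handling is not visible here. The same comment is worth adding to the detach-then-free sequences in a2dp_unregister() (2/3) and path_free() (3/3); manager_cleanup() itself continues past this hunk.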
--
1.7.6
* [PATCH BlueZ 2/3] Fix possible invalid read/free on a2dp.c
@ 2011-07-11 9:10 ` Luiz Augusto von Dentz
From: Luiz Augusto von Dentz @ 2011-07-11 9:10 UTC (permalink / raw)
To: linux-bluetooth
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Invalid read of size 8
at 0x4EA8CC2: g_slice_free_chain_with_offset (in /lib64/libglib-2.0.so.0.2908.0)
by 0x13AEE3: path_free (media.c:412)
by 0x11EAF9: remove_interface (object.c:563)
by 0x11F320: g_dbus_unregister_interface (object.c:715)
by 0x120C09: media_server_remove (manager.c:1098)
by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
by 0x178845: adapter_remove (adapter.c:2326)
by 0x17528F: btd_manager_unregister_adapter (manager.c:293)
by 0x153FE1: device_event (hciops.c:2643)
by 0x154321: io_stack_event (hciops.c:2763)
by 0x4E8C88C: g_main_context_dispatch (in /lib64/libglib-2.0.so.0.2908.0)
by 0x4E8D087: ??? (in /lib64/libglib-2.0.so.0.2908.0)
Address 0x637fe18 is 8 bytes inside a block of size 16 free'd
at 0x4A055FE: free (vg_replace_malloc.c:366)
by 0x4E938F2: g_free (in /lib64/libglib-2.0.so.0.2908.0)
by 0x4EA854E: g_slice_free1 (in /lib64/libglib-2.0.so.0.2908.0)
by 0x4EA930C: g_slist_remove (in /lib64/libglib-2.0.so.0.2908.0)
by 0x13AE03: media_endpoint_remove (media.c:118)
by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
by 0x4EA984A: g_slist_free_full (in /lib64/libglib-2.0.so.0.2908.0)
by 0x13AEE3: path_free (media.c:412)
by 0x11EAF9: remove_interface (object.c:563)
by 0x11F320: g_dbus_unregister_interface (object.c:715)
by 0x120C09: media_server_remove (manager.c:1098)
by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
Invalid write of size 4
at 0x4A08D20: memset (mc_replace_strmem.c:751)
by 0x4EA8CAB: g_slice_free_chain_with_offset (in /lib64/libglib-2.0.so.0.2908.0)
by 0x13AEE3: path_free (media.c:412)
by 0x11EAF9: remove_interface (object.c:563)
by 0x11F320: g_dbus_unregister_interface (object.c:715)
by 0x120C09: media_server_remove (manager.c:1098)
by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
by 0x178845: adapter_remove (adapter.c:2326)
by 0x17528F: btd_manager_unregister_adapter (manager.c:293)
by 0x153FE1: device_event (hciops.c:2643)
by 0x154321: io_stack_event (hciops.c:2763)
by 0x4E8C88C: g_main_context_dispatch (in /lib64/libglib-2.0.so.0.2908.0)
Address 0x637fe10 is 0 bytes inside a block of size 16 free'd
at 0x4A055FE: free (vg_replace_malloc.c:366)
by 0x4E938F2: g_free (in /lib64/libglib-2.0.so.0.2908.0)
by 0x4EA854E: g_slice_free1 (in /lib64/libglib-2.0.so.0.2908.0)
by 0x4EA930C: g_slist_remove (in /lib64/libglib-2.0.so.0.2908.0)
by 0x13AE03: media_endpoint_remove (media.c:118)
by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
by 0x4EA984A: g_slist_free_full (in /lib64/libglib-2.0.so.0.2908.0)
by 0x13AEE3: path_free (media.c:412)
by 0x11EAF9: remove_interface (object.c:563)
by 0x11F320: g_dbus_unregister_interface (object.c:715)
by 0x120C09: media_server_remove (manager.c:1098)
by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
Invalid write of size 4
at 0x4A08D2B: memset (mc_replace_strmem.c:751)
by 0x4EA8CAB: g_slice_free_chain_with_offset (in /lib64/libglib-2.0.so.0.2908.0)
by 0x13AEE3: path_free (media.c:412)
by 0x11EAF9: remove_interface (object.c:563)
by 0x11F320: g_dbus_unregister_interface (object.c:715)
by 0x120C09: media_server_remove (manager.c:1098)
by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
by 0x178845: adapter_remove (adapter.c:2326)
by 0x17528F: btd_manager_unregister_adapter (manager.c:293)
by 0x153FE1: device_event (hciops.c:2643)
by 0x154321: io_stack_event (hciops.c:2763)
by 0x4E8C88C: g_main_context_dispatch (in /lib64/libglib-2.0.so.0.2908.0)
Address 0x637fe18 is 8 bytes inside a block of size 16 free'd
at 0x4A055FE: free (vg_replace_malloc.c:366)
by 0x4E938F2: g_free (in /lib64/libglib-2.0.so.0.2908.0)
by 0x4EA854E: g_slice_free1 (in /lib64/libglib-2.0.so.0.2908.0)
by 0x4EA930C: g_slist_remove (in /lib64/libglib-2.0.so.0.2908.0)
by 0x13AE03: media_endpoint_remove (media.c:118)
by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
by 0x4EA984A: g_slist_free_full (in /lib64/libglib-2.0.so.0.2908.0)
by 0x13AEE3: path_free (media.c:412)
by 0x11EAF9: remove_interface (object.c:563)
by 0x11F320: g_dbus_unregister_interface (object.c:715)
by 0x120C09: media_server_remove (manager.c:1098)
by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
Invalid free() / delete / delete[]
at 0x4A055FE: free (vg_replace_malloc.c:366)
by 0x4E938F2: g_free (in /lib64/libglib-2.0.so.0.2908.0)
by 0x4EA8CB3: g_slice_free_chain_with_offset (in /lib64/libglib-2.0.so.0.2908.0)
by 0x13AEE3: path_free (media.c:412)
by 0x11EAF9: remove_interface (object.c:563)
by 0x11F320: g_dbus_unregister_interface (object.c:715)
by 0x120C09: media_server_remove (manager.c:1098)
by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
by 0x178845: adapter_remove (adapter.c:2326)
by 0x17528F: btd_manager_unregister_adapter (manager.c:293)
by 0x153FE1: device_event (hciops.c:2643)
by 0x154321: io_stack_event (hciops.c:2763)
Address 0x637fe10 is 0 bytes inside a block of size 16 free'd
at 0x4A055FE: free (vg_replace_malloc.c:366)
by 0x4E938F2: g_free (in /lib64/libglib-2.0.so.0.2908.0)
by 0x4EA854E: g_slice_free1 (in /lib64/libglib-2.0.so.0.2908.0)
by 0x4EA930C: g_slist_remove (in /lib64/libglib-2.0.so.0.2908.0)
by 0x13AE03: media_endpoint_remove (media.c:118)
by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
by 0x4EA984A: g_slist_free_full (in /lib64/libglib-2.0.so.0.2908.0)
by 0x13AEE3: path_free (media.c:412)
by 0x11EAF9: remove_interface (object.c:563)
by 0x11F320: g_dbus_unregister_interface (object.c:715)
by 0x120C09: media_server_remove (manager.c:1098)
by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
---
audio/a2dp.c | 11 ++++++++---
1 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/audio/a2dp.c b/audio/a2dp.c
index 72a0df5..8f32fdb 100644
--- a/audio/a2dp.c
+++ b/audio/a2dp.c
@@ -1595,14 +1595,19 @@ static void a2dp_unregister_sep(struct a2dp_sep *sep)
void a2dp_unregister(const bdaddr_t *src)
{
struct a2dp_server *server;
+ GSList *sources, *sinks;
server = find_server(servers, src);
if (!server)
return;
- g_slist_free_full(server->sinks, (GDestroyNotify) a2dp_unregister_sep);
- g_slist_free_full(server->sources,
- (GDestroyNotify) a2dp_unregister_sep);
+ sinks = server->sinks;
+ server->sinks = NULL;
+ g_slist_free_full(sinks, (GDestroyNotify) a2dp_unregister_sep);
+
+ sources = server->sources;
+ server->sources = NULL;
+ g_slist_free_full(sources, (GDestroyNotify) a2dp_unregister_sep);
avdtp_exit(src);
--
1.7.6
* [PATCH BlueZ 3/3] Fix possible invalid read/free on media.c
@ 2011-07-11 9:10 ` Luiz Augusto von Dentz
From: Luiz Augusto von Dentz @ 2011-07-11 9:10 UTC (permalink / raw)
To: linux-bluetooth
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Invalid read of size 8
at 0x4EA8CC2: g_slice_free_chain_with_offset (in /lib64/libglib-2.0.so.0.2908.0)
by 0x13AF33: path_free (media.c:417)
by 0x11EB39: remove_interface (object.c:563)
by 0x11F360: g_dbus_unregister_interface (object.c:715)
by 0x120C49: media_server_remove (manager.c:1098)
by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
by 0x178915: adapter_remove (adapter.c:2326)
by 0x17535F: btd_manager_unregister_adapter (manager.c:293)
by 0x154081: device_event (hciops.c:2643)
by 0x1543C1: io_stack_event (hciops.c:2763)
by 0x4E8C88C: g_main_context_dispatch (in /lib64/libglib-2.0.so.0.2908.0)
by 0x4E8D087: ??? (in /lib64/libglib-2.0.so.0.2908.0)
Address 0x63f6638 is 8 bytes inside a block of size 16 free'd
at 0x4A055FE: free (vg_replace_malloc.c:366)
by 0x4E938F2: g_free (in /lib64/libglib-2.0.so.0.2908.0)
by 0x4EA854E: g_slice_free1 (in /lib64/libglib-2.0.so.0.2908.0)
by 0x4EA930C: g_slist_remove (in /lib64/libglib-2.0.so.0.2908.0)
by 0x13AE53: media_endpoint_remove (media.c:118)
by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
by 0x4EA984A: g_slist_free_full (in /lib64/libglib-2.0.so.0.2908.0)
by 0x13AF33: path_free (media.c:417)
by 0x11EB39: remove_interface (object.c:563)
by 0x11F360: g_dbus_unregister_interface (object.c:715)
by 0x120C49: media_server_remove (manager.c:1098)
by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
Invalid write of size 4
at 0x4A08D20: memset (mc_replace_strmem.c:751)
by 0x4EA8CAB: g_slice_free_chain_with_offset (in /lib64/libglib-2.0.so.0.2908.0)
by 0x13AF33: path_free (media.c:417)
by 0x11EB39: remove_interface (object.c:563)
by 0x11F360: g_dbus_unregister_interface (object.c:715)
by 0x120C49: media_server_remove (manager.c:1098)
by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
by 0x178915: adapter_remove (adapter.c:2326)
by 0x17535F: btd_manager_unregister_adapter (manager.c:293)
by 0x154081: device_event (hciops.c:2643)
by 0x1543C1: io_stack_event (hciops.c:2763)
by 0x4E8C88C: g_main_context_dispatch (in /lib64/libglib-2.0.so.0.2908.0)
Address 0x63f6630 is 0 bytes inside a block of size 16 free'd
at 0x4A055FE: free (vg_replace_malloc.c:366)
by 0x4E938F2: g_free (in /lib64/libglib-2.0.so.0.2908.0)
by 0x4EA854E: g_slice_free1 (in /lib64/libglib-2.0.so.0.2908.0)
by 0x4EA930C: g_slist_remove (in /lib64/libglib-2.0.so.0.2908.0)
by 0x13AE53: media_endpoint_remove (media.c:118)
by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
by 0x4EA984A: g_slist_free_full (in /lib64/libglib-2.0.so.0.2908.0)
by 0x13AF33: path_free (media.c:417)
by 0x11EB39: remove_interface (object.c:563)
by 0x11F360: g_dbus_unregister_interface (object.c:715)
by 0x120C49: media_server_remove (manager.c:1098)
by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
Invalid write of size 4
at 0x4A08D2B: memset (mc_replace_strmem.c:751)
by 0x4EA8CAB: g_slice_free_chain_with_offset (in /lib64/libglib-2.0.so.0.2908.0)
by 0x13AF33: path_free (media.c:417)
by 0x11EB39: remove_interface (object.c:563)
by 0x11F360: g_dbus_unregister_interface (object.c:715)
by 0x120C49: media_server_remove (manager.c:1098)
by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
by 0x178915: adapter_remove (adapter.c:2326)
by 0x17535F: btd_manager_unregister_adapter (manager.c:293)
by 0x154081: device_event (hciops.c:2643)
by 0x1543C1: io_stack_event (hciops.c:2763)
by 0x4E8C88C: g_main_context_dispatch (in /lib64/libglib-2.0.so.0.2908.0)
Address 0x63f6638 is 8 bytes inside a block of size 16 free'd
at 0x4A055FE: free (vg_replace_malloc.c:366)
by 0x4E938F2: g_free (in /lib64/libglib-2.0.so.0.2908.0)
by 0x4EA854E: g_slice_free1 (in /lib64/libglib-2.0.so.0.2908.0)
by 0x4EA930C: g_slist_remove (in /lib64/libglib-2.0.so.0.2908.0)
by 0x13AE53: media_endpoint_remove (media.c:118)
by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
by 0x4EA984A: g_slist_free_full (in /lib64/libglib-2.0.so.0.2908.0)
by 0x13AF33: path_free (media.c:417)
by 0x11EB39: remove_interface (object.c:563)
by 0x11F360: g_dbus_unregister_interface (object.c:715)
by 0x120C49: media_server_remove (manager.c:1098)
by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
Invalid free() / delete / delete[]
at 0x4A055FE: free (vg_replace_malloc.c:366)
by 0x4E938F2: g_free (in /lib64/libglib-2.0.so.0.2908.0)
by 0x4EA8CB3: g_slice_free_chain_with_offset (in /lib64/libglib-2.0.so.0.2908.0)
by 0x13AF33: path_free (media.c:417)
by 0x11EB39: remove_interface (object.c:563)
by 0x11F360: g_dbus_unregister_interface (object.c:715)
by 0x120C49: media_server_remove (manager.c:1098)
by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
by 0x178915: adapter_remove (adapter.c:2326)
by 0x17535F: btd_manager_unregister_adapter (manager.c:293)
by 0x154081: device_event (hciops.c:2643)
by 0x1543C1: io_stack_event (hciops.c:2763)
Address 0x63f6630 is 0 bytes inside a block of size 16 free'd
at 0x4A055FE: free (vg_replace_malloc.c:366)
by 0x4E938F2: g_free (in /lib64/libglib-2.0.so.0.2908.0)
by 0x4EA854E: g_slice_free1 (in /lib64/libglib-2.0.so.0.2908.0)
by 0x4EA930C: g_slist_remove (in /lib64/libglib-2.0.so.0.2908.0)
by 0x13AE53: media_endpoint_remove (media.c:118)
by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
by 0x4EA984A: g_slist_free_full (in /lib64/libglib-2.0.so.0.2908.0)
by 0x13AF33: path_free (media.c:417)
by 0x11EB39: remove_interface (object.c:563)
by 0x11F360: g_dbus_unregister_interface (object.c:715)
by 0x120C49: media_server_remove (manager.c:1098)
by 0x4EA9826: g_slist_foreach (in /lib64/libglib-2.0.so.0.2908.0)
---
audio/media.c | 34 ++++++++++++++++++++++++----------
1 files changed, 24 insertions(+), 10 deletions(-)
diff --git a/audio/media.c b/audio/media.c
index 57bf7c9..7f93dfe 100644
--- a/audio/media.c
+++ b/audio/media.c
@@ -105,17 +105,11 @@ static void media_endpoint_cancel(struct media_endpoint *endpoint)
endpoint->request = NULL;
}
-static void media_endpoint_remove(struct media_endpoint *endpoint)
+static void media_endpoint_destroy(struct media_endpoint *endpoint)
{
struct media_adapter *adapter = endpoint->adapter;
- if (g_slist_find(adapter->endpoints, endpoint) == NULL)
- return;
-
- info("Endpoint unregistered: sender=%s path=%s", endpoint->sender,
- endpoint->path);
-
- adapter->endpoints = g_slist_remove(adapter->endpoints, endpoint);
+ DBG("sender=%s path=%s", endpoint->sender, endpoint->path);
if (endpoint->sep)
a2dp_remove_sep(endpoint->sep);
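Review bot: media_endpoint_destroy() now frees the endpoint without unlinking it from adapter->endpoints, and nothing at its definition says so. A direct call on an endpoint that is still linked would leave a dangling pointer in the list, which is the same class of error this series fixes. A one-line header comment would document the contract, e.g. `/* Frees endpoint; caller must already have unlinked it from adapter->endpoints */`. Most of the function body lies outside this hunk.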
@@ -137,6 +131,23 @@ static void media_endpoint_remove(struct media_endpoint *endpoint)
g_free(endpoint);
}
+static void media_endpoint_remove(struct media_endpoint *endpoint)
+{
+ struct media_adapter *adapter = endpoint->adapter;
+
+ if (g_slist_find(adapter->endpoints, endpoint) == NULL) {
+ media_endpoint_destroy(endpoint);
+ return;
+ }
+
+ info("Endpoint unregistered: sender=%s path=%s", endpoint->sender,
+ endpoint->path);
+
+ adapter->endpoints = g_slist_remove(adapter->endpoints, endpoint);
+
+ media_endpoint_destroy(endpoint);
+}
+
static void media_endpoint_exit(DBusConnection *connection, void *user_data)
{
struct media_endpoint *endpoint = user_data;
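Review bot: The early-return branch of the new media_endpoint_remove() destroys an endpoint that is not in adapter->endpoints, so the membership test now guards only the log line. A second call on the same pointer would therefore reach g_free(endpoint) again, where the old code returned at the list check; whether any caller does this is not visible in the hunk. Both branches end in media_endpoint_destroy(), so a conditional unlink followed by a single destroy call reads more clearly and keeps the behaviour. It would also help to state in a comment that the function must be called at most once per endpoint. media_endpoint_exit(), which follows, continues outside the hunk.

```c
static void media_endpoint_remove(struct media_endpoint *endpoint)
{
	struct media_adapter *adapter = endpoint->adapter;

	/* Unlink and log only while still registered; destroy either way.
	 * Must be called at most once per endpoint. */
	if (g_slist_find(adapter->endpoints, endpoint) != NULL) {
		info("Endpoint unregistered: sender=%s path=%s",
					endpoint->sender, endpoint->path);
		adapter->endpoints = g_slist_remove(adapter->endpoints,
								endpoint);
	}

	media_endpoint_destroy(endpoint);
}
```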
@@ -413,9 +424,12 @@ static GDBusMethodTable media_methods[] = {
static void path_free(void *data)
{
struct media_adapter *adapter = data;
+ GSList *endpoints;
+
+ endpoints = adapter->endpoints;
+ adapter->endpoints = NULL;
- g_slist_free_full(adapter->endpoints,
- (GDestroyNotify) media_endpoint_release);
+ g_slist_free_full(endpoints, (GDestroyNotify) media_endpoint_release);
dbus_connection_unref(adapter->conn);
--
1.7.6