[PATCH obexd] Fix crash on error in agent_request

linux-bluetooth.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH obexd] Fix crash on error in agent_request_reply
@ 2011-10-28 10:21 Slawomir Bochenski
  2011-10-28 11:07 ` Johan Hedberg
  0 siblings, 1 reply; 2+ messages in thread
From: Slawomir Bochenski @ 2011-10-28 10:21 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: Slawomir Bochenski

This fixes regression introduced by
63becff48820dc50a30ae495e286e858a886d9dd, causing obex-client to crash
in cases of e.g. remote site rejecting pushed file.

The req->function set by user of agent API may request agent object
deletion. This in turn checks if agent->pending is set and if it is,
it tries to cancel the pending call and frees pending call data. As at
this point we are already handling call response and we are going to
free this pending call data, agent->pending can be set to NULL prior to
calling req->function, thus preventing premature freeing of later
dereferenced req.
---
 client/agent.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/client/agent.c b/client/agent.c
index aa93db3..929a05f 100644
--- a/client/agent.c
+++ b/client/agent.c
@@ -114,11 +114,12 @@ static void agent_request_reply(DBusPendingCall *call, void *user_data)
 	struct obc_agent *agent = user_data;
 	struct pending_request *req = agent->pending;
 
+	agent->pending = NULL;
+
 	if (req->function)
 		req->function(call, req->data);
 
 	pending_request_free(req);
-	agent->pending = NULL;
 }
 
 int obc_agent_request(struct obc_agent *agent, const char *path,
-- 
1.7.4.1


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH obexd] Fix crash on error in agent_request_reply
  2011-10-28 10:21 [PATCH obexd] Fix crash on error in agent_request_reply Slawomir Bochenski
@ 2011-10-28 11:07 ` Johan Hedberg
  0 siblings, 0 replies; 2+ messages in thread
From: Johan Hedberg @ 2011-10-28 11:07 UTC (permalink / raw)
  To: Slawomir Bochenski; +Cc: linux-bluetooth

Hi Slawek,

On Fri, Oct 28, 2011, Slawomir Bochenski wrote:
> This fixes regression introduced by
> 63becff48820dc50a30ae495e286e858a886d9dd, causing obex-client to crash
> in cases of e.g. remote site rejecting pushed file.
> 
> The req->function set by user of agent API may request agent object
> deletion. This in turn checks if agent->pending is set and if it is,
> it tries to cancel the pending call and frees pending call data. As at
> this point we are already handling call response and we are going to
> free this pending call data, agent->pending can be set to NULL prior to
> calling req->function, thus preventing premature freeing of later
> dereferenced req.
> ---
>  client/agent.c |    3 ++-
>  1 files changed, 2 insertions(+), 1 deletions(-)

Applied. Thanks.

Johan

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2011-10-28 11:07 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-10-28 10:21 [PATCH obexd] Fix crash on error in agent_request_reply Slawomir Bochenski
2011-10-28 11:07 ` Johan Hedberg

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).