If a Bluetooth connect is in progress when the network gets removed
the following may happen:

connmand[5092]: Aborting (signal 11) [src/connmand]
connmand[5092]: ++++++++ backtrace ++++++++
connmand[5092]: #0  0x7f4066b8a260 in /lib/x86_64-linux-gnu/libc.so.6
connmand[5092]: #1  0x438950 in connman_device_get_ident() at src/device.c:555
connmand[5092]: #2  0x447301 in connman_service_lookup_from_network() at 
src/service.c:6421
connmand[5092]: #3  0x43aeb8 in set_connect_error() at src/network.c:1296
connmand[5092]: #4  0x43b97d in connman_network_set_connected() at 
src/network.c:1396
connmand[5092]: #5  0x4245f5 in connect_reply() at 
plugins/bluetooth_legacy.c:150
connmand[5092]: #6  0x7f40679fc512 in /lib/x86_64-linux-gnu/libdbus-1.so.3
connmand[5092]: #7  0x7f40679ff741 in /lib/x86_64-linux-gnu/libdbus-1.so.3
connmand[5092]: #8  0x47bbc8 in message_dispatch() at gdbus/mainloop.c:76 
(discriminator 1)
connmand[5092]: #9  0x7f4067c7ea03 in /lib/x86_64-linux-gnu/libglib-2.0.so.0
connmand[5092]: #10 0x7f4067c7dea6 in /lib/x86_64-linux-gnu/libglib-2.0.so.0
connmand[5092]: #11 0x7f4067c7e1f8 in /lib/x86_64-linux-gnu/libglib-2.0.so.0
connmand[5092]: #12 0x7f4067c7e5fa in /lib/x86_64-linux-gnu/libglib-2.0.so.0
connmand[5092]: #13 0x40f7a7 in main() at src/main.c:694
connmand[5092]: #14 0x7f4066b76995 in /lib/x86_64-linux-gnu/libc.so.6

Fix this by supplying the D-Bus path to the callback and looking up the
network from it, instead of passing the network structure itself, which
may already have been freed by the time the callback runs.
---
 plugins/bluetooth_legacy.c |   20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/plugins/bluetooth_legacy.c b/plugins/bluetooth_legacy.c
index c1c9fbd..c61356c 100644
--- a/plugins/bluetooth_legacy.c
+++ b/plugins/bluetooth_legacy.c
@@ -98,12 +98,17 @@ static void pan_remove(struct connman_network *network)
 
 static void connect_reply(DBusPendingCall *call, void *user_data)
 {
-       struct connman_network *network = user_data;
+       char *path = user_data;
+       struct connman_network *network;
        DBusMessage *reply;
        DBusError error;
        const char *interface = NULL;
        int index;
 
+       network = g_hash_table_lookup(bluetooth_networks, path);
+       if (!network)
+               return;
+
        DBG("network %p", network);
 
        reply = dbus_pending_call_steal_reply(call);
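Review bot: The early return when `g_hash_table_lookup(bluetooth_networks, path)` finds nothing leaves no trace in the log, so a reply that was dropped because the network went away is indistinguishable from a reply that never arrived; add `DBG("network %s gone, ignoring reply", path);` before the `return`. The same applies to the matching hunk in disconnect_reply. Keying the lookup by object path also means that a reply for an attempt on a since-removed network would be applied to a network re-created at the same path before the reply arrives; if that is possible with this plugin it deserves a comment above the lookup, e.g. `/* network may have been removed (or re-created) while the call was pending */`. The rest of connect_reply's body is outside the hunk.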
@@ -187,7 +192,8 @@ static int pan_connect(struct connman_network *network)
                return -EINVAL;
        }
 
-       dbus_pending_call_set_notify(call, connect_reply, network, NULL);
+       dbus_pending_call_set_notify(call, connect_reply, g_strdup(path),
+                       g_free);
 
        dbus_message_unref(message);
 
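Review bot: The return value of `dbus_pending_call_set_notify` is still ignored, and with `g_strdup(path)` as user data that now matters: if the call fails (libdbus returns FALSE on allocation failure) the copy is never handed to `g_free` and leaks, whereas the old code owned nothing. Keep the copy in a local and release it on failure, e.g. `char *copy = g_strdup(path);` / `if (!dbus_pending_call_set_notify(call, connect_reply, copy, g_free))` / `g_free(copy);`. The same pattern appears in the pan_disconnect hunk. Where `path` comes from and the rest of pan_connect are outside the hunk, so I am assuming it is the same object path used as the `bluetooth_networks` key.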
@@ -196,10 +202,15 @@ static int pan_connect(struct connman_network *network)
 
 static void disconnect_reply(DBusPendingCall *call, void *user_data)
 {
-       struct connman_network *network = user_data;
+       char *path = user_data;
+       struct connman_network *network;
        DBusMessage *reply;
        DBusError error;
 
+       network = g_hash_table_lookup(bluetooth_networks, path);
+       if (!network)
+               return;
+
        DBG("network %p", network);
 
        reply = dbus_pending_call_steal_reply(call);
@@ -268,7 +279,8 @@ static int pan_disconnect(struct connman_network *network)
 
        connman_network_set_associating(network, false);
 
-       dbus_pending_call_set_notify(call, disconnect_reply, network, NULL);
+       dbus_pending_call_set_notify(call, disconnect_reply, g_strdup(path),
+                       g_free);
 
        dbus_message_unref(message);
 
-- 
1.7.10.4
