[PATCH] service: cancel agent requests prior to deleting wispr context

Slava Monich Wed, 25 Jun 2014 08:57:15 -0700

Calling __connman_wispr_stop() without connman_agent_cancel() allows pending
wispr requests to complete later which results in a read/write access to the
freed memory and a subsequent crash.


Calling connman_agent_cancel() without __connman_wispr_stop() stops the wispr
sequence which renders the wispr context useless. That makes no sense either.
---
 src/service.c | 2 +-
 src/wispr.c   | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/service.c b/src/service.c
index cbca669..1df9b57 100644
--- a/src/service.c
+++ b/src/service.c
@@ -6061,7 +6061,7 @@ int __connman_service_disconnect(struct connman_service 
*service)
        service->connect_reason = CONNMAN_SERVICE_CONNECT_REASON_NONE;
        service->proxy = CONNMAN_SERVICE_PROXY_METHOD_UNKNOWN;
 
-       connman_agent_cancel(service);
+       __connman_wispr_stop(service);
 
        reply_pending(service, ECONNABORTED);
 
diff --git a/src/wispr.c b/src/wispr.c
index dcce93c..e5a7ddc 100644
--- a/src/wispr.c
+++ b/src/wispr.c
@@ -29,6 +29,7 @@
 #include <gweb/gweb.h>
 
 #include "connman.h"
+#include "agent.h"
 
 #define STATUS_URL_IPV4  "http://ipv4.connman.net/online/status.html";
 #define STATUS_URL_IPV6  "http://ipv6.connman.net/online/status.html";
@@ -972,6 +973,7 @@ void __connman_wispr_stop(struct connman_service *service)
        if (index < 0)
                return;
 
+       connman_agent_cancel(service);
        g_hash_table_remove(wispr_portal_list, GINT_TO_POINTER(index));
 }
 
-- 
1.8.3.2

_______________________________________________
connman mailing list
connman@connman.net
https://lists.connman.net/mailman/listinfo/connman

[PATCH] service: cancel agent requests prior to deleting wispr context

Reply via email to