Calling __connman_wispr_stop() without connman_agent_cancel() allows pending
wispr requests to complete later which results in a read/write access to the
freed memory and a subsequent crash.
Calling connman_agent_cancel() without __connman_wispr_stop() stops the wispr
sequence which renders the wispr context useless. That makes no sense either.
---
src/service.c | 2 +-
src/wispr.c | 2 ++
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/service.c b/src/service.c
index cbca669..1df9b57 100644
--- a/src/service.c
+++ b/src/service.c
@@ -6061,7 +6061,7 @@ int __connman_service_disconnect(struct connman_service
*service)
service->connect_reason = CONNMAN_SERVICE_CONNECT_REASON_NONE;
service->proxy = CONNMAN_SERVICE_PROXY_METHOD_UNKNOWN;
- connman_agent_cancel(service);
+ __connman_wispr_stop(service);
reply_pending(service, ECONNABORTED);
diff --git a/src/wispr.c b/src/wispr.c
index dcce93c..e5a7ddc 100644
--- a/src/wispr.c
+++ b/src/wispr.c
@@ -29,6 +29,7 @@
#include <gweb/gweb.h>
#include "connman.h"
+#include "agent.h"
#define STATUS_URL_IPV4 "http://ipv4.connman.net/online/status.html";
#define STATUS_URL_IPV6 "http://ipv6.connman.net/online/status.html";
@@ -972,6 +973,7 @@ void __connman_wispr_stop(struct connman_service *service)
if (index < 0)
return;
+ connman_agent_cancel(service);
g_hash_table_remove(wispr_portal_list, GINT_TO_POINTER(index));
}
--
1.8.3.2
_______________________________________________
connman mailing list
[email protected]
https://lists.connman.net/mailman/listinfo/connman
