On Wed, 2014-06-25 at 18:56 +0300, Slava Monich wrote: > Calling __connman_wispr_stop() without connman_agent_cancel() allows pending > wispr requests to complete later which results in a read/write access to the > freed memory and a subsequent crash.
Which freed memory is accessed here? > Calling connman_agent_cancel() without __connman_wispr_stop() stops the wispr > sequence which renders the wispr context useless. That makes no sense either. > --- > src/service.c | 2 +- > src/wispr.c | 2 ++ > 2 files changed, 3 insertions(+), 1 deletion(-) > > diff --git a/src/service.c b/src/service.c > index cbca669..1df9b57 100644 > --- a/src/service.c > +++ b/src/service.c > @@ -6061,7 +6061,7 @@ int __connman_service_disconnect(struct connman_service > *service) > service->connect_reason = CONNMAN_SERVICE_CONNECT_REASON_NONE; > service->proxy = CONNMAN_SERVICE_PROXY_METHOD_UNKNOWN; > > - connman_agent_cancel(service); > + __connman_wispr_stop(service); Cancelling the agent shall happen from service.c, do we have a wispr stop missing or in the wrong call path here? > reply_pending(service, ECONNABORTED); > > diff --git a/src/wispr.c b/src/wispr.c > index dcce93c..e5a7ddc 100644 > --- a/src/wispr.c > +++ b/src/wispr.c > @@ -29,6 +29,7 @@ > #include <gweb/gweb.h> > > #include "connman.h" > +#include "agent.h" > > #define STATUS_URL_IPV4 "http://ipv4.connman.net/online/status.html"; > #define STATUS_URL_IPV6 "http://ipv6.connman.net/online/status.html"; > @@ -972,6 +973,7 @@ void __connman_wispr_stop(struct connman_service *service) > if (index < 0) > return; > > + connman_agent_cancel(service); > g_hash_table_remove(wispr_portal_list, GINT_TO_POINTER(index)); > } No, we're not to call agent cancel from within wispr code. Cheers, Patrik _______________________________________________ connman mailing list [email protected] https://lists.connman.net/mailman/listinfo/connman
