[PATCH] ofono: Fix crash in modem_update_interfaces

Wed, 29 Apr 2015 05:34:02 -0700 

modem_update_interfaces could crash if "org.ofono.ConnectionManager"
interface is removed right after it has been added, before GetContext
call completes (or if it fails):

connmand[5141]: plugins/ofono.c:modem_changed() /ril_0 Interfaces 0x05
connmand[5141]: plugins/ofono.c:modem_update_interfaces() /ril_0
connmand[5141]: plugins/ofono.c:api_added() cm added
connmand[5141]: plugins/ofono.c:get_properties() /ril_0 path /ril_0 
org.ofono.ConnectionManager
connmand[5141]: plugins/ofono.c:cm_get_contexts() /ril_0
connmand[5141]: plugins/ofono.c:cm_update_attached() /ril_0 Attached 1
connmand[5141]: plugins/ofono.c:modem_changed() /ril_0 Interfaces 0x01
connmand[5141]: plugins/ofono.c:modem_update_interfaces() /ril_0
connmand[5141]: plugins/ofono.c:api_removed() cm removed
==5141== Invalid read of size 4
==5141==    at 0x31FB4: modem_update_interfaces (ofono.c:2147)
==5141==    by 0x326F3: modem_changed (ofono.c:2214)
==5141==    by 0x82C0B: signal_filter (watch.c:407)
==5141==    by 0x82A4F: message_filter (watch.c:557)
==5141==    by 0x497AF4F: dbus_connection_dispatch (in 
/usr/lib/libdbus-1.so.3.7.12)
==5141==    by 0x8197F: message_dispatch (mainloop.c:72)
==5141==    by 0x48ABA8B: g_idle_dispatch (gmain.c:5251)
==5141==    by 0x48AFB1F: g_main_dispatch (gmain.c:3066)
==5141==    by 0x48AFB1F: g_main_context_dispatch (gmain.c:3642)
==5141==    by 0x48AFE23: g_main_context_iterate.part.19 (gmain.c:3713)
==5141==    by 0x48B048B: g_main_loop_run (gmain.c:3906)
==5141==    by 0x149D3: main (main.c:779)
==5141==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==5141==
==5141==
==5141== Process terminating with default action of signal 11 (SIGSEGV): 
dumping core
==5141==  Access not within mapped region at address 0x0
==5141==    at 0x31FB4: modem_update_interfaces (ofono.c:2147)
==5141==    by 0x326F3: modem_changed (ofono.c:2214)
==5141==    by 0x82C0B: signal_filter (watch.c:407)
==5141==    by 0x82A4F: message_filter (watch.c:557)
==5141==    by 0x497AF4F: dbus_connection_dispatch (in 
/usr/lib/libdbus-1.so.3.7.12)
==5141==    by 0x8197F: message_dispatch (mainloop.c:72)
==5141==    by 0x48ABA8B: g_idle_dispatch (gmain.c:5251)
==5141==    by 0x48AFB1F: g_main_dispatch (gmain.c:3066)
==5141==    by 0x48AFB1F: g_main_context_dispatch (gmain.c:3642)
==5141==    by 0x48AFE23: g_main_context_iterate.part.19 (gmain.c:3713)
==5141==    by 0x48B048B: g_main_loop_run (gmain.c:3906)
==5141==    by 0x149D3: main (main.c:779)
---
 plugins/ofono.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/plugins/ofono.c b/plugins/ofono.c
index 5cd8302..267b3bd 100644
--- a/plugins/ofono.c
+++ b/plugins/ofono.c
@@ -2142,8 +2142,18 @@ static void modem_update_interfaces(struct modem_data 
*modem,
        if (api_added(old_ifaces, new_ifaces, OFONO_API_CDMA_NETREG))
                cdma_netreg_get_properties(modem);
 
-       if (api_removed(old_ifaces, new_ifaces, OFONO_API_CM))
-               remove_cm_context(modem, modem->context->path);
+       if (api_removed(old_ifaces, new_ifaces, OFONO_API_CM)) {
+               if (modem->call_get_contexts) {
+                       DBG("cancelling pending GetContexts call");
+                       dbus_pending_call_cancel(modem->call_get_contexts);
+                       dbus_pending_call_unref(modem->call_get_contexts);
+                       modem->call_get_contexts = NULL;
+               }
+               if (modem->context) {
+                       DBG("removing context %s", modem->context->path);
+                       remove_cm_context(modem, modem->context->path);
+               }
+       }
 
        if (api_removed(old_ifaces, new_ifaces, OFONO_API_CDMA_CM))
                remove_cm_context(modem, modem->context->path);
-- 
1.8.3.2

_______________________________________________
connman mailing list
connman@connman.net
https://lists.connman.net/mailman/listinfo/connman

Reply via email to