Hi,
I ran into a nasty bug today.
Call OBEX_FreeInterfaces multiple times and it will try to free the
memory each time. That results in a "double free SEGV".
OBEX_FindInterfaces calls OBEX_FreeInterfaces to clear out old entries.
So if you free the struct returned from find when you are done with it
(like a good programmer will do) the next call to find will fail horribly.
Pointers to already freed memory are dangerous always.
With the patch OBEX_FreeInterfaces will set the pointer to NULL after
freeing the memory.
Both lacked parameter checking, too.
The patch is already applied to CVS.
cu,
Christian
Index: lib/obex.c
===================================================================
RCS file: /cvsroot/openobex/openobex/lib/obex.c,v
retrieving revision 1.46
retrieving revision 1.47
diff -u -r1.46 -r1.47
--- lib/obex.c 4 May 2006 11:24:21 -0000 1.46
+++ lib/obex.c 25 May 2006 18:09:41 -0000 1.47
@@ -6,7 +6,7 @@
* Status: Stable.
* Author: Dag Brattli <[EMAIL PROTECTED]>
* Created at: Sat Apr 17 16:50:25 1999
- * CVS ID: $Id: obex.c,v 1.46 2006/05/04 11:24:21 holtmann Exp $
+ * CVS ID: $Id: obex.c,v 1.47 2006/05/25 18:09:41 zany Exp $
*
* Copyright (c) 1999, 2000 Dag Brattli, All Rights Reserved.
* Copyright (c) 1999, 2000 Pontus Fuchs, All Rights Reserved.
@@ -1137,6 +1137,9 @@
int OBEX_FindInterfaces(obex_t *self, obex_interface_t **interfaces)
{
DEBUG(4, "\n");
+
+ obex_return_val_if_fail(self != NULL, -1);
+
OBEX_FreeInterfaces(self);
switch (self->trans.type) {
case OBEX_TRANS_USB:
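Review bot: the new `obex_return_val_if_fail(self != NULL, -1)` adds a negative error return to a function that otherwise returns `self->interfaces_number`, a count; the API documentation for OBEX_FindInterfaces should state that -1 means an invalid handle, so callers check the sign before using the result as a loop bound over the interface array.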
@@ -1147,7 +1150,8 @@
default:
break;
}
- *interfaces = self->interfaces;
+ if (interfaces)
+ *interfaces = self->interfaces;
return self->interfaces_number;
}
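Review bot: with `if (interfaces)` guarding the store, a NULL out-pointer is now silently accepted and the call still frees the old list and returns the count, so the caller gets what looks like a successful result without any way to reach the entries it just counted. If NULL is meant as a supported "refresh and count only" usage, document it next to the return value; otherwise reject it in the same way as the handle, with `obex_return_val_if_fail(interfaces != NULL, -1);` beside the self check.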
@@ -1160,10 +1164,15 @@
*/
void OBEX_FreeInterfaces(obex_t *self)
{
+ DEBUG(4, "\n");
+
+ obex_return_if_fail(self != NULL);
+
switch (self->trans.type) {
case OBEX_TRANS_USB:
#ifdef HAVE_USB
usbobex_free_interfaces(self->interfaces_number,
self->interfaces);
+ self->interfaces = NULL;
#endif
break;
default:
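Review bot: in the visible part of this hunk `self->interfaces` is set to NULL after the free, but `self->interfaces_number` keeps its old value, so the object is left holding a non-zero count with a NULL array; a repeated OBEX_FreeInterfaces call then passes that stale count and a NULL pointer to `usbobex_free_interfaces`, and the double free is avoided only if that helper tolerates NULL. Reset `self->interfaces_number = 0;` together with the pointer, and consider returning early when `self->interfaces == NULL` so the fix does not rely on the USB helper's NULL handling.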