[PW_SID:655654] obexd: fix crashed after cancel the on-going transfer

[BluezTestBot]

There is a use after released.transfer->req_id different
obex->pending_req->id,See the following log,
The packages is removd in cancel_complete func
are not the same package in req_timeout func,
but transfer pointer is released.

log:
g_obex_cancel_req()
transfer->req_id 23 id 22 obex->pending_req(0x55b642c3e100)

g_obex_cancel_req()
match->data (0x55b642c344a0)

g_obex_ref() ref 4

cancel_complete()
pending req timeout 176 id 22 obex(0x55b642c3e100)

transfer_response()
obex 0x55b642c36480 transfer(0x55b642c3d000)

g_obex_drop_tx_queue()

g_obex_unref() obex 0x55b642c36480
g_obex_unref() ref 3

transfer_free()
obex 0x55b642c36480 transfer 0x55b642c3d000

g_obex_unref() obex 0x55b642c36480
g_obex_unref() ref 2

pending_pkt_free()
timeout_id 0 pending_pkt (0x55b642c344a0)

step:
[obex]# connect 28:33:34:1E:96:98
Attempting to connect to 28:33:34:1E:96:98
[NEW] Session /org/bluez/obex/client/session2 [default]
[NEW] ObjectPush /org/bluez/obex/client/session2
Connection successful
[28:33:34:1E:96:98]# send /home/uos/Desktop/systemd.zip
Attempting to send /home/uos/Desktop/systemd.zip
[NEW] Transfer /org/bluez/obex/client/session2/transfer2
Transfer /org/bluez/obex/client/session2/transfer2
Status: queued
Name: systemd.zip
Size: 33466053
Filename: /home/uos/Desktop/systemd.zip
Session: /org/bluez/obex/client/session2
[CHG] Transfer /org/bluez/obex/client/session2/transfer2
[CHG] Transfer /org/bluez/obex/client/session2/transfer2
[CHG] Transfer /org/bluez/obex/client/session2/transfer2
[CHG] Transfer /org/bluez/obex/client/session2/transfer2
[CHG] Transfer /org/bluez/obex/client/session2/transfer2
[CHG] Transfer /org/bluez/obex/client/session2/transfer2
[CHG] Transfer /org/bluez/obex/client/session2/transfer2
[CHG] Transfer /org/bluez/obex/client/session2/transfer2
[CHG] Transfer /org/bluez/obex/client/session2/transfer2
[CHG] Transfer /org/bluez/obex/client/session2/transfer2
[CHG] Transfer /org/bluez/obex/client/session2/transfer2
[CHG] Transfer /org/bluez/obex/client/session2/transfer2
er2 33:34:1E:96:98]# cancel /org/bluez/obex/client/sessi
Attempting to cancel transfer /org/bluez/obex/client/s
Cancel successful

valgrind trace:
==11431== Invalid read of size 4
==11431== at 0x12B442: transfer_response ()
==11431== by 0x127764: req_timeout ()
==11431== by 0x49B8922: ??? ( )
==11431== by 0x49B7E97: g_main_context_dispatch ()
==11431== by 0x49B8287: ??? (in )
==11431== by 0x49B8581: g_main_loop_run ()
==11431== by 0x121834: main (main.c:322)
==11431== Address 0x7344fa0 is 16 bytes inside a block of size
==11431== at 0x48369AB: free ()
==11431== by 0x12B459: transfer_response ()
==11431== by 0x127B3D: cancel_complete ()
==11431== by 0x49B7E97: g_main_context_dispatch ()
==11431== by 0x49B8287: ??? ()
==11431== by 0x49B8581: g_main_loop_run ()
==11431== by 0x121834: main (main.c:322)
==11431== Block was alloc'd at
==11431== at 0x4837B65: calloc ()
==11431== by 0x49BD9D8: g_malloc0 ()
==11431== by 0x12AB89: transfer_new ()
==11431== by 0x12B732: g_obex_put_req_pkt ()
==11431== by 0x12B732: g_obex_put_req_pkt ()
==11431== by 0x146982: transfer_start_put ()
==11431== by 0x146982: obc_transfer_start ()
==11431== by 0x13C5A7: session_process_transfer ()
==11431== by 0x13D248: session_process_queue ()
==11431== by 0x13D248: session_process_queue ()
==11431== by 0x13D2AF: session_process ()
==11431== by 0x49B7E97: g_main_context_dispatch ()
==11431== by 0x49B8287: ??? (i)
==11431== by 0x49B8581: g_main_loop_run ()
==11431== by 0x121834: main ()
==11431==
==11431== (action on error) vgdb me ...

gobex/gobex-transfer.c | 20 ++++++++------------
1 file changed, 8 insertions(+), 12 deletions(-)

[BluezTestBot]

CheckPatch
Test ID: checkpatch
Desc: Run checkpatch.pl script with rule in .checkpatch.conf
Duration: 1.71 seconds
Result: PASS

[BluezTestBot]

GitLint
Test ID: gitlint
Desc: Run gitlint with rule in .gitlint
Duration: 1.07 seconds
Result: PASS

[BluezTestBot]

Prep - Setup ELL
Test ID: setupell
Desc: Clone, build, and install ELL
Duration: 27.14 seconds
Result: PASS

[BluezTestBot]

Build - Prep
Test ID: buildprep
Desc: Prepare environment for build
Duration: 0.80 seconds
Result: PASS

[BluezTestBot]

Build - Configure
Test ID: build
Desc: Configure the BlueZ source tree
Duration: 8.53 seconds
Result: PASS

[BluezTestBot]

Build - Make
Test ID: buildmake
Desc: Build the BlueZ source tree
Duration: 96.42 seconds
Result: FAIL

Output:

tools/mgmt-tester.c: In function ‘main’:
tools/mgmt-tester.c:12426:5: note: variable tracking size limit exceeded with ‘-fvar-tracking-assignments’, retrying without
12426 | int main(int argc, char *argv[])
      |     ^~~~
gobex/gobex-transfer.c: In function ‘transfer_complete’:
gobex/gobex-transfer.c:97:2: error: ISO C90 forbids mixed declarations and code [-Werror=declaration-after-statement]
   97 |  guint id = transfer->id;
      |  ^~~~~
gobex/gobex-transfer.c: In function ‘transfer_response’:
gobex/gobex-transfer.c:187:8: error: unused variable ‘id’ [-Werror=unused-variable]
  187 |  guint id;
      |        ^~
cc1: all warnings being treated as errors
make[1]: *** [Makefile:8801: gobex/obexd-gobex-transfer.o] Error 1
make[1]: *** Waiting for unfinished jobs....
make: *** [Makefile:4324: all] Error 2

[BluezTestBot]

Make Check
Test ID: makecheck
Desc: Run 'make check'
Duration: 173.46 seconds
Result: FAIL

Output:

gobex/gobex-transfer.c: In function ‘transfer_complete’:
gobex/gobex-transfer.c:97:2: error: ISO C90 forbids mixed declarations and code [-Werror=declaration-after-statement]
   97 |  guint id = transfer->id;
      |  ^~~~~
gobex/gobex-transfer.c: In function ‘transfer_response’:
gobex/gobex-transfer.c:187:8: error: unused variable ‘id’ [-Werror=unused-variable]
  187 |  guint id;
      |        ^~
cc1: all warnings being treated as errors
make[1]: *** [Makefile:7300: gobex/gobex-transfer.o] Error 1
make: *** [Makefile:11320: check] Error 2

[BluezTestBot]

Make Check w/Valgrind
Test ID: makecheckvalgrind
Desc: Run 'make check' with Valgrind
Duration: 77.25 seconds
Result: FAIL

Output:

tools/mgmt-tester.c: In function ‘main’:
tools/mgmt-tester.c:12426:5: note: variable tracking size limit exceeded with ‘-fvar-tracking-assignments’, retrying without
12426 | int main(int argc, char *argv[])
      |     ^~~~
gobex/gobex-transfer.c: In function ‘transfer_complete’:
gobex/gobex-transfer.c:97:2: error: ISO C90 forbids mixed declarations and code [-Werror=declaration-after-statement]
   97 |  guint id = transfer->id;
      |  ^~~~~
gobex/gobex-transfer.c: In function ‘transfer_response’:
gobex/gobex-transfer.c:187:8: error: unused variable ‘id’ [-Werror=unused-variable]
  187 |  guint id;
      |        ^~
cc1: all warnings being treated as errors
make[1]: *** [Makefile:8801: gobex/obexd-gobex-transfer.o] Error 1
make[1]: *** Waiting for unfinished jobs....
make: *** [Makefile:4324: all] Error 2

[BluezTestBot]

Make Distcheck
Test ID: makedistcheck
Desc: Run distcheck to check the distribution
Duration: 229.35 seconds
Result: PASS

[BluezTestBot]

Build w/ext ELL - Configure
Test ID: build_extell
Desc: Configure BlueZ source with '--enable-external-ell' configuration
Duration: 8.55 seconds
Result: PASS

[BluezTestBot]

Build w/ext ELL - Make
Test ID: build_extell_make
Desc: Build BlueZ source with '--enable-external-ell' configuration
Duration: 34.65 seconds
Result: FAIL

Output:

gobex/gobex-transfer.c: In function ‘transfer_complete’:
gobex/gobex-transfer.c:97:2: error: ISO C90 forbids mixed declarations and code [-Werror=declaration-after-statement]
   97 |  guint id = transfer->id;
      |  ^~~~~
gobex/gobex-transfer.c: In function ‘transfer_response’:
gobex/gobex-transfer.c:187:8: error: unused variable ‘id’ [-Werror=unused-variable]
  187 |  guint id;
      |        ^~
cc1: all warnings being treated as errors
make[1]: *** [Makefile:8801: gobex/obexd-gobex-transfer.o] Error 1
make[1]: *** Waiting for unfinished jobs....
make: *** [Makefile:4324: all] Error 2

[BluezTestBot]

Incremental Build w/ patches
Test ID: incremental_build
Desc: Incremental build per patch in the series
Duration: 0.00 seconds
Result: PASS

[BluezTestBot]

Scan Build
Test ID: scan_build
Desc: Run Scan Build with patches
Duration: 466.61 seconds
Result: FAIL

Output:

gobex/gobex-transfer.c: In function ‘transfer_complete’:
gobex/gobex-transfer.c:97:2: error: ISO C90 forbids mixed declarations and code [-Werror=declaration-after-statement]
   97 |  guint id = transfer->id;
      |  ^~~~~
gobex/gobex-transfer.c: In function ‘transfer_response’:
gobex/gobex-transfer.c:187:8: error: unused variable ‘id’ [-Werror=unused-variable]
  187 |  guint id;
      |        ^~
cc1: all warnings being treated as errors
make[1]: *** [Makefile:7300: gobex/gobex-transfer.o] Error 1
make: *** [Makefile:4324: all] Error 2