bluetooth_legacy: Handle network removal in the middle of enabling

If a Bluetooth connect is in progress when the network gets removed the following may happen: connmand[5092]: Aborting (signal 11) [src/connmand] connmand[5092]: ++++++++ backtrace ++++++++ connmand[5092]: #0 0x7f4066b8a260 in /lib/x86_64-linux-gnu/libc.so.6 connmand[5092]: #1 0x438950 in connman_device_get_ident() at src/device.c:555 connmand[5092]: #2 0x447301 in connman_service_lookup_from_network() at src/service.c:6421 connmand[5092]: #3 0x43aeb8 in set_connect_error() at src/network.c:1296 connmand[5092]: #4 0x43b97d in connman_network_set_connected() at src/network.c:1396 connmand[5092]: #5 0x4245f5 in connect_reply() at plugins/bluetooth_legacy.c:150 connmand[5092]: #6 0x7f40679fc512 in /lib/x86_64-linux-gnu/libdbus-1.so.3 connmand[5092]: #7 0x7f40679ff741 in /lib/x86_64-linux-gnu/libdbus-1.so.3 connmand[5092]: #8 0x47bbc8 in message_dispatch() at gdbus/mainloop.c:76 (discriminator 1) connmand[5092]: #9 0x7f4067c7ea03 in /lib/x86_64-linux-gnu/libglib-2.0.so.0 connmand[5092]: #10 0x7f4067c7dea6 in /lib/x86_64-linux-gnu/libglib-2.0.so.0 connmand[5092]: #11 0x7f4067c7e1f8 in /lib/x86_64-linux-gnu/libglib-2.0.so.0 connmand[5092]: #12 0x7f4067c7e5fa in /lib/x86_64-linux-gnu/libglib-2.0.so.0 connmand[5092]: #13 0x40f7a7 in main() at src/main.c:694 connmand[5092]: #14 0x7f4066b76995 in /lib/x86_64-linux-gnu/libc.so.6 Fix this by supplying the D-Bus path to the callback and looking up the network instead of providing the whole structure which can have been freed at the time of the callback.
sailfishos · Dec 3, 2013 · 0e2ee70 · 0e2ee70
1 parent 363393c
commit 0e2ee70
Showing 1 changed file with 16 additions and 4 deletions.
diff --git a/plugins/bluetooth_legacy.c b/plugins/bluetooth_legacy.c
@@ -98,12 +98,17 @@ static void pan_remove(struct connman_network *network)
 
 static void connect_reply(DBusPendingCall *call, void *user_data)
 {
-	struct connman_network *network = user_data;
+	char *path = user_data;
+	struct connman_network *network;
 	DBusMessage *reply;
 	DBusError error;
 	const char *interface = NULL;
 	int index;
 
+	network = g_hash_table_lookup(bluetooth_networks, path);
+	if (!network)
+		return;
+
 	DBG("network %p", network);
 
 	reply = dbus_pending_call_steal_reply(call);
@@ -187,7 +192,8 @@ static int pan_connect(struct connman_network *network)
 		return -EINVAL;
 	}
 
-	dbus_pending_call_set_notify(call, connect_reply, network, NULL);
+	dbus_pending_call_set_notify(call, connect_reply, g_strdup(path),
+			g_free);
 
 	dbus_message_unref(message);
 
@@ -196,10 +202,15 @@ static int pan_connect(struct connman_network *network)
 
 static void disconnect_reply(DBusPendingCall *call, void *user_data)
 {
-	struct connman_network *network = user_data;
+	char *path = user_data;
+	struct connman_network *network;
 	DBusMessage *reply;
 	DBusError error;
 
+	network = g_hash_table_lookup(bluetooth_networks, path);
+	if (!network)
+		return;
+
 	DBG("network %p", network);
 
 	reply = dbus_pending_call_steal_reply(call);
@@ -268,7 +279,8 @@ static int pan_disconnect(struct connman_network *network)
 
 	connman_network_set_associating(network, false);
 
-	dbus_pending_call_set_notify(call, disconnect_reply, network, NULL);
+	dbus_pending_call_set_notify(call, disconnect_reply, g_strdup(path),
+			g_free);
 
 	dbus_message_unref(message);