Mantis - obex-data-server
Advanced view
ID: 491 | Category: General | Severity: crash | Reproducibility: always | Date submitted: 2010-10-25 07:01 | Last update: 2010-10-25 08:44
Reporter: ulidtko
Assigned to: skirsdeda
Priority: normal
Status: assigned
Resolution: open
none
none
0000491: Segmentation fault, caused by double-finalizing obex_t contexts in failed usb sessions
When `ods_obex_setup_usbtransport()` fails to bring up the interface, it `OBEX_Cleanup()`s the created OBEX context. Afterwards, when freeing the session in `ods_session_finalize()`, the context gets `OBEX_Cleanup()`ed again, resulting in double-frees and SIGSEGV.

The following patch is not a solution, but rather a workaround to avoid crashes. It relies on `OBEX_Cleanup()` handling NULLs gracefully.

Index: src/ods-obex.c
===================================================================
--- src/ods-obex.c (revision 3050)
+++ src/ods-obex.c (working copy)
@@ -429,7 +429,10 @@
 
 err:
     if (obex_context->obex_handle)
+ {
         OBEX_Cleanup (obex_context->obex_handle);
+ obex_context->obex_handle = NULL;
+ }
     return FALSE;
 }
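Review bot: clearing the pointer only in the USB error path leaves the same create-then-cleanup pattern unguarded in ods_obex_setup_fdtransport() (note 0001389 below already points this out), and as the description says, the workaround still depends on OBEX_Cleanup() tolerating a NULL handle. A more robust change is to store NULL after every OBEX_Cleanup() in the setup error paths and to guard the second caller, ods_session_finalize() (ods-session.c:1052 in the trace), with `if (obex_context->obex_handle)` before it calls OBEX_Cleanup(), so the session never releases a handle it no longer owns. Style: the added `{`, `obex_context->obex_handle = NULL;` and `}` lines are not indented to the enclosing four-space block.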
Valgrind session, without the patch:

obex-data-server 0.4.6svn
Using Session bus
Session created by: :1.711
session_connect_result_cb
session closed
Removing listened DBUS name :1.711 (object: /org/openobex/session0)
Removed from listened DBUS names list
==32417== Invalid read of size 4
==32417== at 0x426BCE4: obex_transport_disconnect_request (obex_transport.c:244)
==32417== by 0x426598C: OBEX_Cleanup (obex.c:228)
==32417== by 0x8063315: ods_session_finalize (ods-session.c:1052)
==32417== by 0x4054653: g_object_unref (gobject.c:2695)
==32417== by 0x4058CB0: g_object_set_valist (gobject.c:1696)
==32417== by 0x4059075: g_object_set (gobject.c:1795)
==32417== by 0x805415D: ods_manager_create_usb_session (ods-manager.c:870)
==32417== by 0x41E2DDE: ??? (in /usr/lib/libdbus-glib-1.so.2.1.0)
==32417== by 0x41E338D: ??? (in /usr/lib/libdbus-glib-1.so.2.1.0)
==32417== by 0x4214F5D: ??? (in /lib/libdbus-1.so.3.5.2)
==32417== by 0x4206EB6: dbus_connection_dispatch (in /lib/libdbus-1.so.3.5.2)
==32417== by 0x41DF39C: ??? (in /usr/lib/libdbus-glib-1.so.2.1.0)
==32417== Address 0x458f794 is 52 bytes inside a block of size 252 free'd
==32417== at 0x40257ED: free (vg_replace_malloc.c:366)
==32417== by 0x42659DD: OBEX_Cleanup (obex.c:238)
==32417== by 0x8056D1E: ods_obex_setup_usbtransport (ods-obex.c:432)
==32417== by 0x80620C1: ods_session_set_property (ods-session.c:766)
==32417== by 0x4058959: g_object_set_valist (gobject.c:1174)
==32417== by 0x4059075: g_object_set (gobject.c:1795)
==32417== by 0x805415D: ods_manager_create_usb_session (ods-manager.c:870)
==32417== by 0x41E2DDE: ??? (in /usr/lib/libdbus-glib-1.so.2.1.0)
==32417== by 0x41E338D: ??? (in /usr/lib/libdbus-glib-1.so.2.1.0)
==32417== by 0x4214F5D: ??? (in /lib/libdbus-1.so.3.5.2)
==32417== by 0x4206EB6: dbus_connection_dispatch (in /lib/libdbus-1.so.3.5.2)
==32417== by 0x41DF39C: ??? (in /usr/lib/libdbus-glib-1.so.2.1.0)
==32417==
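The ownership mistake the report describes, reduced to a stand-alone C model. This is an added example, not obex-data-server code: a setup routine creates a handle, fails, releases the handle, and either leaves the dangling pointer in the session (the unpatched behaviour) or clears it (the patched behaviour); the session's finalize routine then releases whatever the session still points at. The library handle is replaced by a counter so the second release is observable instead of a crash. All names (fake_obex_t, session_t, setup_transport, run_session) are constructed for this example.

```c
/* Added example, not obex-data-server code.  Models the double-release bug
 * from the report with a counting stand-in for the OBEX handle.  All names
 * here (fake_obex_t, session_t, setup_transport, ...) are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* Stand-in for the library handle.  Instead of free()ing on cleanup (which
 * would make the second cleanup a real use-after-free), it records how many
 * times it was released so the outcome can be inspected. */
typedef struct {
    int releases;
} fake_obex_t;

static fake_obex_t *g_last_handle;   /* kept so the scenario can free() it */
static int g_double_releases;        /* handles released more than once */

static fake_obex_t *fake_obex_init(void)
{
    g_last_handle = calloc(1, sizeof *g_last_handle);
    return g_last_handle;
}

/* Mirrors the assumption in the report: a NULL handle is a no-op. */
static void fake_obex_cleanup(fake_obex_t *h)
{
    if (h == NULL)
        return;
    if (++h->releases > 1)
        g_double_releases++;   /* in the real library this is the double free */
}

typedef struct {
    fake_obex_t *obex_handle;
} session_t;

/* Transport setup.  With transport_ok == false it takes the error path from
 * the report; null_after_cleanup == true is the behaviour after the patch. */
static bool setup_transport(session_t *s, bool transport_ok, bool null_after_cleanup)
{
    s->obex_handle = fake_obex_init();
    if (s->obex_handle == NULL)
        return false;
    if (transport_ok)
        return true;

    /* err: path -- release the handle we just created */
    fake_obex_cleanup(s->obex_handle);
    if (null_after_cleanup)
        s->obex_handle = NULL;   /* drop the dangling pointer */
    return false;
}

/* Session teardown: releases whatever handle the session still owns.
 * Without the NULL store above it releases the already-freed handle. */
static void session_finalize(session_t *s)
{
    if (s->obex_handle) {
        fake_obex_cleanup(s->obex_handle);
        s->obex_handle = NULL;
    }
}

/* Runs one setup + finalize cycle and returns how many handles were released
 * twice (0 means no double free). */
int run_session(bool transport_ok, bool null_after_cleanup)
{
    session_t s = { NULL };

    g_double_releases = 0;
    g_last_handle = NULL;
    setup_transport(&s, transport_ok, null_after_cleanup);
    session_finalize(&s);
    free(g_last_handle);
    return g_double_releases;
}

int main(void)
{
    printf("failed setup, unpatched: %d double release(s)\n", run_session(false, false));
    printf("failed setup, patched:   %d double release(s)\n", run_session(false, true));
    printf("successful setup:        %d double release(s)\n", run_session(true, false));
    return 0;
}
```

The unpatched failed-setup run reports one double release, the patched run and the successful run report none. In the real daemon the second release is a free() of already-freed memory, which is exactly what the Valgrind trace above pins to `ods_session_finalize` reading a block freed by `ods_obex_setup_usbtransport`; running the binary under Valgrind is the quickest way to confirm that the fix removes the report.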
History
2010-10-25 07:01 ulidtko New Issue
2010-10-25 07:05 ulidtko Issue Monitored: ulidtko
2010-10-25 08:44 skirsdeda Note Added: 0001389
2010-10-25 08:44 skirsdeda Status new => assigned
2010-10-25 08:44 skirsdeda Assigned To => skirsdeda

Notes
(0001389)
skirsdeda   
2010-10-25 08:44   
Thanks for the bug report. The solution seems fine, it should probably be applied to ods_obex_setup_fdtransport() as well.