authorAleksander Morgado <aleksander@aleksander.es>2016-10-28 00:30:45 +0200
committerAleksander Morgado <aleksander@aleksander.es>2016-10-28 00:37:49 +0200
commit0148e81aa978a5d94ef2e9ddf8adfefa7ce2ef3f (patch)
tree7ad89f5be456dd1339236110094342eff09fcb6e
parentc1442b3a7fedd8b713136cd2598a210549508cdf (diff)
libqmi-glib,device: make sure transaction ids are unique
Otherwise, we may end up with transactions timing out and segfaulting as they aren't found in the tracking table (e.g. if the replacing transaction finishes before the timeout of the replaced transaction is fired off). ==573== Command: /usr/libexec/qmi-proxy --no-exit --verbose ==573== Parent PID: 567 ==573== ==573== Invalid write of size 8 ==573== at 0x4E9A07A: transaction_timed_out (qmi-device.c:248) ==573== by 0x5D24EB2: ??? (in /usr/lib/libglib-2.0.so.0.5000.1) ==573== by 0x5D24439: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.5000.1) ==573== by 0x5D247EF: ??? (in /usr/lib/libglib-2.0.so.0.5000.1) ==573== by 0x5D24B11: g_main_loop_run (in /usr/lib/libglib-2.0.so.0.5000.1) ==573== by 0x40139D: main (qmi-proxy.c:220) ==573== Address 0x10 is not stack'd, malloc'd or (recently) free'd ==573== ==573== ==573== Process terminating with default action of signal 11 (SIGSEGV): dumping core ==573== Access not within mapped region at address 0x10 ==573== at 0x4E9A07A: transaction_timed_out (qmi-device.c:248) ==573== by 0x5D24EB2: ??? (in /usr/lib/libglib-2.0.so.0.5000.1) ==573== by 0x5D24439: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.5000.1) ==573== by 0x5D247EF: ??? (in /usr/lib/libglib-2.0.so.0.5000.1) ==573== by 0x5D24B11: g_main_loop_run (in /usr/lib/libglib-2.0.so.0.5000.1) ==573== by 0x40139D: main (qmi-proxy.c:220) ==573== If you believe this happened as a result of a stack ==573== overflow in your program's main thread (unlikely but ==573== possible), you can try to increase the size of the ==573== main thread stack using the --main-stacksize= flag. ==573== The main thread stack size used in this run was 8388608.
-rw-r--r--src/libqmi-glib/qmi-device.c19
1 files changed, 18 insertions, 1 deletions
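diff --git a/src/libqmi-glib/qmi-device.c b/src/libqmi-glib/qmi-device.c
index c2f41c6..eb15626 100644
--- a/src/libqmi-glib/qmi-device.c
+++ b/src/libqmi-glib/qmi-device.c
@@ -281,7 +281,8 @@ device_store_transaction (QmiDevice *self,
 guint timeout,
 GError **error)
 {
- gpointer key;
+ gpointer key;
+ Transaction *existing;
 if (G_UNLIKELY (!self->priv->transactions))
 self->priv->transactions = g_hash_table_new (g_direct_hash,
@@ -317,6 +318,22 @@ device_store_transaction (QmiDevice *self,
 }
 }
+ /* If we have already a transaction with the same ID complete the existing
+ * one with an error before the new one is added, or we'll end up with
+ * dangling timeouts and cancellation handlers that may be fired off later
+ * on. */
+ existing = device_release_transaction (self, key);
+ if (existing) {
+ GError *inner_error;
+
+ /* Complete transaction with an abort error */
+ inner_error = g_error_new (QMI_PROTOCOL_ERROR,
+ QMI_PROTOCOL_ERROR_ABORTED,
+ "Transaction overwritten");
+ transaction_complete_and_free (existing, NULL, inner_error);
+ g_error_free (inner_error);
+ }
+
 /* Keep in the HT */
 g_hash_table_insert (self->priv->transactions, key, tr);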
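Review bot: The new block starting at `existing = device_release_transaction (self, key);` resolves an id collision by aborting the transaction that is still in flight, so its caller receives QMI_PROTOCOL_ERROR_ABORTED through no fault of its own; if the transaction id is taken from a wrapping counter (the assignment of `key` is outside the hunk), a long-lived pending request is evicted whenever the counter comes back around, and picking an id that is not already present in `self->priv->transactions` would avoid the collision rather than repair it. The eviction is also silent: a log line before `transaction_complete_and_free (existing, NULL, inner_error);`, e.g. `g_warning ("Transaction with the same id already in flight, aborting it");`, would make the condition visible when a timeout or crash like the one in the description is investigated. The fix relies on device_release_transaction detaching the timeout source and cancellable handler the comment mentions, which the hunk does not show; if it only drops the table entry, transaction_complete_and_free must do that detaching itself or the dangling callbacks remain. device_store_transaction begins before the first hunk and its tail after the insert lies beyond the section.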