From 0148e81aa978a5d94ef2e9ddf8adfefa7ce2ef3f Mon Sep 17 00:00:00 2001 From: Aleksander Morgado Date: Fri, 28 Oct 2016 00:30:45 +0200 Subject: libqmi-glib,device: make sure transaction ids are unique Otherwise, we may end up with transactions timing out and segfaulting as they aren't found in the tracking table (e.g. if the replacing transaction finishes before the timeout of the replaced transaction is fired off). ==573== Command: /usr/libexec/qmi-proxy --no-exit --verbose ==573== Parent PID: 567 ==573== ==573== Invalid write of size 8 ==573== at 0x4E9A07A: transaction_timed_out (qmi-device.c:248) ==573== by 0x5D24EB2: ??? (in /usr/lib/libglib-2.0.so.0.5000.1) ==573== by 0x5D24439: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.5000.1) ==573== by 0x5D247EF: ??? (in /usr/lib/libglib-2.0.so.0.5000.1) ==573== by 0x5D24B11: g_main_loop_run (in /usr/lib/libglib-2.0.so.0.5000.1) ==573== by 0x40139D: main (qmi-proxy.c:220) ==573== Address 0x10 is not stack'd, malloc'd or (recently) free'd ==573== ==573== ==573== Process terminating with default action of signal 11 (SIGSEGV): dumping core ==573== Access not within mapped region at address 0x10 ==573== at 0x4E9A07A: transaction_timed_out (qmi-device.c:248) ==573== by 0x5D24EB2: ??? (in /usr/lib/libglib-2.0.so.0.5000.1) ==573== by 0x5D24439: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.5000.1) ==573== by 0x5D247EF: ??? (in /usr/lib/libglib-2.0.so.0.5000.1) ==573== by 0x5D24B11: g_main_loop_run (in /usr/lib/libglib-2.0.so.0.5000.1) ==573== by 0x40139D: main (qmi-proxy.c:220) ==573== If you believe this happened as a result of a stack ==573== overflow in your program's main thread (unlikely but ==573== possible), you can try to increase the size of the ==573== main thread stack using the --main-stacksize= flag. ==573== The main thread stack size used in this run was 8388608. --- src/libqmi-glib/qmi-device.c | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) 
diff --git a/src/libqmi-glib/qmi-device.c b/src/libqmi-glib/qmi-device.c
index c2f41c6..eb15626 100644
--- a/src/libqmi-glib/qmi-device.c
+++ b/src/libqmi-glib/qmi-device.c
@@ -281,7 +281,8 @@ device_store_transaction (QmiDevice *self,
                           guint timeout,
                           GError **error)
 {
-    gpointer key;
+    gpointer key;
+    Transaction *existing;
 
     if (G_UNLIKELY (!self->priv->transactions))
         self->priv->transactions = g_hash_table_new (g_direct_hash,
@@ -317,6 +318,22 @@ device_store_transaction (QmiDevice *self,
         }
     }
 
+    /* If we have already a transaction with the same ID complete the existing
+     * one with an error before the new one is added, or we'll end up with
+     * dangling timeouts and cancellation handlers that may be fired off later
+     * on. */
+    existing = device_release_transaction (self, key);
+    if (existing) {
+        GError *inner_error;
+
+        /* Complete transaction with an abort error */
+        inner_error = g_error_new (QMI_PROTOCOL_ERROR,
+                                   QMI_PROTOCOL_ERROR_ABORTED,
+                                   "Transaction overwritten");
+        transaction_complete_and_free (existing, NULL, inner_error);
+        g_error_free (inner_error);
+    }
+
     /* Keep in the HT */
     g_hash_table_insert (self->priv->transactions, key, tr);
 
-- 
cgit v1.2.3
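Review bot: The collision handled at `existing = device_release_transaction (self, key);` is resolved silently: an in-flight request is aborted with QMI_PROTOCOL_ERROR_ABORTED and nothing records that the key was reused, so a wrapped or repeated transaction ID will only ever surface to callers as a sporadic "Transaction overwritten" error rather than as a diagnosable event. A log line inside the `if (existing)` branch, e.g. `g_warning ("transaction ID reused while a transaction with the same key was still pending");`, would make the root cause visible in the verbose proxy output quoted in the commit message, and the header comment should say that the branch makes collisions survivable rather than impossible, which is what the commit title suggests. The fix also relies on device_release_transaction, which is not in the hunk, detaching the timeout and cancellation sources of the released transaction before it is completed here; if it does not, the dangling-source problem the comment describes would remain for the aborted one. device_store_transaction's body continues past the end of the hunk.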