From: Luiz Augusto von Dentz Date: Thu, 3 Oct 2013 11:18:21 +0000 (+0300) Subject: obexd/session: Fix crash while processing command queue X-Git-Tag: android-x86-4.4-r3~7531 X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=27bb25c130cad091192c062176448272ad4b1988;p=android-x86%2Fexternal-bluetooth-bluez.git obexd/session: Fix crash while processing command queue session_process_queue can call a callback which can cause the session to be freed: Invalid write of size 4 at 0x4265C9: session_process (session.c:716) by 0x3D46047E05: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3600.3) by 0x3D46048157: ??? (in /usr/lib64/libglib-2.0.so.0.3600.3) by 0x3D46048559: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3600.3) by 0x40D55C: main (main.c:319) Address 0x4d658a8 is 104 bytes inside a block of size 120 free'd at 0x4A074C4: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) by 0x3D4604D9AE: g_free (in /usr/lib64/libglib-2.0.so.0.3600.3) by 0x4265B1: session_process_queue (session.c:794) by 0x4265C8: session_process (session.c:714) by 0x3D46047E05: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3600.3) by 0x3D46048157: ??? (in /usr/lib64/libglib-2.0.so.0.3600.3) by 0x3D46048559: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3600.3) by 0x40D55C: main (main.c:319) --- diff --git a/obexd/client/session.c b/obexd/client/session.c index 331d23d15..48016c446 100644 --- a/obexd/client/session.c +++ b/obexd/client/session.c @@ -711,10 +711,10 @@ static gboolean session_process(gpointer data) { struct obc_session *session = data; - session_process_queue(session); - session->process_id = 0; + session_process_queue(session); + return FALSE; }
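Review bot: In session_process, nothing in the hunk records why `session->process_id = 0;` now has to come before `session_process_queue(session);`, so a later cleanup could restore the old order and bring back the write to freed memory shown in the valgrind trace. Suggest a one-line comment above the call stating that session_process_queue can free the session through a callback and that `session` must not be dereferenced once it returns. Because process_id is now cleared before the queue runs, it is also worth confirming that nothing reached from session_process_queue relies on process_id still being nonzero during the call.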