Fix the issue of heap-use-after-free

 - Use only the more accurate states than muse running
 - Remove muse running

Change-Id: If19b1beae1a2849876ee1acac3b83384e8132999

diff --git a/packaging/mused.spec b/packaging/mused.spec
index ffd1250..25bdaaf 100644 (file)
--- a/packaging/mused.spec
+++ b/packaging/mused.spec
@@ -1,6 +1,6 @@
 Name:       mused
 Summary:    A multimedia daemon
-Version:    0.3.83
+Version:    0.3.84
 Release:    0
 Group:      System/Libraries
 License:    Apache-2.0 and BSD-3-Clause

diff --git a/server/include/muse_server_private.h b/server/include/muse_server_private.h
index 5d08f94..8afed6c 100644 (file)
--- a/server/include/muse_server_private.h
+++ b/server/include/muse_server_private.h
@@ -113,8 +113,6 @@ void ms_deinit_bufmgr(void);
 void ms_cmd_dispatch_foreach_func(gpointer data, gpointer user_data);
 void ms_set_state(ms_state_e state);
 gboolean ms_is_server_ready(void);
-void ms_set_running(gboolean value);
-gboolean ms_is_running(void);
 
 #ifdef __cplusplus
 }

diff --git a/server/src/muse_server_ipc.c b/server/src/muse_server_ipc.c
index f70a4e5..3ab4484 100644 (file)
--- a/server/src/muse_server_ipc.c
+++ b/server/src/muse_server_ipc.c
@@ -142,7 +142,7 @@ static gpointer _ms_ipc_dispatch_worker(gpointer data)
 
                m->msg_offset = 0;
 
-               while (attempt_to_dispatch && m->msg_offset < len && ms_is_running()) {
+               while (attempt_to_dispatch && m->msg_offset < len && ms_is_server_ready()) {
                        jobj = muse_core_msg_object_new(m->recv_msg + m->msg_offset, &parse_len, NULL);
                        if (!jobj) {
                                LOGE("jobj is null");
@@ -365,7 +365,7 @@ gboolean ms_ipc_job_function(ms_workqueue_job_t *job)
 
        muse_return_val_if_fail(ms_get_instance(), FALSE);
        muse_return_val_if_fail(job, FALSE);
-       muse_return_val_if_fail(ms_is_running(), FALSE);
+       muse_return_val_if_fail(ms_is_server_ready(), FALSE);
 
        m = (muse_module_h)job->user_data;
        muse_return_val_if_fail(m, FALSE);
@@ -395,7 +395,7 @@ gboolean ms_ipc_data_job_function(ms_workqueue_job_t *job)
 
        muse_return_val_if_fail(ms_get_instance(), FALSE);
        muse_return_val_if_fail(job, FALSE);
-       muse_return_val_if_fail(ms_is_running(), FALSE);
+       muse_return_val_if_fail(ms_is_server_ready(), FALSE);
 
        m = (muse_module_h)job->user_data;
        muse_return_val_if_fail(m, FALSE);

diff --git a/server/src/muse_server_private.c b/server/src/muse_server_private.c
index 1c67a0a..aaa2fea 100644 (file)
--- a/server/src/muse_server_private.c
+++ b/server/src/muse_server_private.c
@@ -169,9 +169,6 @@ static void _ms_create_new_server_from_fd(int fd[], int type)
 
        gettimeofday(&muse_server->tv_s, NULL);
 
-       /*initiate server */
-       ms_set_running(TRUE);
-
        for (i = 0; i < MUSE_CHANNEL_MAX; i++) {
                if (!_ms_attach(fd[i], _ms_connection_handler, (gpointer)(intptr_t) i)) {
                        snprintf(err_msg, sizeof(err_msg), "Fail to attach server fd %d", fd[i]);
@@ -958,16 +955,3 @@ gboolean ms_is_server_ready(void)
        return muse_server->state == MUSE_SERVER_STATE_READY;
 }
 
-void ms_set_running(gboolean value)
-{
-       muse_return_if_fail(muse_server);
-
-       g_atomic_int_set(&muse_server->running, value);
-}
-
-gboolean ms_is_running(void)
-{
-       muse_return_val_if_fail(muse_server, FALSE);
-       return (gboolean)g_atomic_int_get(&muse_server->running);
-}
-

diff --git a/server/src/muse_server_signal.c b/server/src/muse_server_signal.c
index d76ea54..6010935 100644 (file)
--- a/server/src/muse_server_signal.c
+++ b/server/src/muse_server_signal.c
@@ -50,7 +50,7 @@ static void _ms_signal_handler(int signo)
 
        LOGD("signo(%d)", signo);
 
-       ms_set_running(FALSE);
+       ms_set_state(MUSE_SERVER_STATE_IDLE);
 
        switch (signo) {
        case SIGSEGV: