From: Daniel Mack Date: Fri, 4 Apr 2014 18:35:32 +0000 (+0200) Subject: connection: check whether a reply exists before freeing it X-Git-Tag: upstream/0.20140911.160207utc~131 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=a5b637bf8cdad52888092fc85ab892c06098a23d;p=platform%2Fcore%2Fsystem%2Fkdbus-bus.git connection: check whether a reply exists before freeing it For KDBUS_RECV_DROP, Walk the list of pending replies and see if the one attached to this queue item is stil there. It might have been removed by an incoming reply, and we currently don't track reply entries in that direction in order to prevent potentially dangling pointers. At least atm, KDBUS_RECV_DROP is considered a rarely used operation, so we can live with that.
---
diff --git a/connection.c b/connection.c
index f14cedc..2d69f17 100644
--- a/connection.c
+++ b/connection.c
@@ -1024,9 +1024,29 @@ int kdbus_cmd_msg_recv(struct kdbus_conn *conn,
 /* just drop the message */
 if (recv->flags & KDBUS_RECV_DROP) {
- struct kdbus_conn_reply *reply = NULL;
+ struct kdbus_conn_reply *r, *reply = NULL;
+ bool reply_found = false;
 if (queue->reply) {
+ struct kdbus_conn_reply *r;
+
+ /*
+ * Walk the list of pending replies and see if the
+ * one attached to this queue item is stil there.
+ * It might have been removed by an incoming reply,
+ * and we currently don't track reply entries in that
+ * direction in order to prevent potentially dangling
+ * pointers.
+ */
+ list_for_each_entry(r, &conn->reply_list, entry) {
+ if (r == queue->reply) {
+ reply_found = true;
+ break;
+ }
+ }
+ }
+
+ if (reply_found) {
 if (queue->reply->sync) {
 kdbus_conn_reply_sync(queue->reply, -EPIPE);
 } else {