From 7490bebbfd823a5d86c4ae285c3bba1555b2a6d9 Mon Sep 17 00:00:00 2001
From: Hyunho Kang <hhstark.kang@samsung.com>
Date: Tue, 20 Sep 2016 16:47:05 +0900
Subject: [PATCH] Fix callback info management bug

When first callback info removed by socket disconnect(sender die)
callback info hash value will reference freed address and it cause crash

Change-Id: Ia50713ab8198270316c1b1ee8369464d47229bb2
Signed-off-by: Hyunho Kang <hhstark.kang@samsung.com>
---
 src/message-port.c | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/src/message-port.c b/src/message-port.c
index 15f94be..2e54cff 100755
--- a/src/message-port.c
+++ b/src/message-port.c
@@ -141,7 +141,7 @@ static void __callback_info_free(gpointer data)
 		return;
 
 	if (callback_info->remote_app_id)
-		free(callback_info->remote_app_id);
+		FREE_AND_NULL(callback_info->remote_app_id);
 
 	if (callback_info->gio_read != NULL) {
 		g_io_channel_shutdown(callback_info->gio_read, TRUE, &error);
@@ -158,12 +158,11 @@ static void __callback_info_free(gpointer data)
 		callback_info->g_src_id = 0;
 	}
 
-	free(callback_info);
+	FREE_AND_NULL(callback_info);
 }
 
 static void __callback_info_free_by_info(message_port_callback_info_s *callback_info)
 {
-
 	GList *callback_info_list = g_hash_table_lookup(__callback_info_hash, GUINT_TO_POINTER(callback_info->local_id));
 	GList *find_list;
 
@@ -176,6 +175,7 @@ static void __callback_info_free_by_info(message_port_callback_info_s *callback_
 
 	callback_info_list = g_list_remove_link(callback_info_list, find_list);
 	__callback_info_free(callback_info);
+	g_list_free(find_list);
 }
 
 static void __hash_destroy_callback_info(gpointer data)
@@ -742,6 +742,7 @@ static bool send_message(GVariant *parameters, GDBusMethodInvocation *invocation
 	message_port_local_port_info_s *mi;
 	int local_reg_id = 0;
 	message_port_callback_info_s *callback_info;
+	message_port_callback_info_s *head_callback_info;
 	GList *callback_info_list = NULL;
 
 	char buf[1024];
@@ -842,6 +843,18 @@ static bool send_message(GVariant *parameters, GDBusMethodInvocation *invocation
 
 			callback_info_list = g_hash_table_lookup(__callback_info_hash, GUINT_TO_POINTER(mi->local_id));
 			if (callback_info_list == NULL) {
+				head_callback_info = (message_port_callback_info_s *)calloc(1, sizeof(message_port_callback_info_s));
+				if (head_callback_info == NULL) {
+					_LOGE("fail to alloc head_callback_info");
+					__callback_info_free(callback_info);
+					return -1;
+				}
+				head_callback_info->local_id = 0;
+				head_callback_info->remote_app_id = NULL;
+				head_callback_info->callback = NULL;
+				head_callback_info->gio_read = NULL;
+				head_callback_info->g_src_id = 0;
+				callback_info_list = g_list_append(callback_info_list, head_callback_info);
 				callback_info_list = g_list_append(callback_info_list, callback_info);
 				g_hash_table_insert(__callback_info_hash, GUINT_TO_POINTER(mi->local_id), callback_info_list);
 			} else {
-- 
2.7.4