Calling __connman_wispr_stop() without connman_agent_cancel() allows pending wispr requests to complete later which results in a read/write access to the freed memory and a subsequent crash.
Calling connman_agent_cancel() without __connman_wispr_stop() stops the wispr sequence which renders the wispr context useless. That makes no sense either. --- src/service.c | 2 +- src/wispr.c | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/src/service.c b/src/service.c index cbca669..1df9b57 100644 --- a/src/service.c +++ b/src/service.c @@ -6061,7 +6061,7 @@ int __connman_service_disconnect(struct connman_service *service) service->connect_reason = CONNMAN_SERVICE_CONNECT_REASON_NONE; service->proxy = CONNMAN_SERVICE_PROXY_METHOD_UNKNOWN; - connman_agent_cancel(service); + __connman_wispr_stop(service); reply_pending(service, ECONNABORTED); diff --git a/src/wispr.c b/src/wispr.c index dcce93c..e5a7ddc 100644 --- a/src/wispr.c +++ b/src/wispr.c @@ -29,6 +29,7 @@ #include <gweb/gweb.h> #include "connman.h" +#include "agent.h" #define STATUS_URL_IPV4 "http://ipv4.connman.net/online/status.html" #define STATUS_URL_IPV6 "http://ipv6.connman.net/online/status.html" @@ -972,6 +973,7 @@ void __connman_wispr_stop(struct connman_service *service) if (index < 0) return; + connman_agent_cancel(service); g_hash_table_remove(wispr_portal_list, GINT_TO_POINTER(index)); } -- 1.8.3.2 _______________________________________________ connman mailing list connman@connman.net https://lists.connman.net/mailman/listinfo/connman