@@ -64,6 +64,8 @@ static void transfer_free(struct transfer *transfer)
g_obex_remove_request_function(transfer->obex,
transfer->abort_id);
+ g_obex_remove_responsefunc(transfer->obex);
+
g_obex_unref(transfer->obex);
g_free(transfer);
}
@@ -533,6 +533,12 @@ void g_obex_drop_tx_queue(GObex *obex)
pending_pkt_free(p);
}
+void g_obex_remove_responsefunc(GObex *obex)
+{
+ if (obex->pending_req)
+ obex->pending_req->rsp_func = NULL;
+}
+
static gboolean g_obex_send_internal(GObex *obex, struct pending_pkt *p,
GError **err)
{
@@ -51,6 +51,7 @@ void g_obex_suspend(GObex *obex);
void g_obex_resume(GObex *obex);
gboolean g_obex_srm_active(GObex *obex);
void g_obex_drop_tx_queue(GObex *obex);
+void g_obex_remove_responsefunc(GObex *obex);
GObex *g_obex_new(GIOChannel *io, GObexTransportType transport_type,
gssize rx_mtu, gssize tx_mtu);
Pointer is reused after release. After the transfer pointer is released, remove the response function in pending_pkg to avoid the 'p->rsp_func' is reused step: [obex]# connect 28:33:34:1E:96:98 Attempting to connect to 28:33:34:1E:96:98 [NEW] Session /org/bluez/obex/client/session2 [default] [NEW] ObjectPush /org/bluez/obex/client/session2 Connection successful [28:33:34:1E:96:98]# send /home/uos/Desktop/systemd.zip Attempting to send /home/uos/Desktop/systemd.zip [NEW] Transfer /org/bluez/obex/client/session2/transfer2 Transfer /org/bluez/obex/client/session2/transfer2 Status: queued Name: systemd.zip Size: 33466053 Filename: /home/uos/Desktop/systemd.zip Session: /org/bluez/obex/client/session2 [CHG] Transfer /org/bluez/obex/client/session2/transfer2 [CHG] Transfer /org/bluez/obex/client/session2/transfer2 [CHG] Transfer /org/bluez/obex/client/session2/transfer2 [CHG] Transfer /org/bluez/obex/client/session2/transfer2 [CHG] Transfer /org/bluez/obex/client/session2/transfer2 [CHG] Transfer /org/bluez/obex/client/session2/transfer2 [CHG] Transfer /org/bluez/obex/client/session2/transfer2 [CHG] Transfer /org/bluez/obex/client/session2/transfer2 [CHG] Transfer /org/bluez/obex/client/session2/transfer2 [CHG] Transfer /org/bluez/obex/client/session2/transfer2 [CHG] Transfer /org/bluez/obex/client/session2/transfer2 [CHG] Transfer /org/bluez/obex/client/session2/transfer2 er2 33:34:1E:96:98]# cancel /org/bluez/obex/client/sessi Attempting to cancel transfer /org/bluez/obex/client/s Cancel successful valgrind trace: ==11431== Invalid read of size 4 ==11431== at 0x12B442: transfer_response () ==11431== by 0x127764: req_timeout () ==11431== by 0x49B8922: ??? ( ) ==11431== by 0x49B7E97: g_main_context_dispatch () ==11431== by 0x49B8287: ??? (in ) ==11431== by 0x49B8581: g_main_loop_run () ==11431== by 0x121834: main (main.c:322) ==11431== Address 0x7344fa0 is 16 bytes inside a block of size ==11431== at 0x48369AB: free () ==11431== by 0x12B459: transfer_response () ==11431== by 0x127B3D: cancel_complete () ==11431== by 0x49B7E97: g_main_context_dispatch () ==11431== by 0x49B8287: ??? () ==11431== by 0x49B8581: g_main_loop_run () ==11431== by 0x121834: main (main.c:322) ==11431== Block was alloc'd at ==11431== at 0x4837B65: calloc () ==11431== by 0x49BD9D8: g_malloc0 () ==11431== by 0x12AB89: transfer_new () ==11431== by 0x12B732: g_obex_put_req_pkt () ==11431== by 0x12B732: g_obex_put_req_pkt () ==11431== by 0x146982: transfer_start_put () ==11431== by 0x146982: obc_transfer_start () ==11431== by 0x13C5A7: session_process_transfer () ==11431== by 0x13D248: session_process_queue () ==11431== by 0x13D248: session_process_queue () ==11431== by 0x13D2AF: session_process () ==11431== by 0x49B7E97: g_main_context_dispatch () ==11431== by 0x49B8287: ??? (i) ==11431== by 0x49B8581: g_main_loop_run () ==11431== by 0x121834: main () ==11431== ==11431== (action on error) vgdb me ... --- gobex/gobex-transfer.c | 2 ++ gobex/gobex.c | 6 ++++++ gobex/gobex.h | 1 + 3 files changed, 9 insertions(+)