From 28419bdc2fd093bcbc68b629b9c7b8c295260c57 Mon Sep 17 00:00:00 2001

From: Szymon Janc <szymon.janc@gmail.com>

Date: Mon, 9 Dec 2013 20:20:55 +0100

Subject: [PATCH 5/5] core: Fix crash due to agent callback freeing the agent

Similar fix was provided for simple_agent_reply in a2f5d438 but missed

pincode_reply case.

Fix following:

src/agent.c:agent_disconnect() Agent :1.48 disconnected

src/agent.c:set_default_agent() Default agent cleared

src/agent.c:agent_destroy() agent :1.48

src/agent.c:agent_unref() 0x4701c68: ref=1

Agent /org/bluez/agent replied with an error:

    org.freedesktop.DBus.Error.NoReply, Message did not receive a reply

    (timeout by message bus)

src/adapter.c:btd_adapter_pincode_reply() hci0 addr 6C:0E:0D:DB:D1:16

    pinlen 0

src/agent.c:agent_unref() 0x4701c68: ref=0

src/adapter.c:btd_adapter_pincode_reply() hci0 addr 6C:0E:0D:DB:D1:16

    pinlen 0

src/agent.c:agent_unref() 0x4701c68: ref=-1

src/adapter.c:btd_adapter_pincode_reply() hci0 addr 6C:0E:0D:DB:D1:16

    pinlen 0

src/agent.c:agent_unref() 0x4701c68: ref=-2

...

---

 src/agent.c | 4 ++++

 1 file changed, 4 insertions(+)

diff --git a/src/agent.c b/src/agent.c

index b292881..2ec3183 100644

--- a/src/agent.c

+++ b/src/agent.c

@@ -428,6 +428,9 @@ static void pincode_reply(DBusPendingCall *call, void *user_data)

 	 * is only called after a reply has been received */

 	message = dbus_pending_call_steal_reply(call);

+	/* Protect from the callback freeing the agent */

+	agent_ref(agent);

+

 	dbus_error_init(&err;;

 	if (dbus_set_error_from_message(&err, message)) {

 		error("Agent %s replied with an error: %s, %s",

@@ -467,6 +470,7 @@ done:

 	dbus_pending_call_cancel(req->call);

 	agent->request = NULL;

 	agent_request_free(req, TRUE);

+	agent_unref(agent);

 }

 static int pincode_request_new(struct agent_request *req, const char *device_path,

-- 

1.8.4.2