Conditional jump or move depends on uninitialised value(s)
at 0x42C1AF: obex_put_stream_start (obex.c:869)
by 0x428D1A: mns_put (mns.c:148)
by 0x42B521: cmd_put (obex.c:982)
by 0x419FB5: incoming_data (gobex.c:1022)
by 0x3F31A47A54: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.2)
by 0x3F31A47D87: ??? (in /usr/lib64/libglib-2.0.so.0.3400.2)
by 0x3F31A48181: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3400.2)
by 0x40DEE2: main (main.c:319)
Uninitialised value was created by a stack allocation
at 0x42C160: obex_put_stream_start (obex.c:862)
The MAP specification allows reusing one MNS server instance for all
local MAS client instances. The dispatching of event reports to the
correct MAS client instance is done by the MAS instance id and the
device address.
The dispatcher component allows MAS client instances to register a
notification handler. Event reports are forwarded by the MNS server using
map_dispatch_event.
The remote address used for dispatching the MAP notifications is
initialized when the MNS is connected. Therefore it needs to be freed
when the session is destroyed and not after receiving an event report.
Trace:
0 0x00007ffff6a6a1c9 in raise () from /usr/lib/libc.so.6
1 0x00007ffff6a6b5c8 in abort () from /usr/lib/libc.so.6
2 0x00007ffff6aa8037 in __libc_message () from /usr/lib/libc.so.6
3 0x00007ffff6aad8ae in malloc_printerr () from /usr/lib/libc.so.6
4 0x00007ffff6aae587 in _int_free () from /usr/lib/libc.so.6
5 0x00000000004273b0 in event_report_close (obj=0x69a5b0)
at obexd/client/mns.c:295
6 0x0000000000429549 in os_reset_session (os=0x69c210)
at obexd/src/obex.c:199
7 0x000000000041bec6 in transfer_complete (transfer=0x69a9d0, err=0x0)
at gobex/gobex-transfer.c:103
8 0x000000000041c20c in transfer_put_req (obex=0x69b470,
req=<optimized out>, user_data=0x69a9d0) at
gobex/gobex-transfer.c:407
9 0x000000000041988d in handle_request (req=0x69f3d0, obex=0x69b470)
at gobex/gobex.c:1022
10 incoming_data (io=<optimized out>, cond=<optimized out>,
user_data=0x69b470) at gobex/gobex.c:1194
11 0x00007ffff702de46 in g_main_context_dispatch ()
from /usr/lib/libglib-2.0.so.0
12 0x00007ffff702e198 in ?? () from /usr/lib/libglib-2.0.so.0
13 0x00007ffff702e59a in g_main_loop_run () from
/usr/lib/libglib-2.0.so.0
14 0x000000000040dead in main (argc=1, argv=0x7fffffffddc8)
at obexd/src/main.c:319
The function obc_session_mkdir needs to use file_op_complete as
callback.
0 0x00007ffff72f7553 in ?? () from /usr/lib/libdbus-1.so.3
1 0x00007ffff72f7dff in ?? () from /usr/lib/libdbus-1.so.3
2 0x00007ffff72fef9a in dbus_message_get_sender ()
from /usr/lib/libdbus-1.so.3
3 0x00007ffff72feff9 in dbus_message_new_method_return ()
from /usr/lib/libdbus-1.so.3
4 0x000000000043c93f in async_cb (session=0x6a9d30, transfer=0x0,
err=0x0,
user_data=0x675660) at obexd/client/ftp.c:65
5 0x0000000000438c7c in async_cb (obex=0x6aa980, err=0x0,
rsp=0x67a690,
user_data=0x67ced0) at obexd/client/session.c:1035
6 0x000000000041cbcc in handle_response (obex=0x6aa980, err=0x0,
rsp=0x67a690) at gobex/gobex.c:949
7 0x000000000041d49f in incoming_data (io=0x67d0f0, cond=G_IO_IN,
user_data=0x6aa980) at gobex/gobex.c:1192
8 0x00007ffff702de46 in g_main_context_dispatch ()
from /usr/lib/libglib-2.0.so.0
9 0x00007ffff702e198 in ?? () from /usr/lib/libglib-2.0.so.0
10 0x00007ffff702e59a in g_main_loop_run () from
/usr/lib/libglib-2.0.so.0
11 0x0000000000430a09 in main (argc=1, argv=0x7fffffffddc8)
at obexd/src/main.c:319
The file_op_complete callback added for the OBEX session command queuing
is called with a file_data parameter and not with a pending_request.
This fixes a crash when calling one of the file commands (like delete).
0 0x0000000000438cd6 in file_op_complete (session=0x6a9d30,
transfer=0x0,
err=0x0, user_data=0x6762e0) at obexd/client/session.c:1054
1 0x0000000000438c64 in async_cb (obex=0x6aa980, err=0x0,
rsp=0x67a710,
user_data=0x6ac2c0) at obexd/client/session.c:1035
2 0x000000000041cbcc in handle_response (obex=0x6aa980, err=0x0,
rsp=0x67a710) at gobex/gobex.c:949
3 0x000000000041d49f in incoming_data (io=0x67d0f0, cond=G_IO_IN,
user_data=0x6aa980) at gobex/gobex.c:1192
4 0x00007ffff702de46 in g_main_context_dispatch ()
from /usr/lib/libglib-2.0.so.0
5 0x00007ffff702e198 in ?? () from /usr/lib/libglib-2.0.so.0
6 0x00007ffff702e59a in g_main_loop_run () from
/usr/lib/libglib-2.0.so.0
7 0x00000000004309f0 in main (argc=1, argv=0x7fffffffddc8)
at obexd/src/main.c:319
The function setpath_complete has to be called with a pending_request as
user_data. In one possible error case, the current code calls it
incorrectly with setpath_data.
This adds a setpath_op_complete callback that unpacks the user data and
finally calls the user callback. The callback is now used for success and error
cases.
The previous implementation was using setpath_complete, which did not
work for error cases because it was called with incorrect user data.
This led to a crash that can be reproduced by disconnecting PBAP
after trying to select a non-existing phone book.
0 setpath_complete (session=0x66bd90, transfer=0x0, err=0x69b370,
user_data=0x69a810) at obexd/client/session.c:912
1 0x000000000042d100 in obc_session_shutdown (session=0x66bd90)
at obexd/client/session.c:537
2 0x000000000040f227 in service_filter (connection=0x664b20,
message=<optimized out>, user_data=0x66bed0) at gdbus/watch.c:486
3 0x000000000040f49b in message_filter (connection=0x664b20,
message=0x66ba30, user_data=<optimized out>) at gdbus/watch.c:554
4 0x00007ffff72f40a6 in dbus_connection_dispatch ()
from /usr/lib/libdbus-1.so.3
5 0x000000000040e148 in message_dispatch (data=0x664b20)
at gdbus/mainloop.c:76
6 0x00007ffff702e9a3 in ?? () from /usr/lib/libglib-2.0.so.0
7 0x00007ffff702de46 in g_main_context_dispatch ()
from /usr/lib/libglib-2.0.so.0
8 0x00007ffff702e198 in ?? () from /usr/lib/libglib-2.0.so.0
9 0x00007ffff702e59a in g_main_loop_run () from
/usr/lib/libglib-2.0.so.0
10 0x000000000040dd72 in main (argc=1, argv=0x7fffffffddc8)
at obexd/src/main.c:319
The fd needs to be checked as it may not be valid, which causes the
following warnings:
==8162== Warning: invalid file descriptor 1031 in syscall fcntl(DUPFD_CLOEXEC)()
(obexd:8162): GLib-WARNING **: giounix.c:412Error while getting flags for FD: Bad file descriptor (9)
Invalid read of size 8
at 0x42A570: manager_emit_transfer_completed (manager.c:863)
by 0x42A76A: os_reset_session (obex.c:206)
by 0x42A8BB: disconn_func (obex.c:1085)
by 0x419C55: incoming_data (gobex.c:1224)
by 0x3F31A47A54: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.2)
by 0x3F31A47D87: ??? (in /usr/lib64/libglib-2.0.so.0.3400.2)
by 0x3F31A48181: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3400.2)
by 0x40DDB2: main (main.c:319)
Address 0x10 is not stack'd, malloc'd or (recently) free'd
Invalid read of size 1
at 0x42A231: manager_unregister_transfer (manager.c:672)
by 0x420F8B: opp_disconnect (opp.c:158)
by 0x42A8EC: disconn_func (obex.c:1088)
by 0x419C55: incoming_data (gobex.c:1224)
by 0x3F31A47A54: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.2)
by 0x3F31A47D87: ??? (in /usr/lib64/libglib-2.0.so.0.3400.2)
by 0x3F31A48181: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3400.2)
by 0x40DDB2: main (main.c:319)
Address 0x0 is not stack'd, malloc'd or (recently) free'd
The path used for unregistering is wrong so the Session interface is
still reachable after the object is destroyed which can cause crashes
such as the following:
invalid read of size 8
at 0x4297C4: get_destination (manager.c:286)
by 0x41130B: properties_get (object.c:800)
by 0x410710: process_message.isra.4 (object.c:258)
by 0x3F3461D9C4: ??? (in /usr/lib64/libdbus-1.so.3.7.2)
by 0x3F3460FC1F: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.7.2)
by 0x40E207: message_dispatch (mainloop.c:76)
by 0x3F31A485DA: ??? (in /usr/lib64/libglib-2.0.so.0.3400.2)
by 0x3F31A47A54: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.2)
by 0x3F31A47D87: ??? (in /usr/lib64/libglib-2.0.so.0.3400.2)
by 0x3F31A48181: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3400.2)
by 0x40DDB2: main (main.c:319)
This adds a common file_data struct and related free and complete callbacks
to the session. This will be used for queuing the file related commands
mkdir, copy, move and delete.
This adds a process callback and a data destroy callback to the session's
pending_request structure.
This is needed as preparation for queuing all OBEX session commands.
Parse the service attributes mas_instance_id and supported_message_types
from the transport's service attributes as soon as a connection is
established.
This automatically establishes the MNS connection when the MAS client
session is started and terminates the MNS connection when the MAS client
session is closed.
The MAP client controls the notification channel using the
SetNotificationRegistration function. The MSE will connect/disconnect
the MNS connection accordingly.
This implements the server role of the MAP Message Notification Service
(MNS) which is part of the MAP Client Equipment (MCE) device.
After successful registration, the MNS will receive event reports,
notifying about state changes on the server side.
Possible events are: NewMessages, DeliverySuccess, SendingSuccess,
DeliveryFailure, SendingFailure, MemoryFull, MemoryAvailable,
MessageDeleted, MessageShift.
g_atomic_* end up using G_STATIC_ASSERT, causing gcc 4.8 to yell due to
-Wunused-local-typedefs.
/usr/include/glib-2.0/glib/gmacros.h:162:53: error: typedef ‘_GStaticAssertCompileTimeAssertion_2’ locally defined but not used [-Werror=unused-local-typedefs]
#define G_STATIC_ASSERT(expr) typedef char G_PASTE (_GStaticAssertCompileTimeAssertion_, __COUNTER__)[(expr) ? 1 : -1]
Most of the uses of atomic operations were wrong. They were fixed as
well. If we are using atomic operations, reading the variable again
later for logging is not an option; we should use the return value of the
atomic function used to fetch the variable.
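The re-read hazard described in that commit message, shown with an added C11 stdatomic example (not obexd or GLib code; GLib's g_atomic_* functions follow the same return-value convention): a reference count is decremented atomically, a second unref from another thread is modelled as landing between the decrement and the re-read, and the racy version frees twice while the version that uses the operation's return value frees once. The struct, function names and the interleave hook are constructed for the example.

```c
#include <stdatomic.h>
#include <stdio.h>

/* Hypothetical reference-counted object, constructed for this example. */
struct obj {
	atomic_int ref;
	int frees;	/* times the "free" path ran; must end up exactly 1 */
};
/* Models work another thread does while the caller is mid-operation. */
typedef void (*interleave_fn)(struct obj *o);

/* Correct: the new count comes from the atomic op's return value. */
static int obj_unref(struct obj *o, interleave_fn other)
{
	int now = atomic_fetch_sub(&o->ref, 1) - 1;
	if (other)
		other(o);	/* whatever happens here cannot change 'now' */
	printf("unref: ref %d\n", now);
	if (now == 0)
		o->frees++;	/* stands in for freeing the object */
	return now;
}

/* Wrong (the pattern the commit describes): decrement, then re-read the
 * variable for logging and for the free decision. */
static int obj_unref_racy(struct obj *o, interleave_fn other)
{
	atomic_fetch_sub(&o->ref, 1);
	if (other)
		other(o);
	int seen = atomic_load(&o->ref);	/* may already have moved on */
	printf("unref (re-read): ref %d\n", seen);
	if (seen == 0)
		o->frees++;
	return seen;
}

static void concurrent_unref(struct obj *o) { obj_unref(o, NULL); }

/* Two references dropped, the second landing in the middle of the first.
 * Returns how often the object was "freed": 1 is right, 2 is a double free. */
static int frees_after_two_unrefs(int use_racy)
{
	struct obj o = { .ref = 2, .frees = 0 };
	if (use_racy)
		obj_unref_racy(&o, concurrent_unref);
	else
		obj_unref(&o, concurrent_unref);
	return o.frees;
}
```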