From bf5f4242a2639e1d6e1a20be97a2e177fd12baba Mon Sep 17 00:00:00 2001
From: Slava Monich
Date: Tue, 24 Oct 2017 00:05:36 +0300
Subject: [PATCH] gatmux: Remove write watch source at shutdown

Otherwise write_watcher_destroy_notify can be invoked after GAtMux has been deallocated which results in write after free:
==3952== Invalid write of size 4
==3952== at 0xABF54: write_watcher_destroy_notify (gatmux.c:285)
==3952== by 0x4AF21E7: g_source_callback_unref (gmain.c:1561)
==3952== by 0x4AF2E53: g_source_destroy_internal.constprop.8 (gmain.c:1207)
==3952== by 0x4AF61CF: g_main_dispatch (gmain.c:3177)
==3952== by 0x4AF61CF: g_main_context_dispatch (gmain.c:3769)
==3952== by 0x4AF658F: g_main_loop_run (gmain.c:4034)
==3952== by 0xBDDBB: main (main.c:261)
==3952== Address 0x50c6cb0 is 8 bytes inside a block of size 4,396 free'd
==3952== at 0x4840B28: free (vg_replace_malloc.c:530)
==3952== by 0xACB53: g_at_mux_unref (gatmux.c:642)
==3952== Block was alloc'd at
==3952== at 0x4841BF0: calloc (vg_replace_malloc.c:711)
==3952== by 0xAC9DF: g_at_mux_new (gatmux.c:603)
==3952== by 0xADF2F: g_at_mux_new_gsm0710_basic (gatmux.c:1160)
---
 gatchat/gatmux.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/gatchat/gatmux.c b/gatchat/gatmux.c
index 909eca62..d492edb5 100644
--- a/gatchat/gatmux.c
+++ b/gatchat/gatmux.c
@@ -684,6 +684,9 @@ gboolean g_at_mux_shutdown(GAtMux *mux)
 if (mux->read_watch > 0)
 g_source_remove(mux->read_watch);
 
+ if (mux->write_watch > 0)
+ g_source_remove(mux->write_watch);
+
 for (i = 0; i < MAX_CHANNELS; i++) {
 if (mux->dlcs[i] == NULL)
 continue;
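Review bot: The added `g_source_remove(mux->write_watch)` block has no comment explaining why it is needed, and the reason is not visible in the code. Per the Valgrind trace in the description, write_watcher_destroy_notify writes into the GAtMux, so the source has to be destroyed while the mux is still allocated. A comment above the new `if`, such as `/* Destroy notify writes to mux; remove the source before mux can be freed */`, would keep a later cleanup from dropping the removal. The fix also only holds if g_at_mux_shutdown() runs on every path that reaches the free in g_at_mux_unref (gatmux.c:642 in the trace). The function body starts and ends outside this hunk, so that ordering, and any early return ahead of these lines, should be confirmed.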