diff options
| author | Aleksander Morgado <aleksander@lanedo.com> | 2012-07-20 12:34:22 +0200 |
|---|---|---|
| committer | Aleksander Morgado <aleksander@lanedo.com> | 2012-08-06 20:07:26 +0200 |
| commit | 93252f39ef75dbca4e7e238032c5065727464a85 (patch) | |
| tree | 49f91f39a5fc6e19b2993f119588803d387d7900 | |
| parent | 40730b115e3aa7f744f6e0c72772c8a4f1872695 (diff) | |
icera: avoid highly unlikely use of already unref-ed bearer
In the connection and disconnection sequences, we make sure that the Bearer
object is valid by keeping a reference in the Dial3gppContext and
Disconnect3gppContext (actually, another one kept by the GSimpleAsyncResult as
well). But we are considering here the case where the context is completed and
freed by an unsolicited message handler before we get the reply to the AT
command, so to properly ensure that the bearer object is still valid when we try
to check if the context is in the priv struct, we need to keep an extra ref
around.
| -rw-r--r-- | plugins/icera/mm-broadband-bearer-icera.c | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/plugins/icera/mm-broadband-bearer-icera.c b/plugins/icera/mm-broadband-bearer-icera.c index 066f3a19..1eb590d8 100644 --- a/plugins/icera/mm-broadband-bearer-icera.c +++ b/plugins/icera/mm-broadband-bearer-icera.c @@ -345,6 +345,10 @@ disconnect_ipdpact_ready (MMBaseModem *modem, /* Try to recover the disconnection context. If none found, it means the * context was already completed and we have nothing else to do. */ ctx = self->priv->disconnect_pending; + + /* Balance refcount with the extra ref we passed to command_full() */ + g_object_unref (self); + if (!ctx) { mm_dbg ("Disconnection context was finished already by an unsolicited message"); @@ -407,7 +411,7 @@ disconnect_3gpp (MMBroadbandBearer *bearer, FALSE, NULL, /* cancellable */ (GAsyncReadyCallback)disconnect_ipdpact_ready, - ctx->self); /* we pass the bearer object! */ + g_object_ref (ctx->self)); /* we pass the bearer object! */ g_free (command); } @@ -680,6 +684,10 @@ activate_ready (MMBaseModem *modem, /* Try to recover the connection context. If none found, it means the * context was already completed and we have nothing else to do. */ ctx = self->priv->connect_pending; + + /* Balance refcount with the extra ref we passed to command_full() */ + g_object_unref (self); + if (!ctx) { mm_dbg ("Connection context was finished already by an unsolicited message"); @@ -743,7 +751,7 @@ deactivate_ready (MMBaseModem *modem, FALSE, NULL, /* cancellable */ (GAsyncReadyCallback)activate_ready, - ctx->self); /* we pass the bearer object! */ + g_object_ref (ctx->self)); /* we pass the bearer object! */ g_free (command); } |