From b36dd5203e355c9f3e14523821a4c6c6ee0c0499 Mon Sep 17 00:00:00 2001 From: Denis Kenzior Date: Thu, 11 May 2017 19:48:07 -0500 Subject: [PATCH] network: Sort out reference counting Agent implementation inside agent.c takes a reference of the trigger message associated with the request. When the callback is called, the message is passed as an argument. The callback is responsible for taking the message reference if necessary. Once the callback returns, agent releases its reference. For error paths, our code was using dbus_pending_reply which in turn uses dbus_message_unref. This caused the agent to try an unref operation on an already freed object.
---
 src/network.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/src/network.c b/src/network.c
index ed947a2f..f3bab3ca 100644
--- a/src/network.c
+++ b/src/network.c
@@ -514,6 +514,13 @@ static void passphrase_callback(enum agent_result result,
 network->agent_request = 0;
+ /*
+ * agent will release its reference to message after invoking this
+ * callback. So if we want this message, we need to take a reference
+ * to it
+ */
+ l_dbus_message_ref(message);
+
 if (result != AGENT_RESULT_OK) {
 dbus_pending_reply(&message, dbus_error_aborted(message));
 goto err;
@@ -549,6 +556,7 @@ static void passphrase_callback(enum agent_result result,
 network->update_psk = true;
 device_connect_network(network->device, network, bss, message);
+ l_dbus_message_unref(message);
 return;
 err:
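Review bot: The comment added at the top of passphrase_callback explains why the reference is taken but not who drops it, and the count now has to balance on every exit path. In the visible lines the `result != AGENT_RESULT_OK` branch releases it through `dbus_pending_reply(&message, ...)`, which per the commit message ends in an unref. Any `goto err` between the two hunks that skips that call would leak the message, and those lines are outside the diff, so this needs checking against the full function. I would extend the comment with `* Every exit must drop it: error paths via dbus_pending_reply(), the success path via l_dbus_message_unref().`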
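Review bot: The `l_dbus_message_unref(message)` added after `device_connect_network(...)` is only safe if that function takes its own reference to `message`; its body is not in this diff, so that is an assumption to confirm. If it merely stores the pointer, the agent's release after the callback returns would leave the device holding a freed message, which is the same class of bug this commit fixes. A one-line comment above the unref, `/* device_connect_network() holds its own reference to message */`, would record the contract for whoever next changes either function.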