We don't want e.g. an array that has some printable ASCII bytes, then
NUL bytes and then some more printable ASCII bytes. We require a totally
valid ASCII string, suffixed with NUL bytes if the string is shorter
than 16 bytes.
Plus, we avoid g_str_is_ascii(), which is only available in GLib 2.40.0.
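An added example (not the libqmi sources) of the check described above: a 16-byte field is accepted only as a run of printable ASCII followed by nothing but NUL padding, written in plain C so it needs no g_str_is_ascii(). The printable range 0x20..0x7e, the sample fields, and treating an all-NUL field as an empty (valid) string are this example's own assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define FIELD_LEN 16

/* Accepts a FIELD_LEN-byte field only when it is a run of printable ASCII
 * bytes (0x20..0x7e, an assumption here) followed by nothing but NUL padding.
 * A non-ASCII byte, a control byte, or any non-NUL byte after the first NUL
 * rejects the field. A field that uses all FIELD_LEN bytes has no terminator
 * and is still valid; an all-NUL field is an empty string and is accepted.
 * Plain C with no GLib call, so it does not depend on g_str_is_ascii(). */
static bool
field_is_valid_ascii_string (const unsigned char *buf, size_t len)
{
    size_t i;

    /* Leading run: every byte before the first NUL must be printable ASCII */
    for (i = 0; i < len && buf[i] != '\0'; i++) {
        if (buf[i] < 0x20 || buf[i] > 0x7e)
            return false;
    }
    /* Tail: once a NUL is seen, only NUL padding may follow */
    for (; i < len; i++) {
        if (buf[i] != '\0')
            return false;
    }
    return true;
}

/* Constructed sample fields (not from the original code) */
static const unsigned char sample_padded[FIELD_LEN]   = "ABCDEF";           /* zero-padded by C */
static const unsigned char sample_full[FIELD_LEN]     = "0123456789ABCDEF"; /* no terminator */
static const unsigned char sample_split[FIELD_LEN]    = { 'A', 'B', 'C', 0, 'D', 'E', 'F' };
static const unsigned char sample_nonascii[FIELD_LEN] = { 'A', 0xC3, 0xA9 };
static const unsigned char sample_control[FIELD_LEN]  = { 'A', 'B', '\n', 'C' };

int
main (void)
{
    printf ("padded: %d full: %d split: %d non-ascii: %d control: %d\n",
            field_is_valid_ascii_string (sample_padded, FIELD_LEN),
            field_is_valid_ascii_string (sample_full, FIELD_LEN),
            field_is_valid_ascii_string (sample_split, FIELD_LEN),
            field_is_valid_ascii_string (sample_nonascii, FIELD_LEN),
            field_is_valid_ascii_string (sample_control, FIELD_LEN));
    return 0;
}
```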
qmicli-pdc.c: In function 'load_config_input_create_chunk':
qmicli-pdc.c:1022:14: error: format '%lu' expects argument of type 'long unsigned int', but argument 4 has type 'gsize {aka unsigned int}' [-Werror=format=]
g_debug ("Uploaded %lu of %lu\n", config_file->offset, full_size);
Otherwise, we may end up with transactions timing out and segfaulting as they
aren't found in the tracking table (e.g. if the replacing transaction finishes
before the timeout of the replaced transaction is fired off).
==573== Command: /usr/libexec/qmi-proxy --no-exit --verbose
==573== Parent PID: 567
==573==
==573== Invalid write of size 8
==573== at 0x4E9A07A: transaction_timed_out (qmi-device.c:248)
==573== by 0x5D24EB2: ??? (in /usr/lib/libglib-2.0.so.0.5000.1)
==573== by 0x5D24439: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.5000.1)
==573== by 0x5D247EF: ??? (in /usr/lib/libglib-2.0.so.0.5000.1)
==573== by 0x5D24B11: g_main_loop_run (in /usr/lib/libglib-2.0.so.0.5000.1)
==573== by 0x40139D: main (qmi-proxy.c:220)
==573== Address 0x10 is not stack'd, malloc'd or (recently) free'd
==573==
==573==
==573== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==573== Access not within mapped region at address 0x10
==573== at 0x4E9A07A: transaction_timed_out (qmi-device.c:248)
==573== by 0x5D24EB2: ??? (in /usr/lib/libglib-2.0.so.0.5000.1)
==573== by 0x5D24439: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.5000.1)
==573== by 0x5D247EF: ??? (in /usr/lib/libglib-2.0.so.0.5000.1)
==573== by 0x5D24B11: g_main_loop_run (in /usr/lib/libglib-2.0.so.0.5000.1)
==573== by 0x40139D: main (qmi-proxy.c:220)
==573== If you believe this happened as a result of a stack
==573== overflow in your program's main thread (unlikely but
==573== possible), you can try to increase the size of the
==573== main thread stack using the --main-stacksize= flag.
==573== The main thread stack size used in this run was 8388608.
If the client which originated the request exits (e.g. HUP received in its
socket) before the actual response from the QmiDevice arrives, we'll end up
trying to access the Client info (as kept in request->client) even if it has
already been freed.
Fix that, by making the Client a ref-counted object, and passing around full
references of the Client where needed, e.g.:
* In the async callbacks where Client is passed as data.
* Inside each Request.
Doing this we make sure each operation has a totally valid Client until the
operation finishes, even if the client gets disconnected in between.
==311== Invalid read of size 8
==311== at 0x4E9381C: track_cid (qmi-proxy.c:443)
==311== by 0x4E93A45: device_command_ready (qmi-proxy.c:492)
==311== by 0x52BEC18: g_simple_async_result_complete (gsimpleasyncresult.c:777)
==311== by 0x52BEC4E: complete_in_idle_cb (gsimpleasyncresult.c:789)
==311== by 0x583FA6D: g_idle_dispatch (gmain.c:5250)
==311== by 0x583D47A: g_main_dispatch (gmain.c:3065)
==311== by 0x583E237: g_main_context_dispatch (gmain.c:3641)
==311== by 0x583E463: g_main_context_iterate (gmain.c:3712)
==311== by 0x583E79C: g_main_loop_run (gmain.c:3906)
==311== by 0x401411: main (qmi-proxy.c:220)
==311== Address 0x87c7450 is 48 bytes inside a block of size 64 free'd
==311== at 0x4C2A0C0: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==311== by 0x584519E: g_free (gmem.c:197)
==311== by 0x585BBF6: g_slice_free1 (gslice.c:1124)
==311== by 0x4E92CC5: client_free (qmi-proxy.c:149)
==311== by 0x4E92DD4: connection_close (qmi-proxy.c:177)
==311== by 0x4E93CFF: connection_readable_cb (qmi-proxy.c:586)
==311== by 0x52C2A4D: socket_source_dispatch (gsocket.c:3264)
==311== by 0x583D47A: g_main_dispatch (gmain.c:3065)
==311== by 0x583E237: g_main_context_dispatch (gmain.c:3641)
==311== by 0x583E463: g_main_context_iterate (gmain.c:3712)
==311== by 0x583E79C: g_main_loop_run (gmain.c:3906)
==311== by 0x401411: main (qmi-proxy.c:220)
==311== Block was alloc'd at
==311== at 0x4C2B3D0: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==311== by 0x584502D: g_malloc (gmem.c:104)
==311== by 0x585B990: g_slice_alloc (gslice.c:1016)
==311== by 0x585B9D4: g_slice_alloc0 (gslice.c:1042)
==311== by 0x4E93FC5: incoming_cb (qmi-proxy.c:655)
==311== by 0x60F2A4B: ffi_call_unix64 (unix64.S:75)
==311== by 0x60F24B8: ffi_call (ffi64.c:492)
==311== by 0x55BB773: g_cclosure_marshal_generic (gclosure.c:1454)
==311== by 0x55BA093: g_closure_invoke (gclosure.c:777)
==311== by 0x55D1B45: signal_emit_unlocked_R (gsignal.c:3586)
==311== by 0x55D0F00: g_signal_emit_valist (gsignal.c:3340)
==311== by 0x55D1383: g_signal_emit (gsignal.c:3386)
and:
==9308== Invalid read of size 8
==9308== at 0x4E93641: device_new_ready (qmi-proxy.c:348)
==9308== by 0x52BEC18: g_simple_async_result_complete (gsimpleasyncresult.c:777)
==9308== by 0x52BEC4E: complete_in_idle_cb (gsimpleasyncresult.c:789)
==9308== by 0x583FA6D: g_idle_dispatch (gmain.c:5250)
==9308== by 0x583D47A: g_main_dispatch (gmain.c:3065)
==9308== by 0x583E237: g_main_context_dispatch (gmain.c:3641)
==9308== by 0x583E463: g_main_context_iterate (gmain.c:3712)
==9308== by 0x583E79C: g_main_loop_run (gmain.c:3906)
==9308== by 0x401411: main (qmi-proxy.c:220)
==9308== Address 0x8d04930 is 32 bytes inside a block of size 72 free'd
==9308== at 0x4C2A0C0: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==9308== by 0x584519E: g_free (gmem.c:197)
==9308== by 0x585BBF6: g_slice_free1 (gslice.c:1124)
==9308== by 0x4E92EAB: client_free (qmi-proxy.c:159)
==9308== by 0x4E92FBA: connection_close (qmi-proxy.c:187)
==9308== by 0x4E93FC1: connection_readable_cb (qmi-proxy.c:626)
==9308== by 0x52C2A4D: socket_source_dispatch (gsocket.c:3264)
==9308== by 0x583D47A: g_main_dispatch (gmain.c:3065)
==9308== by 0x583E237: g_main_context_dispatch (gmain.c:3641)
==9308== by 0x583E463: g_main_context_iterate (gmain.c:3712)
==9308== by 0x583E79C: g_main_loop_run (gmain.c:3906)
==9308== by 0x401411: main (qmi-proxy.c:220)
==9308== Block was alloc'd at
==9308== at 0x4C2B3D0: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==9308== by 0x584502D: g_malloc (gmem.c:104)
==9308== by 0x585B990: g_slice_alloc (gslice.c:1016)
==9308== by 0x585B9D4: g_slice_alloc0 (gslice.c:1042)
==9308== by 0x4E94287: incoming_cb (qmi-proxy.c:695)
==9308== by 0x60F2A4B: ffi_call_unix64 (unix64.S:75)
==9308== by 0x60F24B8: ffi_call (ffi64.c:492)
==9308== by 0x55BB773: g_cclosure_marshal_generic (gclosure.c:1454)
==9308== by 0x55BA093: g_closure_invoke (gclosure.c:777)
==9308== by 0x55D1B45: signal_emit_unlocked_R (gsignal.c:3586)
==9308== by 0x55D0F00: g_signal_emit_valist (gsignal.c:3340)
==9308== by 0x55D1383: g_signal_emit (gsignal.c:3386)
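An added example (not the qmi-proxy sources) of the fix described above: the Client becomes ref-counted, each Request holds a full reference, and a HUP on the socket drops only the connection's reference, so the device callback can still read request->client after the client has disconnected. The struct layout, the connected flag and the clients_freed counter are this example's own assumptions.

```c
#include <stdlib.h>

/* Added example, not the qmi-proxy sources. clients_freed counts Client
 * structs actually released, so a caller can observe when memory goes away. */
static int clients_freed = 0;

typedef struct { int ref_count; int connected; } Client;
typedef struct { Client *client; } Request;  /* full reference to the Client */

static Client *client_new (void) {
    Client *c = calloc (1, sizeof (*c));
    c->ref_count = 1;   /* the connection's own reference */
    c->connected = 1;
    return c;
}

static Client *client_ref (Client *c) { c->ref_count++; return c; }

static void client_unref (Client *c) {
    if (--c->ref_count == 0) {
        clients_freed++;
        free (c);
    }
}

/* A request takes its own reference, so request->client stays valid even if
 * the socket hangs up before the device answers. */
static Request *request_new (Client *c) {
    Request *r = calloc (1, sizeof (*r));
    r->client = client_ref (c);
    return r;
}

/* HUP on the client socket: mark it gone and drop only the connection's ref. */
static void connection_close (Client *c) {
    c->connected = 0;
    client_unref (c);
}

/* Device response arrives. Reading request->client is safe because the
 * request holds a reference. Returns 1 if the client is still connected,
 * 0 if it already went away, then releases the request and its reference. */
static int device_command_ready (Request *r) {
    int delivered = r->client->connected;
    client_unref (r->client);
    free (r);
    return delivered;
}
```

Without the request's reference, the first scenario in the test (close before the response) is exactly the use-after-free in the traces above.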
The original implementation actually had some bugs when freeing the output
array in error conditions. Also, use g_ascii_xdigit_value() instead of
custom conversions.
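An added example (not the qmicli sources) of the two points above: hex digits are converted with the same contract as g_ascii_xdigit_value(), and the output array is released on a single error path so error conditions can neither leak it nor free it twice. The input format (a plain even-length hex string) and the function names are this example's own assumptions; the digit helper is a local copy only so the block builds without GLib.

```c
#include <stdlib.h>
#include <string.h>

/* Same contract as GLib's g_ascii_xdigit_value(): 0..15 for a hex digit,
 * -1 for anything else. Local copy only so this builds without GLib. */
static int xdigit_value (char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parses an even-length hex string such as "0a1B" into a freshly allocated
 * byte array (assumed input format for this example). Returns the array and
 * stores its length in *out_len; on any error returns NULL, stores 0, and
 * releases the partial array on one shared error path, so it can be neither
 * leaked nor freed twice. The caller frees a non-NULL result. */
static unsigned char *hex_string_to_bytes (const char *str, size_t *out_len) {
    size_t n = strlen (str);
    unsigned char *out = NULL;
    size_t i;

    *out_len = 0;
    if (n == 0 || (n % 2) != 0)
        return NULL;                /* nothing allocated yet: nothing to free */

    out = malloc (n / 2);
    if (out == NULL)
        return NULL;

    for (i = 0; i < n; i += 2) {
        int hi = xdigit_value (str[i]);
        int lo = xdigit_value (str[i + 1]);
        if (hi < 0 || lo < 0)
            goto error;             /* invalid digit: bail out through cleanup */
        out[i / 2] = (unsigned char) ((hi << 4) | lo);
    }
    *out_len = n / 2;
    return out;

error:
    free (out);                     /* the single place the partial result dies */
    return NULL;
}
```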
QMI_WDS_IP_FAMILY_UNSPECIFIED = 8 but ip_type gets initialized to
0, so the "IP Family Preference" was always being sent with an
unrecognized value.
Fixes: 81c21379 qmicli: add support for IP type to --wds-start-networ