Fix btmon crash
[Problem] btmon crashes.
[Cause & Measure] When SDP continuation is handled, another variable's
value is overwritten because an invalid array index is used for memcpy's
src.
[Checking Method] Run btmon -> Connect Android phone to KITT ->
Terminate btmon. In this procedure, btmon crashes randomly.
When the issue happens, irk_list's value is corrupted by the invalid memcpy.
This causes a crash when irk_list is accessed.
1: irk_list = (struct queue *) 0xb7cda0a0
(gdb)
499 memcpy(cont_list[i].cont, data + bytes, data[bytes] + 1);
1: irk_list = (struct queue *) 0xb7cda0a0
(gdb)
0xb6f5f1a8 in memcpy@plt ()
1: irk_list = (struct queue *) 0xb7cda0a0
(gdb)
Single stepping until exit from function memcpy@plt,
which has no line number information.
memcpy () at ../sysdeps/arm/memcpy.S:63
...
1: irk_list = (struct queue *) 0xb7000002
(gdb)
search_attr_rsp (frame=0xbeadd3f8, tid=0xb6fcd760 <tid_list>) at monitor/sdp.c:669
669 clear_tid(tid);
1: irk_list = (struct queue *) 0xb7000002
(gdb) p cont_list
$5 = {{channel = 0, cont = '\000' <repeats 16 times>, data = 0xb7cda3a0, size = 656}, {channel = 0, cont = '\000' <repeats 16 times>, data = 0x0, size = 0}, {channel = 0,
cont = '\000' <repeats 16 times>, data = 0x0, size = 0}, {channel = 0, cont = '\000' <repeats 16 times>, data = 0x0, size = 0}, {channel = 0, cont = '\000' <repeats 16 times>,
data = 0x0, size = 0}, {channel = 0, cont = '\000' <repeats 16 times>, data = 0x0, size = 0}, {channel = 0, cont = '\000' <repeats 16 times>, data = 0x0, size = 0}, {channel = 0,
cont = '\000' <repeats 16 times>, data = 0x0, size = 0}}
Change-Id: I3608d1b9cf14bbfc87d17fbad6a443bdcbdf87af
Signed-off-by: Seungyoun Ju <sy39.ju@samsung.com>
Signed-off-by: DoHyun Pyun <dh79.pyun@samsung.com>
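As an added illustration (not BlueZ code and not part of this commit), the copy below shows the shape of check that keeps a continuation-state memcpy from spilling into a neighbouring variable, as the irk_list corruption in the trace above does. The struct name cont_state, the function cont_state_copy and the demo helpers are assumptions made for this example; the 16-byte cap matches the 16-byte cont field in the gdb dump and SDP's definition of continuation info (one length byte followed by 0 to 16 bytes). Every read of the frame and every write to the destination is bounded before memcpy runs, and a rejected copy leaves the neighbouring field untouched:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SDP continuation state: 1 length byte followed by 0..16 info bytes. */
#define CONT_INFO_MAX 16

/* Assumed layout for this example; not the btmon cont_list entry. */
struct cont_state {
	uint8_t len;                  /* number of valid bytes in info */
	uint8_t info[CONT_INFO_MAX];  /* fixed-size destination buffer */
};

/*
 * Copy the continuation state that starts at offset `off` of a frame of
 * `size` bytes into `dst`.  Returns 0 on success or a negative code when
 * the offset, the claimed length, or the remaining frame would make the
 * memcpy read or write out of bounds.
 */
int cont_state_copy(struct cont_state *dst, const uint8_t *frame,
		    size_t size, size_t off)
{
	if (!dst || !frame)
		return -1;
	if (off >= size)               /* length byte itself is outside the frame */
		return -2;

	uint8_t len = frame[off];
	if (len > CONT_INFO_MAX)       /* would overflow dst->info */
		return -3;
	if (size - off - 1 < len)      /* info bytes would run past end of frame */
		return -4;

	memcpy(dst->info, frame + off + 1, len);
	dst->len = len;
	return 0;
}

/* Constructed frame: length 2, info bytes AA BB.  Returns info[1]. */
int demo_valid_frame(void)
{
	const uint8_t frame[] = { 0x02, 0xAA, 0xBB };
	struct cont_state cs;

	if (cont_state_copy(&cs, frame, sizeof(frame), 0) != 0)
		return -1;
	return cs.info[1];
}

/* Constructed frame claiming 5 info bytes but carrying only 1. */
int demo_truncated_frame(void)
{
	const uint8_t frame[] = { 0x05, 0xAA };
	struct cont_state cs;

	return cont_state_copy(&cs, frame, sizeof(frame), 0);
}

/*
 * Constructed frame claiming 32 info bytes (more than CONT_INFO_MAX).
 * A variable placed right after the state, standing in for irk_list,
 * must keep its value.  Returns 1 when the copy is rejected and the
 * neighbour is intact.
 */
int demo_neighbour_intact(void)
{
	struct {
		struct cont_state cs;
		uintptr_t neighbour;
	} s;
	uint8_t frame[1 + 32];

	memset(frame, 0x41, sizeof(frame));
	frame[0] = 32;
	s.neighbour = (uintptr_t)0xb7cda0a0;   /* sentinel, value taken from the trace */

	int rc = cont_state_copy(&s.cs, frame, sizeof(frame), 0);
	return rc == -3 && s.neighbour == (uintptr_t)0xb7cda0a0;
}

int main(void)
{
	printf("valid frame info[1] = 0x%02x\n", demo_valid_frame());
	printf("truncated frame rc  = %d\n", demo_truncated_frame());
	printf("neighbour intact    = %d\n", demo_neighbour_intact());
	return 0;
}
```

The order of the checks matters: the offset is validated before the length byte is read, and the length is compared against both the destination size and the bytes remaining in the frame, so neither the source read nor the destination write can exceed its buffer.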