review.tizen.org Git - platform/upstream/bluez.git/commit

author	Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
	Thu, 4 Jun 2020 21:04:39 +0000 (14:04 -0700)
committer	Ayush Garg <ayush.garg@samsung.com>
	Mon, 12 Apr 2021 09:00:49 +0000 (14:30 +0530)
commit	be68a8dd8b67000b41c2161203cd38642f50c8d2
tree	2e0a2978a3c2632deecdbb85fb5ff0a14a56ca6c	tree \| snapshot
parent	7607614f47955cbb0829b003c11fffc1351eefba	commit \| diff

shared/hci: Fix crash when bt_hci_unref is used from callback

If application unref its reference on the command callback it can lead
to crashes like the following:

Invalid read of size 1
    at 0x254270: wakeup_writer (hci.c:187)
    by 0x254321: process_response (hci.c:229)
    by 0x254590: process_event (hci.c:263)
    by 0x254590: io_read_callback (hci.c:305)
    by 0x269258: watch_callback (io-glib.c:170)
    by 0x496756F: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.6200.6)
    by 0x49678FF: ??? (in /usr/lib64/libglib-2.0.so.0.6200.6)
    by 0x4967BF2: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.6200.6)
    by 0x269C6C: mainloop_run (mainloop-glib.c:79)
    by 0x26A219: mainloop_run_with_signal (mainloop-notify.c:201)
    by 0x171A35: main (main.c:770)
  Address 0x53b7e81 is 17 bytes inside a block of size 64 free'd
    at 0x483AA0C: free (vg_replace_malloc.c:540)
    by 0x254A70: bt_hci_unref (hci.c:461)

Signed-off-by: Anuj Jain <anuj01.jain@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>