a2dp: Fix crash on transport_cb

There have been reports of crashes on transport_cb where the setup
would most likely already have been freed but transport_cb would still
be called, so instead of assuming the setup pointer would be valid try
to lookup the list of active setups and log a warning when it happens.

Signed-off-by: Anuj Jain <anuj01.jain@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>

diff --git a/profiles/audio/a2dp.c b/profiles/audio/a2dp.c
index 5f30fb0..fc11c4e 100644 (file)
--- a/profiles/audio/a2dp.c
+++ b/profiles/audio/a2dp.c
@@ -2315,6 +2315,12 @@ static void transport_cb(GIOChannel *io, GError *err, gpointer user_data)
        struct a2dp_setup *setup = user_data;
        uint16_t omtu, imtu;
 
+       if (!g_slist_find(setups, setup)) {
+               warn("bt_io_accept: setup %p no longer valid", setup);
+               g_io_channel_shutdown(io, TRUE, NULL);
+               return;
+       }
+
        if (err) {
                error("%s", err->message);
                goto drop;
@@ -3546,4 +3552,4 @@ static void a2dp_exit(void)
 }
 
 BLUETOOTH_PLUGIN_DEFINE(a2dp, VERSION, BLUETOOTH_PLUGIN_PRIORITY_DEFAULT,
-                                                       a2dp_init, a2dp_exit)
+               a2dp_init, a2dp_exit)