projects / platform / upstream / bluez.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 40ee864)
shared/gatt-client: Fix possible crash
authorLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
Fri, 17 Jul 2020 21:09:42 +0000 (14:09 -0700)
committerAyush Garg <ayush.garg@samsung.com>
Mon, 12 Apr 2021 09:00:49 +0000 (14:30 +0530)
This fixes the following crash which was the cause of CI failing with
the latest changes:

Invalid read of size 8
   at 0x15A5ED: queue_remove_if (queue.c:289)
   by 0x15181E: chrc_removed (gatt-client.c:278)
   by 0x15A4BC: queue_foreach (queue.c:220)
   by 0x157870: notify_attribute_changed (gatt-db.c:396)
   by 0x157870: notify_service_changed (gatt-db.c:407)
   by 0x15793C: gatt_db_service_destroy (gatt-db.c:433)
   by 0x15A741: queue_remove_all (queue.c:354)
   by 0x15A774: queue_destroy (queue.c:73)
   by 0x15776F: gatt_db_destroy (gatt-db.c:459)
   by 0x15776F: gatt_db_unref (gatt-db.c:471)
   by 0x15776F: gatt_db_unref (gatt-db.c:463)
   by 0x15211A: bt_gatt_client_free (gatt-client.c:2250)
   by 0x152565: notify_cb (gatt-client.c:2228)
   by 0x14D0F8: handle_notify (att.c:972)
   by 0x14D0F8: can_read_data (att.c:1063)
   by 0x1597F4: watch_callback (io-glib.c:170)
   by 0x48B67AE: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.6400.3)
   by 0x48B6B37: ??? (in /usr/lib64/libglib-2.0.so.0.6400.3)
   by 0x48B6E52: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.6400.3)
   by 0x159DE4: mainloop_run (mainloop-glib.c:79)
   by 0x15A1C1: mainloop_run_with_signal (mainloop-notify.c:201)
   by 0x14B27B: tester_run (tester.c:870)
   by 0x147C8E: main (test-gatt.c:4488)
 Address 0x4f51498 is 8 bytes inside a block of size 32 free'd
   at 0x483B9F5: free (vg_replace_malloc.c:538)
   by 0x1520A8: bt_gatt_client_free (gatt-client.c:2235)
   by 0x152565: notify_cb (gatt-client.c:2228)
   by 0x14D0F8: handle_notify (att.c:972)
   by 0x14D0F8: can_read_data (att.c:1063)
   by 0x1597F4: watch_callback (io-glib.c:170)
   by 0x48B67AE: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.6400.3)
   by 0x48B6B37: ??? (in /usr/lib64/libglib-2.0.so.0.6400.3)
   by 0x48B6E52: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.6400.3)
   by 0x159DE4: mainloop_run (mainloop-glib.c:79)
   by 0x15A1C1: mainloop_run_with_signal (mainloop-notify.c:201)
   by 0x14B27B: tester_run (tester.c:870)
   by 0x147C8E: main (test-gatt.c:4488)

Signed-off-by: Anuj Jain <anuj01.jain@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
src/shared/gatt-client.c patch | blob | history

diff --git a/src/shared/gatt-client.c b/src/shared/gatt-client.c
index 5843ff2..8d1a27d 100644 (file)
--- a/src/shared/gatt-client.c
+++ b/src/shared/gatt-client.c
@@ -2506,6 +2506,7 @@ static void bt_gatt_client_free(struct bt_gatt_client *client)
 {
        bt_gatt_client_cancel_all(client);
 
+       queue_destroy(client->notify_chrcs, notify_chrc_free);
        queue_destroy(client->notify_list, notify_data_cleanup);
 
        queue_destroy(client->ready_cbs, ready_destroy);
@@ -2536,7 +2537,6 @@ static void bt_gatt_client_free(struct bt_gatt_client *client)
        queue_destroy(client->clones, NULL);
        queue_destroy(client->svc_chngd_queue, free);
        queue_destroy(client->long_write_queue, request_unref);
-       queue_destroy(client->notify_chrcs, notify_chrc_free);
        queue_destroy(client->pending_requests, request_unref);
 
 #ifdef TIZEN_FEATURE_BLUEZ_MODIFY
Domain: Network & Connectivity / Bluetooth;