From: Bharat Panda <bharat.panda@samsung.com>
Date: Tue, 10 Nov 2015 06:01:41 +0000 (+0530)
Subject: Audio/Media: Fix incorrect value dereference
X-Git-Tag: accepted/tizen/mobile/20151202.230855~9
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=f37981ababd10cee13868a91abf2a585639e664d;p=platform%2Fupstream%2Fbluez.git

Audio/Media: Fix incorrect value dereference

parameter value passed to the config_cb is a pointer to the
gbooloean. Dereferencing the value rather than address leads to
mismatch in handling the return value.

avdtp.c:avdtp_parse_cmd() Received SET_CONFIGURATION_CMD
a2dp.c:endpoint_setconf_ind() Source 0xb7d49ef8: Set_Configuration_Ind
a2dp.c:setup_ref() 0xb7d53b98: ref=2
media.c:media_adapter_get_player()
media.c:media_set_sink_callback()
media.c:media_endpoint_async_call() Calling SetConfiguration: name = :1.37 path = /MediaEndpoint/A2DPSource

*#0 0xb6cea184 in __libc_free (mem=0xbead3ae4) at malloc.c:3736
*#1 0xb6e33468 in g_free () from /usr/lib/libglib-2.0.so.0
*#2 0xb6f25db0 in auto_config (data=0xb7d53b98) at profiles/audio/a2dp.c:430
*#3 0xb6f2ad76 in config_cb (endpoint=<value optimized out>,
*	ret=<value optimized out>, size=<value optimized out>,
*	user_data=<value optimized out>) at profiles/audio/media.c:707
*#4 0xb6f2cc4a in endpoint_reply (call=<value optimized out>,
*	user_data=0xb7d516b0) at profiles/audio/media.c:357
*#5 0xb6ddce96 in _dbus_pending_call_complete (pending=0xb7d53bc8)
*	at dbus-pending-call.c:216
*#6 0xb6dcfe82 in complete_pending_call_and_unlock (connection=0xb7d44b40,
*	pending=0xb7d53bc8, message=<value optimized out>)
*	at dbus-connection.c:2331

git repo link:
http://git.kernel.org/cgit/bluetooth/bluez.git/commit/?id=8a5538eaa6edb40693e5f93564c41e59f45bee09

Change-Id: I1286a29c0559845e66f56e427aed26e517c6b9ea
---

diff --git a/profiles/audio/media.c b/profiles/audio/media.c
index e9e4da9..72e20e8 100644
--- a/profiles/audio/media.c
+++ b/profiles/audio/media.c
@@ -704,8 +704,9 @@ static void config_cb(struct media_endpoint *endpoint, void *ret, int size,
 							void *user_data)
 {
 	struct a2dp_config_data *data = user_data;
+	gboolean *ret_value = ret;
 
-	data->cb(data->setup, ret ? TRUE : FALSE);
+	data->cb(data->setup, *ret_value ? TRUE : FALSE);
 }
 
 static int set_config(struct a2dp_sep *sep, uint8_t *configuration,