From: Ayush Garg <ayush.garg@samsung.com>
Date: Tue, 28 Dec 2021 16:04:42 +0000 (+0530)
Subject: a2dp: Fix crash on connection lost
X-Git-Tag: accepted/tizen/unified/20220104.123146^2
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fchanges%2F48%2F268648%2F2;p=platform%2Fupstream%2Fbluez.git

a2dp: Fix crash on connection lost

when the channel is removed on connection lost, the
setup->chan pointer becomes dangling which causes crash
in find_remote_sep.
So mark this pointer as NULL whenever the channel is removed.

Change-Id: I1b3fe81df18d4ea8eed00739a9db7d0e7232dda0
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
---

diff --git a/profiles/audio/a2dp.c b/profiles/audio/a2dp.c
index 7479683..d2047cd 100644
--- a/profiles/audio/a2dp.c
+++ b/profiles/audio/a2dp.c
@@ -1235,6 +1235,13 @@ static gboolean close_ind(struct avdtp *session, struct avdtp_local_sep *sep,
 static struct a2dp_remote_sep *find_remote_sep(struct a2dp_channel *chan,
 						struct a2dp_sep *sep)
 {
+#ifdef TIZEN_FEATURE_BLUEZ_MODIFY
+	if (!chan) {
+		DBG("chan is NULL");
+		return NULL;
+	}
+#endif
+
 	struct avdtp_remote_sep *rsep;
 
 	rsep = avdtp_find_remote_sep(chan->session, sep->lsep);
@@ -1289,6 +1296,13 @@ failed:
 static struct a2dp_remote_sep *get_remote_sep(struct a2dp_channel *chan,
 						struct avdtp_stream *stream)
 {
+#ifdef TIZEN_FEATURE_BLUEZ_MODIFY
+	if (!chan) {
+		DBG("chan is NULL");
+		return NULL;
+	}
+#endif
+
 	struct avdtp_remote_sep *rsep;
 
 	rsep = avdtp_stream_get_remote_sep(stream);
@@ -1596,6 +1610,9 @@ static void remove_remote_sep(void *data)
 static void channel_free(void *data)
 {
 	struct a2dp_channel *chan = data;
+#ifdef TIZEN_FEATURE_BLUEZ_MODIFY
+	struct a2dp_setup *setup = NULL;
+#endif
 
 	if (chan->auth_id > 0)
 		btd_cancel_authorization(chan->auth_id);
@@ -1612,6 +1629,15 @@ static void channel_free(void *data)
 
 	queue_destroy(chan->seps, remove_remote_sep);
 	free(chan->last_used);
+
+#ifdef TIZEN_FEATURE_BLUEZ_MODIFY
+	if (chan->session)
+		setup = find_setup_by_session(chan->session);
+
+	if (setup && setup->chan == chan)
+		setup->chan = NULL;
+#endif
+
 	g_free(chan);
 }
 
@@ -2706,6 +2732,14 @@ static void select_cb(struct a2dp_setup *setup, void *ret, int size)
 	}
 
 	setup->rsep = find_remote_sep(setup->chan, setup->sep);
+
+#ifdef TIZEN_FEATURE_BLUEZ_MODIFY
+	if (!setup->rsep) {
+		error("unable to find remote SEP");
+		goto done;
+	}
+#endif
+
 	service = avdtp_get_codec(setup->rsep->sep);
 	codec = (struct avdtp_media_codec_capability *) service->data;