From eb493d163510bfc72cc30a40217bca7edf7ca075 Mon Sep 17 00:00:00 2001 From: Luiz Augusto von Dentz Date: Wed, 12 Jan 2022 07:22:22 -0800 Subject: [PATCH] media: Fix crash when endpoint replies with an error to SetConfiguration If endpoint responds to SetConfiguration the transport is being destroyed without removing it from the list leading a crash. Fixes: https://github.com/bluez/bluez/issues/269 Signed-off-by: Manika Shrivastava Signed-off-by: Ayush Garg --- profiles/audio/media.c | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/profiles/audio/media.c b/profiles/audio/media.c index 91d73a0..16759b5 100644 --- a/profiles/audio/media.c +++ b/profiles/audio/media.c @@ -285,6 +285,16 @@ static struct media_adapter *find_adapter(struct btd_device *device) return NULL; } +static void endpoint_remove_transport(struct media_endpoint *endpoint, + struct media_transport *transport) +{ + if (!endpoint || !transport) + return; + + endpoint->transports = g_slist_remove(endpoint->transports, transport); + media_transport_destroy(transport); +} + static void clear_configuration(struct media_endpoint *endpoint, struct media_transport *transport) { @@ -307,7 +317,7 @@ static void clear_configuration(struct media_endpoint *endpoint, DBUS_TYPE_INVALID); g_dbus_send_message(btd_get_dbus_connection(), msg); done: - endpoint->transports = g_slist_remove(endpoint->transports, transport); + endpoint_remove_transport(endpoint, transport); #ifdef TIZEN_FEATURE_BLUEZ_MODIFY if ((mp = media_adapter_get_player(endpoint->adapter))) if (mp->sink_watch) { @@ -356,12 +366,8 @@ static void endpoint_reply(DBusPendingCall *call, void *user_data) if (dbus_message_is_method_call(request->msg, MEDIA_ENDPOINT_INTERFACE, - "SetConfiguration")) { - if (request->transport == NULL) - error("Expected to destroy transport"); - else - media_transport_destroy(request->transport); - } + "SetConfiguration")) + endpoint_remove_transport(endpoint, request->transport); dbus_error_free(&err); goto done; -- 2.7.4