From f3704f48a19a656ff85a1b19f7c1d81955d92a6c Mon Sep 17 00:00:00 2001 From: Ayush Garg Date: Tue, 28 Dec 2021 21:34:42 +0530 Subject: [PATCH] a2dp: Fix crash on connection lost when the channel is removed on connection lost, the setup->chan pointer becomes dangling which causes crash in find_remote_sep. So mark this pointer as NULL whenever the channel is removed. Change-Id: I1b3fe81df18d4ea8eed00739a9db7d0e7232dda0 Signed-off-by: Ayush Garg --- profiles/audio/a2dp.c | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/profiles/audio/a2dp.c b/profiles/audio/a2dp.c index 7479683..d2047cd 100644 --- a/profiles/audio/a2dp.c +++ b/profiles/audio/a2dp.c @@ -1235,6 +1235,13 @@ static gboolean close_ind(struct avdtp *session, struct avdtp_local_sep *sep, static struct a2dp_remote_sep *find_remote_sep(struct a2dp_channel *chan, struct a2dp_sep *sep) { +#ifdef TIZEN_FEATURE_BLUEZ_MODIFY + if (!chan) { + DBG("chan is NULL"); + return NULL; + } +#endif + struct avdtp_remote_sep *rsep; rsep = avdtp_find_remote_sep(chan->session, sep->lsep); @@ -1289,6 +1296,13 @@ failed: static struct a2dp_remote_sep *get_remote_sep(struct a2dp_channel *chan, struct avdtp_stream *stream) { +#ifdef TIZEN_FEATURE_BLUEZ_MODIFY + if (!chan) { + DBG("chan is NULL"); + return NULL; + } +#endif + struct avdtp_remote_sep *rsep; rsep = avdtp_stream_get_remote_sep(stream); @@ -1596,6 +1610,9 @@ static void remove_remote_sep(void *data) static void channel_free(void *data) { struct a2dp_channel *chan = data; +#ifdef TIZEN_FEATURE_BLUEZ_MODIFY + struct a2dp_setup *setup = NULL; +#endif if (chan->auth_id > 0) btd_cancel_authorization(chan->auth_id); @@ -1612,6 +1629,15 @@ static void channel_free(void *data) queue_destroy(chan->seps, remove_remote_sep); free(chan->last_used); + +#ifdef TIZEN_FEATURE_BLUEZ_MODIFY + if (chan->session) + setup = find_setup_by_session(chan->session); + + if (setup && setup->chan == chan) + setup->chan = NULL; +#endif + g_free(chan); } 
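Review bot: In find_remote_sep the added `if (!chan)` guard sits above `struct avdtp_remote_sep *rsep;`, so with TIZEN_FEATURE_BLUEZ_MODIFY defined the declaration follows a statement. Builds that enable `-Wdeclaration-after-statement` will warn on this, or fail under `-Werror`. The get_remote_sep hunk has the same layout. Moving each `#ifdef` block to just below the `rsep` declaration keeps the check ahead of the first `chan->` dereference without mixing declarations and code. Both function bodies continue outside their hunks.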
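Review bot: The block added at the end of channel_free clears `setup->chan` but leaves `setup->rsep` untouched, even though select_cb fills that field from `find_remote_sep(setup->chan, setup->sep)` and channel_free has just run `queue_destroy(chan->seps, remove_remote_sep)`. If remove_remote_sep releases those entries (its body is not in the hunk), a setup that outlives the channel still holds a stale `rsep`, which none of the new NULL checks can detect. Consider resetting both in the same branch: `if (setup && setup->chan == chan) { setup->chan = NULL; setup->rsep = NULL; }`. find_setup_by_session also appears to return a single match, so a short comment stating that one setup per session is assumed would make the limit of this cleanup explicit.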
@@ -2706,6 +2732,14 @@ static void select_cb(struct a2dp_setup *setup, void *ret, int size) } setup->rsep = find_remote_sep(setup->chan, setup->sep); + +#ifdef TIZEN_FEATURE_BLUEZ_MODIFY + if (!setup->rsep) { + error("unable to find remote SEP"); + goto done; + } +#endif + service = avdtp_get_codec(setup->rsep->sep); codec = (struct avdtp_media_codec_capability *) service->data; -- 2.7.4
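Review bot: The new check in select_cb stops at `setup->rsep`, but the next two lines still use the result of `avdtp_get_codec(setup->rsep->sep)` as `service->data` without testing it. If avdtp_get_codec can return NULL for a SEP with no codec capability recorded (not visible here), the crash moves down one line. A second guard such as `if (!service) { error("remote SEP has no codec"); goto done; }` would close that. The `done` label is outside the hunk, so confirm that jumping there without setting an error on `setup` still reports failure to the caller.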