From fea68267b586dfeffcff2cb71ac53bb0941bc1be Mon Sep 17 00:00:00 2001
From: Abhay Agarwal
Date: Fri, 11 Sep 2020 15:06:37 +0530
Subject: [PATCH] Mesh: Fix crash due to derefence of NULL pointer

This patch fix the crash occured due to dererencing without null check

(gdb) bt
0 0xf7051b4a in g_slist_length () from /lib/libglib-2.0.so.0
1 0xf716ab6c in __bt_mesh_destroy_network_handles (net=net@entry=0x1fc9100) at /usr/src/debug/capi-network-bluetooth-0.6.0/src/bluetooth-mesh.c:869
2 0xf716ae14 in __bt_mesh_destroy_network_handles (net=0x1fc9100) at /usr/src/debug/capi-network-bluetooth-0.6.0/src/bluetooth-mesh.c:854
3 __mesh_unload_network_configurations (data=0x1fc9100, user_data=) at /usr/src/debug/capi-network-bluetooth-0.6.0/src/bluetooth-mesh.c:709
4 0xf7051b6c in g_slist_foreach () from /lib/libglib-2.0.so.0
5 0xf716bc9e in bt_mesh_deinitialize () at /usr/src/debug/capi-network-bluetooth-0.6.0/src/bluetooth-mesh.c:731

Change-Id: I25aee100d88f4fa281cdeb6f04b64bf6d60184ff
Signed-off-by: Abhay Agarwal
---
 src/bluetooth-mesh.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/src/bluetooth-mesh.c b/src/bluetooth-mesh.c
index dfc0c3b..6798f35 100644
--- a/src/bluetooth-mesh.c
+++ b/src/bluetooth-mesh.c
@@ -338,6 +338,10 @@ int __bt_check_mesh_init_status(void)
 static void __bt_mesh_free_models(void *data)
 {
 bt_mesh_model_s *model = (bt_mesh_model_s*)data;
+
+ if (!model)
+ return;
+
 model_list = g_slist_remove(model_list, model);
 g_free(model);
 }
@@ -345,6 +349,10 @@ static void __bt_mesh_free_models(void *data)
 static void __bt_mesh_free_elements(void *data)
 {
 bt_mesh_element_s *elem = (bt_mesh_element_s*)data;
+
+ if (!elem)
+ return;
+
 element_list = g_slist_remove(element_list, elem);
 g_slist_free_full(elem->models, __bt_mesh_free_models);
 g_free(elem);
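Review bot: The guard added to `__bt_mesh_free_models` does not close the crash in the backtrace: `g_free(NULL)` is a no-op and `g_slist_remove()` only compares the pointer, so a NULL `data` never faulted in this destroy-notify. The one behavioural effect of the early `return` is that a NULL entry the old code would have removed from the global `model_list` now stays there, where any later walker of `model_list` (outside this hunk) still meets it. If the guard is kept, purge the entry and make the corruption visible, `if (!model) { model_list = g_slist_remove(model_list, NULL); return; }`, ideally with a log line, so the call site that appended a NULL model can be found; the crash site the trace points at is the node loop of `__bt_mesh_destroy_network_handles` further down.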
@@ -354,6 +362,10 @@ static void __bt_mesh_free_elements(void *data)
 static void __bt_mesh_free_appkeys(void *data)
 {
 bt_mesh_appkey_s *appkey = (bt_mesh_appkey_s*)data;
+
+ if (!appkey)
+ return;
+
 appkey_list = g_slist_remove(appkey_list, appkey);
 g_free(appkey);
 }
@@ -864,6 +876,9 @@ static void __bt_mesh_destroy_network_handles(bt_mesh_network_s *net)
 bt_mesh_node_s *node_s = (bt_mesh_node_s*)l->data;
 l = g_slist_next(l);
 
+ if (!node_s)
+ continue;
+
 net->nodes = g_slist_remove(net->nodes, node_s);
 node_list = g_slist_remove(node_list, node_s);
 BT_INFO("Mesh: Total elements present in Node [%d]",
@@ -880,6 +895,9 @@ static void __bt_mesh_destroy_network_handles(bt_mesh_network_s *net)
 bt_mesh_netkey_s *netkey_s = (bt_mesh_netkey_s*)l->data;
 l = g_slist_next(l);
 
+ if (!netkey_s)
+ continue;
+
 net->netkeys = g_slist_remove(net->netkeys, netkey_s);
 netkey_list = g_slist_remove(netkey_list, netkey_s);
 BT_INFO("Mesh: Total appkeys present in Netkey [%d]",
@@ -895,6 +913,9 @@ static void __bt_mesh_destroy_network_handles(bt_mesh_network_s *net)
 bt_mesh_group_s *group_s = (bt_mesh_group_s*)l->data;
 l = g_slist_next(l);
 
+ if (!group_s)
+ continue;
+
 net->groups = g_slist_remove(net->groups, group_s);
 group_list = g_slist_remove(group_list, group_s);
 g_free(group_s);
-- 
2.7.4
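Review bot: In `__bt_mesh_free_appkeys` the early `return` only changes behaviour for a NULL entry, since `g_free(NULL)` and `g_slist_remove(appkey_list, NULL)` were already safe, and it now leaves that NULL in the global `appkey_list` instead of removing it; `if (!appkey) { appkey_list = g_slist_remove(appkey_list, NULL); return; }` keeps the list clean. More relevant for a key-handling path: if `bt_mesh_appkey_s` carries the AppKey bytes (the struct is not visible here, confirm), the `g_free(appkey)` at the end of the hunk releases them to the heap unwiped. Key material should be cleared with a wipe the compiler cannot drop (`explicit_bzero` or a volatile-byte loop; a plain `memset` right before `g_free` may be elided) before the free.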
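Review bot: The `continue` in the node loop of `__bt_mesh_destroy_network_handles` skips both `g_slist_remove()` calls, so the NULL entry that triggered the backtrace stays in `net->nodes` and in the global `node_list`; whatever frees `net->nodes` or iterates `node_list` after this loop (outside the hunk) still sees it, and the reason a NULL node was ever appended is hidden without a trace. Drop the stale entry and record it: `net->nodes = g_slist_remove(net->nodes, NULL);` and `node_list = g_slist_remove(node_list, NULL);` before `continue;`, plus an error-level log in the style of the `BT_INFO` three lines below. The same remark applies to the netkey and group loops in the two following hunks. Judging by the trace, the fault was presumably in the `g_slist_length()` argument of the `BT_INFO` call just after this hunk, which the guard now does cover; the loop header and the rest of the function are outside the hunk.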