RFCOMM socket : free connection info before sending callback

[Problem] Application crash happens when
 bluetooth_rfcomm_remove_socket() is called in socket disconnect callback.
[Cause & Measure] Connection information structure is freed by
 bluetooth_rfcomm_remove_socket(). But after returning back from
 callback, already freed structure is accessed. It causes crash.
 Before sending disconnection event, free related structure first. So
 that, application can use bluetooth_rfcomm_remove_socket() in
 disconnection callback without crash.
[Checking Method] Call bluetooth_rfcomm_remove_socket() in server
 socket's disconnection callback.

(gdb) f 0
128			conn = l->data;
(gdb) p *info
$1 = {object_id = 2874763544,
  path = 0xf6ecb840, id = 1802724708,
  uuid = 0x2e706f74 <error: Cannot access memory at address 0x2e706f74>, rfcomm_conns = 0x73754244, disconnect_idle_id = 1701013760}

Change-Id: I1a3436979bb1fbb3ebfa4890157f2b4868de23fd

diff --git a/bt-api/bt-rfcomm-client.c b/bt-api/bt-rfcomm-client.c
index 099816e..58cf81f 100644 (file)
--- a/bt-api/bt-rfcomm-client.c
+++ b/bt-api/bt-rfcomm-client.c
@@ -269,15 +269,14 @@ static void _bt_rfcomm_disconnect_conn_info(rfcomm_conn_info_t *conn_info,
        BT_DBG("Disconnection Result[%d] BT_ADDRESS[%s] UUID[%s] FD[%d]",
                        BLUETOOTH_ERROR_NONE, conn_info->bt_addr,
                        info->uuid, conn_info->fd);
-       _bt_common_event_cb(BLUETOOTH_EVENT_RFCOMM_DISCONNECTED,
-                       BLUETOOTH_ERROR_NONE, &disconn_info,
-                       event_info->cb, event_info->user_data);
-
        __rfcomm_remove_conn_info_t(info, conn_info->bt_addr);
-
        if (info->rfcomm_conns == NULL)
                rfcomm_cb_data_remove(info);
 
+       _bt_common_event_cb(BLUETOOTH_EVENT_RFCOMM_DISCONNECTED,
+                       BLUETOOTH_ERROR_NONE, &disconn_info,
+                       event_info->cb, event_info->user_data);
+
        BT_DBG("-");
 }
 

diff --git a/bt-api/bt-rfcomm-server.c b/bt-api/bt-rfcomm-server.c
index d29f93c..04efc68 100644 (file)
--- a/bt-api/bt-rfcomm-server.c
+++ b/bt-api/bt-rfcomm-server.c
@@ -209,11 +209,11 @@ static void __rfcomm_server_disconnect_conn(rfcomm_conn_t *conn,
        BT_INFO("Disconnected FD [%d]", conn->fd);
        disconn_info.socket_fd = conn->fd;
 
+       __rfcomm_remove_conn(info, conn->fd);
+
        _bt_common_event_cb(BLUETOOTH_EVENT_RFCOMM_DISCONNECTED,
                        BLUETOOTH_ERROR_NONE, &disconn_info,
                        event_info->cb, event_info->user_data);
-
-       __rfcomm_remove_conn(info, conn->fd);
 }
 
 static gboolean __rfcomm_server_disconnect(rfcomm_info_t *info)