[Problem] Application crash happens when
bluetooth_rfcomm_remove_socket() is called in socket disconnect callback.
[Cause & Measure] The connection information structure is freed by
bluetooth_rfcomm_remove_socket(). After returning from the callback,
the already freed structure is accessed, which causes the crash.
Free the related structure before sending the disconnection event, so
that an application can call bluetooth_rfcomm_remove_socket() in the
disconnection callback without a crash.
[Checking Method] Call bluetooth_rfcomm_remove_socket() in server
socket's disconnection callback.
(gdb) f 0
128 conn = l->data;
(gdb) p *info
$1 = {object_id =
2874763544,
path = 0xf6ecb840, id =
1802724708,
uuid = 0x2e706f74 <error: Cannot access memory at address 0x2e706f74>, rfcomm_conns = 0x73754244, disconnect_idle_id =
1701013760}
Change-Id: I1a3436979bb1fbb3ebfa4890157f2b4868de23fd
BT_DBG("Disconnection Result[%d] BT_ADDRESS[%s] UUID[%s] FD[%d]",
BLUETOOTH_ERROR_NONE, conn_info->bt_addr,
info->uuid, conn_info->fd);
BT_DBG("Disconnection Result[%d] BT_ADDRESS[%s] UUID[%s] FD[%d]",
BLUETOOTH_ERROR_NONE, conn_info->bt_addr,
info->uuid, conn_info->fd);
- _bt_common_event_cb(BLUETOOTH_EVENT_RFCOMM_DISCONNECTED,
- BLUETOOTH_ERROR_NONE, &disconn_info,
- event_info->cb, event_info->user_data);
-
__rfcomm_remove_conn_info_t(info, conn_info->bt_addr);
__rfcomm_remove_conn_info_t(info, conn_info->bt_addr);
if (info->rfcomm_conns == NULL)
rfcomm_cb_data_remove(info);
if (info->rfcomm_conns == NULL)
rfcomm_cb_data_remove(info);
+ _bt_common_event_cb(BLUETOOTH_EVENT_RFCOMM_DISCONNECTED,
+ BLUETOOTH_ERROR_NONE, &disconn_info,
+ event_info->cb, event_info->user_data);
+
BT_INFO("Disconnected FD [%d]", conn->fd);
disconn_info.socket_fd = conn->fd;
BT_INFO("Disconnected FD [%d]", conn->fd);
disconn_info.socket_fd = conn->fd;
+ __rfcomm_remove_conn(info, conn->fd);
+
_bt_common_event_cb(BLUETOOTH_EVENT_RFCOMM_DISCONNECTED,
BLUETOOTH_ERROR_NONE, &disconn_info,
event_info->cb, event_info->user_data);
_bt_common_event_cb(BLUETOOTH_EVENT_RFCOMM_DISCONNECTED,
BLUETOOTH_ERROR_NONE, &disconn_info,
event_info->cb, event_info->user_data);
-
- __rfcomm_remove_conn(info, conn->fd);
}
static gboolean __rfcomm_server_disconnect(rfcomm_info_t *info)
}
static gboolean __rfcomm_server_disconnect(rfcomm_info_t *info)
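Review bot: Moving `__rfcomm_remove_conn(info, conn->fd);` ahead of `_bt_common_event_cb(...)` closes the double-free path the commit describes, but it is only safe if `disconn_info` holds copies rather than pointers into `conn` or `info` (for example a uuid or address string), since `__rfcomm_remove_conn` presumably frees `conn` and the callback now runs after that; the same applies in the first hunk, where `rfcomm_cb_data_remove(info)` can free `info` before the event is delivered. The visible lines only show `disconn_info.socket_fd = conn->fd;` being populated, so the other fields of `disconn_info` should be checked for borrowed pointers. A comment at the moved call would keep the invariant from being broken by the next change: `/* conn/info may be freed from here on; disconn_info must contain only copied values, never pointers into them */`. The enclosing function starts outside the hunk.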