From: Seungyoun Ju
Date: Tue, 16 Jan 2018 08:41:37 +0000 (+0900)
Subject: RFCOMM socket : free connection info before sending callback
X-Git-Tag: accepted/tizen/4.0/unified/20190212.083135~9
X-Git-Url: http://review.tizen.org/git/?p=platform%2Fcore%2Fconnectivity%2Fbluetooth-frwk.git;a=commitdiff_plain;h=271f9f9005d4eca6c4d57092be8ed2a00b2e3454

RFCOMM socket : free connection info before sending callback

[Problem]
Application crash happens when bluetooth_rfcomm_remove_socket() is called in socket disconnect callback.

[Cause & Measure]
Connection information structure is freed by bluetooth_rfcomm_remove_socket(). But after returning back from callback, already freed structure is accessed. It causes crash.
Before sending disconnection event, free related structure first, so that application can use bluetooth_rfcomm_remove_socket() in disconnection callback without crash.

[Checking Method]
Call bluetooth_rfcomm_remove_socket() in server socket's disconnection callback.

(gdb) f 0
128 conn = l->data;
(gdb) p *info
$1 = {object_id = 2874763544, path = 0xf6ecb840, id = 1802724708, uuid = 0x2e706f74 , rfcomm_conns = 0x73754244, disconnect_idle_id = 1701013760}

Change-Id: I1a3436979bb1fbb3ebfa4890157f2b4868de23fd
---
diff --git a/bt-api/bt-rfcomm-client.c b/bt-api/bt-rfcomm-client.c
index 099816e..58cf81f 100644
--- a/bt-api/bt-rfcomm-client.c
+++ b/bt-api/bt-rfcomm-client.c
@@ -269,15 +269,14 @@ static void _bt_rfcomm_disconnect_conn_info(rfcomm_conn_info_t *conn_info, BT_DBG("Disconnection Result[%d] BT_ADDRESS[%s] UUID[%s] FD[%d]", BLUETOOTH_ERROR_NONE, conn_info->bt_addr, info->uuid, conn_info->fd); - _bt_common_event_cb(BLUETOOTH_EVENT_RFCOMM_DISCONNECTED, - BLUETOOTH_ERROR_NONE, &disconn_info, - event_info->cb, event_info->user_data); - __rfcomm_remove_conn_info_t(info, conn_info->bt_addr); - if (info->rfcomm_conns == NULL) rfcomm_cb_data_remove(info); + _bt_common_event_cb(BLUETOOTH_EVENT_RFCOMM_DISCONNECTED, + BLUETOOTH_ERROR_NONE, &disconn_info, + event_info->cb, event_info->user_data); + BT_DBG("-"); } diff --git a/bt-api/bt-rfcomm-server.c b/bt-api/bt-rfcomm-server.c index d29f93c..04efc68 100644 --- a/bt-api/bt-rfcomm-server.c +++ b/bt-api/bt-rfcomm-server.c @@ -209,11 +209,11 @@ static void __rfcomm_server_disconnect_conn(rfcomm_conn_t *conn, BT_INFO("Disconnected FD [%d]", conn->fd); disconn_info.socket_fd = conn->fd; + __rfcomm_remove_conn(info, conn->fd); + _bt_common_event_cb(BLUETOOTH_EVENT_RFCOMM_DISCONNECTED, BLUETOOTH_ERROR_NONE, &disconn_info, event_info->cb, event_info->user_data); - - __rfcomm_remove_conn(info, conn->fd); } static gboolean __rfcomm_server_disconnect(rfcomm_info_t *info)
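Review bot: in the bt-rfcomm-client.c hunk, `rfcomm_cb_data_remove(info)` can now run before `_bt_common_event_cb(...)`, which still reads `event_info->cb` and `event_info->user_data`; the hunk does not show where `event_info` comes from, so if it is owned by or points into `info`, the use-after-free has moved rather than gone. Suggest copying the callback pointer and user data into locals before `__rfcomm_remove_conn_info_t(info, conn_info->bt_addr);` and passing those locals to `_bt_common_event_cb`, and adding a one-line comment above the removal stating that it must precede the callback so an application may call bluetooth_rfcomm_remove_socket() from inside it. `disconn_info` is passed by address and was filled in earlier, so that part is unaffected by the reorder.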
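Review bot: in the bt-rfcomm-server.c hunk, the ordering of `__rfcomm_remove_conn(info, conn->fd);` ahead of `_bt_common_event_cb` is now load-bearing but undocumented; add a comment above it explaining that the entry must be gone before the callback fires so an application may call bluetooth_rfcomm_remove_socket() inside the callback, otherwise a later tidy-up could move it back below the callback and reintroduce the crash described in the commit message. Separately, with the entry removed first, a bluetooth_rfcomm_remove_socket() call from inside the callback will look up an fd that no longer exists, so the lookup path must return a defined error for an unknown fd rather than assume a match; nothing after the callback in this hunk touches `conn` again, which is consistent with the intended fix.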