authorLuiz Augusto von Dentz <luiz.von.dentz@intel.com>2014-01-14 12:42:48 +0200
committerSzymon Janc <szymon.janc@tieto.com>2014-01-14 11:53:00 +0100
commit5903b4f510a1534ab81b15c4223e0f6839aa207f (patch)
tree32477acb43f508045d97c0f504d3fd8bf4c5cbbe /android/avdtp.c
parentd2ba4c96acc520ffbd5b97c0ef32a0c9045e6959 (diff)
android/AVDTP: Fix invalid free of struct discover
If the callback releases the last reference, it can cause the following: Invalid free() / delete / delete[] / realloc() at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) by 0x386244EF7E: g_free (in /usr/lib64/libglib-2.0.so.0.3800.2) by 0x410356: finalize_discovery (avdtp.c:933) by 0x414462: session_cb (avdtp.c:2555) by 0x38624492A5: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3800.2) by 0x3862449627: ??? (in /usr/lib64/libglib-2.0.so.0.3800.2) by 0x3862449A39: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3800.2) by 0x403A95: main (main.c:439) Address 0x4cf7af0 is 0 bytes inside a block of size 24 free'd at 0x4A07577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) by 0x386244EF7E: g_free (in /usr/lib64/libglib-2.0.so.0.3800.2) by 0x410356: finalize_discovery (avdtp.c:933) by 0x4110BC: avdtp_unref (avdtp.c:1026) by 0x416491: a2dp_device_free (a2dp.c:122) by 0x4165DF: bt_a2dp_notify_state (a2dp.c:166) by 0x417170: discover_cb (a2dp.c:333) by 0x41034E: finalize_discovery (avdtp.c:931) by 0x414462: session_cb (avdtp.c:2555) by 0x38624492A5: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3800.2) by 0x3862449627: ??? (in /usr/lib64/libglib-2.0.so.0.3800.2) by 0x3862449A39: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3800.2)
Diffstat (limited to 'android/avdtp.c')
-rw-r--r--android/avdtp.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/android/avdtp.c b/android/avdtp.c
index 473e02b11..5da120671 100644
--- a/android/avdtp.c
+++ b/android/avdtp.c
@@ -923,6 +923,8 @@ static void finalize_discovery(struct avdtp *session, int err)
if (!discover)
return;
+ session->discover = NULL;
+
avdtp_error_init(&avdtp_err, AVDTP_ERRNO, err);
if (discover->id > 0)
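Review bot: The early return at the top of this hunk now depends on `session->discover` being cleared before the callback runs — the re-entrant path in the commit message (discover_cb → avdtp_unref → finalize_discovery) stops at `if (!discover)` only because of that ordering, and nothing on the added line records it. A why-comment on `session->discover = NULL;`, such as `/* Cleared before the callback: it may drop the last session ref and re-enter finalize_discovery(), which must then see no pending discovery */`, would keep a later cleanup from moving the assignment back after the callback, where the second hunk removes it from. For the same reason `session` may already be freed once `discover->cb()` returns, so the code after the call must touch only the local `discover`, as the second hunk's `g_free(discover)` does; a one-line note there would make that constraint explicit. finalize_discovery() begins before this hunk, where `discover` is presumably read from `session->discover`, and the body of `if (discover->id > 0)` lies between the two hunks.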
@@ -931,7 +933,6 @@ static void finalize_discovery(struct avdtp *session, int err)
discover->cb(session, session->seps, err ? &avdtp_err : NULL,
discover->user_data);
g_free(discover);
- session->discover = NULL;
}
static void release_stream(struct avdtp_stream *stream, struct avdtp *session)