diff options
| author | Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | 2014-07-30 13:00:03 +0300 |
|---|---|---|
| committer | Szymon Janc <szymon.janc@tieto.com> | 2014-07-30 12:27:10 +0200 |
| commit | e33cfea47f12cae9b48e1c135edf8d21639a5b6a (patch) | |
| tree | f4450b9d127087968307024738b16b1fbb342c9b /android/avrcp.c | |
| parent | 1dee0975b006d859c6901da4d029418bd82e143e (diff) | |
| download | bluez-e33cfea47f12cae9b48e1c135edf8d21639a5b6a.tar.gz | |
android/avrcp: Fix crash while discovering records
If the device is removed before SDP discovery is completed the following
crash can happen:
Invalid read of size 4
at 0x11CA6A: avrcp_device_free (avrcp.c:472)
by 0x11D70F: search_cb (avrcp.c:944)
by 0x13749D: search_completed_cb (sdp-client.c:176)
by 0x134E0F: sdp_process (sdp.c:4345)
by 0x1374F5: search_process_cb (sdp-client.c:201)
by 0x48BD9C7: g_io_unix_dispatch (giounix.c:166)
by 0x48C2CCB: g_main_context_dispatch (gmain.c:2539)
by 0x48C2ED9: g_main_context_iterate.isra.19 (gmain.c:3146)
by 0x48C3167: g_main_loop_run (gmain.c:3340)
by 0x10D00D: main (main.c:538)
Address 0x4bcb904 is 20 bytes inside a block of size 24 free'd
at 0x4897E6C: free (in /system/lib/valgrind/vgpreload_memcheck-arm-linux.so)
by 0x48C5E2B: g_free (gmem.c:252)
by 0x11A52F: bt_a2dp_notify_state (a2dp.c:238)
by 0x1172C1: process_disconnect (avdtp.c:1005)
by 0x48C146B: g_list_foreach (gslist.c:840)
by 0x48CD869: g_slist_free_full (gslist.c:177)
by 0x117CAB: connection_lost (avdtp.c:1021)
by 0x11A02F: session_cb (avdtp.c:2081)
by 0x48BD9C7: g_io_unix_dispatch (giounix.c:166)
by 0x48C2CCB: g_main_context_dispatch (gmain.c:2539)
by 0x48C2ED9: g_main_context_iterate.isra.19 (gmain.c:3146)
by 0x48C3167: g_main_loop_run (gmain.c:3340)
Diffstat (limited to 'android/avrcp.c')
| -rw-r--r-- | android/avrcp.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/android/avrcp.c b/android/avrcp.c index caf933508..8c5cf8a58 100644 --- a/android/avrcp.c +++ b/android/avrcp.c @@ -892,6 +892,9 @@ static void search_cb(sdp_list_t *recs, int err, gpointer data) DBG(""); + if (!g_slist_find(devices, dev)) + return; + if (err < 0) { error("Unable to get AV_REMOTE_SVCLASS_ID SDP record: %s", strerror(-err)); |