author | Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | 2017-11-09 13:33:30 +0200 |
---|---|---|
committer | Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | 2017-11-09 13:33:30 +0200 |
commit | 4cf79541763cb02e2a553ed16c88bf1d13595eb4 (patch) | |
tree | f7bc9956d8a38aec509614ba989ee3fcd50adb17 /profiles | |
parent | 7ece89b0b6f1ef8b4d4ca132a5163c08a14c41e2 (diff) | |
download | bluez-4cf79541763cb02e2a553ed16c88bf1d13595eb4.tar.gz |
a2dp: Fix crash when connectin
server->seps contains avdtp_local_sep entries, not a2dp_sep, which causes
the following crash:
Invalid read of size 4
at 0x426EF8: avdtp_sep_get_state (avdtp.c:3655)
by 0x41D474: a2dp_avdtp_get (a2dp.c:1413)
by 0x42BE80: resume_a2dp (transport.c:340)
by 0x42C0D3: acquire (transport.c:466)
by 0x4CE702: process_message.isra.3 (object.c:259)
by 0x4CEF34: generic_message (object.c:1079)
by 0x53BB57F: ??? (in /usr/lib64/libdbus-1.so.3.19.0)
by 0x53AC3A9: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.19.0)
by 0x4C935F: message_dispatch (mainloop.c:72)
by 0x50C9C26: ??? (in /usr/lib64/libglib-2.0.so.0.5200.3)
by 0x50CD246: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.5200.3)
by 0x50CD5E7: ??? (in /usr/lib64/libglib-2.0.so.0.5200.3)
Address 0x0 is not stack'd, malloc'd or (recently) free'd
Diffstat (limited to 'profiles')
-rw-r--r-- | profiles/audio/a2dp.c | 24 |
1 files changed, 12 insertions, 12 deletions
diff --git a/profiles/audio/a2dp.c b/profiles/audio/a2dp.c
index 35b9e9d11..fc98bb264 100644
--- a/profiles/audio/a2dp.c
+++ b/profiles/audio/a2dp.c
@@ -1405,12 +1405,22 @@ struct avdtp *a2dp_avdtp_get(struct btd_device *device)
 if (server == NULL)
 return NULL;

+ chan = queue_find(server->channels, match_by_device, device);
+ if (!chan) {
+ chan = channel_new(server, device, NULL);
+ if (!chan)
+ return NULL;
+ }
+
+ if (chan->session)
+ return avdtp_ref(chan->session);
+
 /* Check if there is any SEP available */
 for (entry = queue_get_entries(server->seps); entry;
 entry = entry->next) {
- struct a2dp_sep *sep = entry->data;
+ struct avdtp_local_sep *sep = entry->data;

- if (avdtp_sep_get_state(sep->lsep) == AVDTP_STATE_IDLE)
+ if (avdtp_sep_get_state(sep) == AVDTP_STATE_IDLE)
 goto found;
 }

@@ -1419,16 +1429,6 @@ struct avdtp *a2dp_avdtp_get(struct btd_device *device)
 return NULL;

 found:
- chan = queue_find(server->channels, match_by_device, device);
- if (!chan) {
- chan = channel_new(server, device, NULL);
- if (!chan)
- return NULL;
- }
-
- if (chan->session)
- return avdtp_ref(chan->session);
-
 chan->session = avdtp_new(NULL, device, server->seps);
 if (!chan->session) {
 channel_remove(chan);
 |
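Review bot: With the lookup moved above the SEP scan in the first hunk, a channel freshly created by `channel_new(server, device, NULL)` appears to stay in `server->channels` with no session when no SEP is idle, because the `return NULL` ahead of `found:` (only partly visible between the two hunks) has no `channel_remove(chan)` the way the `avdtp_new` failure path does. One option is to keep only the lookup early, `chan = queue_find(server->channels, match_by_device, device);` followed by `if (chan && chan->session) return avdtp_ref(chan->session);`, and leave the `if (!chan)` creation after `found:`; the other is to call `channel_remove(chan)` on that early return when the channel was created in this call. Since `entry->data` is assigned to either struct pointer without a cast, a comment on the loop such as `/* server->seps holds struct avdtp_local_sep, not struct a2dp_sep */` would help prevent the same type mix-up that produced the NULL read. The body of a2dp_avdtp_get starts and ends outside these hunks.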