diff options
| author | Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | 2017-07-25 11:39:01 +0300 |
|---|---|---|
| committer | Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | 2017-07-25 11:39:01 +0300 |
| commit | 3790a1f46ce0105308a45b4dbb9ca769828fa81d (patch) | |
| tree | f55b0b29164d85ecb88f04f653ea698e62bf9f67 /src/gatt-client.c | |
| parent | 5e44548ec102eec6267f0e0e2521b8e7774d11e0 (diff) | |
| download | bluez-3790a1f46ce0105308a45b4dbb9ca769828fa81d.tar.gz | |
gatt: Fix crash when cleanup notify_io
When removing interfaces the code will attempt to free any notify client
but the notify_io may still be pointing to the client causing the
following crash:
Invalid read of size 8
at 0x49D531: notify_io_destroy (gatt-client.c:1452)
by 0x49E1B2: pipe_io_destroy (gatt-client.c:1077)
by 0x49E25D: characteristic_free (gatt-client.c:1650)
by 0x4CA2B9: remove_interface (object.c:667)
by 0x4CAF05: g_dbus_unregister_interface (object.c:1391)
by 0x49D248: unregister_characteristic (gatt-client.c:1730)
by 0x4D0956: queue_remove_all (queue.c:351)
by 0x49D05D: unregister_service (gatt-client.c:1879)
by 0x4D0956: queue_remove_all (queue.c:351)
by 0x4D09B4: queue_destroy (queue.c:73)
by 0x4A10C6: btd_gatt_client_destroy (gatt-client.c:2079)
by 0x4A4087: device_free (device.c:640)
Address 0x8f56b00 is 0 bytes inside a block of size 32 free'd
at 0x4C2FD18: free (vg_replace_malloc.c:530)
by 0x49D4AF: notify_client_unref (gatt-client.c:1267)
by 0x49D520: remove_client (gatt-client.c:1711)
by 0x4D0956: queue_remove_all (queue.c:351)
by 0x49D205: unregister_characteristic (gatt-client.c:1727)
by 0x4D0956: queue_remove_all (queue.c:351)
by 0x49D05D: unregister_service (gatt-client.c:1879)
by 0x4D0956: queue_remove_all (queue.c:351)
by 0x4D09B4: queue_destroy (queue.c:73)
by 0x4A10C6: btd_gatt_client_destroy (gatt-client.c:2079)
by 0x4A4087: device_free (device.c:640)
by 0x4CA2B9: remove_interface (object.c:667)
Diffstat (limited to 'src/gatt-client.c')
| -rw-r--r-- | src/gatt-client.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/gatt-client.c b/src/gatt-client.c index b5b2ea39c..4f70aa7db 100644 --- a/src/gatt-client.c +++ b/src/gatt-client.c @@ -1449,8 +1449,8 @@ static void notify_io_destroy(void *data) { struct notify_client *client = data; - queue_remove(client->chrc->notify_clients, client); - notify_client_unref(client); + if (queue_remove(client->chrc->notify_clients, client)) + notify_client_unref(client); } static DBusMessage *characteristic_acquire_notify(DBusConnection *conn, |