diff options
| author | Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | 2020-03-31 10:28:23 -0700 |
|---|---|---|
| committer | Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | 2020-04-01 10:42:00 -0700 |
| commit | 18b780eac37e56990d4128f0405e48b2e2ad7232 (patch) | |
| tree | 1846a444df87a1c49ea4c600ff1e29ebb42ef4e1 /src/gatt-database.c | |
| parent | 4661c1bc2f1da7089789faa60bbbbaa07a5b33f8 (diff) | |
| download | bluez-18b780eac37e56990d4128f0405e48b2e2ad7232.tar.gz | |
gatt: Fix possible crashes when disconnecting
If there are pending AcquireWrite or AcquireNotify when disconnecting
the attribute object may be freed (e.g. device is temporary) leading to
the following backtrace:
bluetoothd[369928]: src/gatt-database.c:gatt_db_service_removed() Local GATT service removed
bluetoothd[369928]: src/adapter.c:adapter_service_remove() /org/bluez/hci1
bluetoothd[369928]: src/adapter.c:remove_uuid() sending remove uuid command for index 1
bluetoothd[369928]: src/sdpd-service.c:remove_record_from_server() Removing record with handle 0x1002e
bluetoothd[369928]: src/gatt-database.c:send_notification_to_device() GATT server sending indication
bluetoothd[369928]: src/device.c:gatt_debug() Write Complete: err -125
bluetoothd[369928]: src/gatt-database.c:client_disconnect_cb() Client disconnected
bluetoothd[369928]: src/advertising.c:client_disconnect_cb() Client disconnected
bluetoothd[369928]: Failed to acquire write: org.freedesktop.DBus.Error.NoReply
Program received signal SIGSEGV, Segmentation fault.
0x0000555555631450 in acquire_write_reply (message=0x55555583dec0, user_data=0x555555843e40) at src/gatt-database.c:2437
2437 send_write(op->device, op->attrib, chrc->proxy, NULL, op->id,
Diffstat (limited to 'src/gatt-database.c')
| -rw-r--r-- | src/gatt-database.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/src/gatt-database.c b/src/gatt-database.c index c11d14b41..55fd28a54 100644 --- a/src/gatt-database.c +++ b/src/gatt-database.c @@ -2405,6 +2405,11 @@ static void acquire_write_reply(DBusMessage *message, void *user_data) int fd; uint16_t mtu; + if (!op->owner_queue) { + DBG("Pending write was canceled when object got removed"); + return; + } + chrc = gatt_db_attribute_get_user_data(op->attrib); dbus_error_init(&err); @@ -2487,6 +2492,11 @@ static void acquire_notify_reply(DBusMessage *message, void *user_data) int fd; uint16_t mtu; + if (!op->owner_queue) { + DBG("Pending notify was canceled when object got removed"); + return; + } + dbus_error_init(&err); if (dbus_set_error_from_message(&err, message) == TRUE) { |