author | Luiz Augusto von Dentz <luiz.dentz@openbossa.org> | 2009-07-21 13:40:06 -0300 |
---|---|---|
committer | Luiz Augusto von Dentz <luiz.dentz@openbossa.org> | 2009-07-21 13:40:06 -0300 |
commit | 8c677a559dbaa7c9b53fea05f91081c05244ec1f (patch) | |
tree | b0f6704605a6fbfba72ac863e8a7fb6a623f4d57 /src/sdpd-service.c | |
parent | edbe0ace7b9e4c8afe0e61bb66b9dd77385ddfa3 (diff) | |
download | bluez-8c677a559dbaa7c9b53fea05f91081c05244ec1f.tar.gz |
Fix segfault when a record is updated.
Current code is freeing the new record when it shouldn't as the memory is
reused by extract_pdu_server.
Diffstat (limited to 'src/sdpd-service.c')
-rw-r--r-- | src/sdpd-service.c | 37 |
1 files changed, 17 insertions, 20 deletions
diff --git a/src/sdpd-service.c b/src/sdpd-service.c
index f19e1d4e1..6a1f27c13 100644
--- a/src/sdpd-service.c
+++ b/src/sdpd-service.c
@@ -31,6 +31,7 @@
 #include <stdio.h>
 #include <errno.h>
 #include <stdlib.h>
+#include <assert.h>
 #include <sys/time.h>
 #include <sys/socket.h>
@@ -624,7 +625,7 @@ invalid:
 */
 int service_update_req(sdp_req_t *req, sdp_buf_t *rsp)
 {
- sdp_record_t *orec;
+ sdp_record_t *orec, *nrec;
 int status = 0, scanned = 0;
 uint8_t *p = req->buf + sizeof(sdp_pdu_hdr_t);
 int bufsize = req->len - sizeof(sdp_pdu_hdr_t);
@@ -639,27 +640,23 @@ int service_update_req(sdp_req_t *req, sdp_buf_t *rsp)
 SDPDBG("SvcRecOld: %p", orec);
- if (orec) {
- sdp_record_t *nrec = extract_pdu_server(BDADDR_ANY, p, bufsize,
- handle, &scanned);
- if (nrec && handle == nrec->handle) {
- update_db_timestamp();
- update_svclass_list(BDADDR_ANY);
- } else {
- SDPDBG("SvcRecHandle : 0x%x", handle);
- SDPDBG("SvcRecHandleNew : 0x%x", nrec->handle);
- SDPDBG("SvcRecNew : %p", nrec);
- SDPDBG("SvcRecOld : %p", orec);
- SDPDBG("Failure to update, restore old value");
-
- status = SDP_INVALID_SYNTAX;
- }
-
- if (nrec)
- sdp_record_free(nrec);
- } else
+ if (!orec) {
 status = SDP_INVALID_RECORD_HANDLE;
+ goto done;
+ }
+
+ nrec = extract_pdu_server(BDADDR_ANY, p, bufsize, handle, &scanned);
+ if (!nrec) {
+ status = SDP_INVALID_SYNTAX;
+ goto done;
+ }
+
+ assert(nrec == orec);
+
+ update_db_timestamp();
+ update_svclass_list(BDADDR_ANY);
+done:
 p = rsp->data;
 bt_put_unaligned(htons(status), (uint16_t *) p);
 rsp->data_size = sizeof(uint16_t); |
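Review bot: `assert(nrec == orec);` in the third hunk turns a validation of request-derived data into a process abort, and the check disappears entirely when the file is built with NDEBUG. The removed code answered a mismatched record with SDP_INVALID_SYNTAX; if extract_pdu_server can ever return a record other than orec for the bytes in req->buf (its body is not shown here, so this needs confirming), the daemon now either terminates or, in an NDEBUG build, goes on to update_db_timestamp() with an unchecked record. A runtime check keeps the error path: `if (nrec != orec) { status = SDP_INVALID_SYNTAX; goto done; }`, after which the `#include <assert.h>` added in the first hunk is no longer needed. Whether a differing nrec must be freed on that path depends on extract_pdu_server's ownership rules, which are worth stating in a comment above the check. service_update_req begins before this hunk and continues past its last line.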