On Fri, Feb 19, 2010 at 7:32 PM, Johan Hedberg <johan.hedberg@xxxxxxxxx> wrote:
> Please try to at least do a compile check before you submit patches.
> This one gives the following error:
> audio/avdtp.c: In function ‘handle_unanswered_req’:
> audio/avdtp.c:908: error: comparison between pointer and integer
>
> What you probably want is session->req->signal_id == AVDTP_ABORT.
>
Sorry. The attached patch compiles without warnings on "./configure && make".
(new dependency to a capabilities lib prevents ./bootstrap-configure atm)
Br,
Daniel
From f45006ec75c23b55470e8088fe64e8f0b6ab6404 Mon Sep 17 00:00:00 2001
From: Daniel Orstadius <daniel.orstadius@xxxxxxxxx>
Date: Sun, 21 Feb 2010 14:39:49 +0200
Subject: [PATCH] Fix double free on AVDTP Abort response
The pending request might be freed twice when receiving an Abort
response, in handle_unanswered_req and session_cb. Avoid freeing
it in handle_unanswered_req.
---
audio/avdtp.c | 7 +++++++
1 files changed, 7 insertions(+), 0 deletions(-)
diff --git a/audio/avdtp.c b/audio/avdtp.c
index 2591845..add08f1 100644
--- a/audio/avdtp.c
+++ b/audio/avdtp.c
@@ -905,6 +905,13 @@ static void handle_unanswered_req(struct avdtp *session,
struct avdtp_local_sep *lsep;
struct avdtp_error err;
+ if (session->req->signal_id == AVDTP_ABORT) {
+ /* Avoid freeing the Abort request here */
+ debug("handle_unanswered_req: Abort req, returning");
+ session->req->stream = NULL;
+ return;
+ }
+
req = session->req;
session->req = NULL;
--
1.6.0.4
