From: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx> This fixes the following crash: Invalid read of size 8 at 0x1E1E0B: bt_gatt_client_idle_unregister (gatt-client.c:3812) by 0x1EB6BD: bt_bap_detach (bap.c:3821) by 0x1EB6BD: bt_bap_detach (bap.c:3808) by 0x1D5631: queue_foreach (queue.c:207) by 0x1DCAA3: disconnect_cb (att.c:713) by 0x1F4404: watch_callback (io-glib.c:157) by 0x48BBC7E: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.7400.6) by 0x4912117: ??? (in /usr/lib64/libglib-2.0.so.0.7400.6) by 0x48BB24E: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.7400.6) by 0x1F4A54: mainloop_run (mainloop-glib.c:66) by 0x1F4E21: mainloop_run_with_signal (mainloop-notify.c:188) by 0x1304B4: main (main.c:1428) Address 0x28 is not stack'd, malloc'd or (recently) free'd --- src/shared/gatt-client.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/shared/gatt-client.c b/src/shared/gatt-client.c index 3a29f807fc85..d28f5b3670f6 100644 --- a/src/shared/gatt-client.c +++ b/src/shared/gatt-client.c @@ -3809,6 +3809,9 @@ bool bt_gatt_client_idle_unregister(struct bt_gatt_client *client, { struct idle_cb *idle = UINT_TO_PTR(id); + if (!client || !id) + return false; + if (queue_remove(client->idle_cbs, idle)) { idle_destroy(idle); return true; -- 2.39.2
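Review bot: the commit message states the crash but not its cause; the Valgrind trace shows an invalid read at address 0x28, i.e. a small offset into a NULL struct, so `client` is NULL when bt_bap_detach (bap.c:3821) calls bt_gatt_client_idle_unregister and `client->idle_cbs` is dereferenced. The added `if (!client || !id) return false;` makes the function tolerate that, but the message should say why bt_bap_detach reaches this call with a NULL client during disconnect_cb (att.c:713), and whether the caller should skip the unregister instead; without that, a NULL check here can hide a stale or already-cleared client pointer in bap.c. The `!id` half is fine as a defensive check, since `UINT_TO_PTR(0)` yields a NULL idle pointer that queue_remove would never match, but that reasoning is not stated in the message either.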