From: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx> The following crash can happen if the original gatt_db has incomplete service definitions since the attribute might still be discovering: Invalid read of size 4 at 0x1E5A39: bt_uuid_len (uuid.h:289) by 0x1E5A39: service_clone (gatt-db.c:284) by 0x1D5EBB: queue_foreach (queue.c:207) by 0x1E61CD: gatt_db_clone (gatt-db.c:329) by 0x1C18F0: btd_device_set_gatt_db (device.c:7110) by 0x1C9F96: foreach_rsi (set.c:295) by 0x1D5EBB: queue_foreach (queue.c:207) by 0x48EA91F: g_slist_foreach (in /usr/lib64/libglib-2.0.so.0.8000.3) by 0x1CA2C8: btd_set_add_device (set.c:357) by 0x1BB9AB: btd_device_add_set (device.c:2049) by 0x17FF76: csip_ready (csip.c:243) by 0x1FD5CC: csip_notify_ready (csip.c:546) by 0x1FD5CC: csip_idle (csip.c:630) by 0x1DE20C: idle_notify (gatt-client.c:171) Address 0xc is not stack'd, malloc'd or (recently) free'd --- src/shared/gatt-db.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/shared/gatt-db.c b/src/shared/gatt-db.c index b35763410d17..72254c7e41ba 100644 --- a/src/shared/gatt-db.c +++ b/src/shared/gatt-db.c @@ -278,6 +278,9 @@ static void service_clone(void *data, void *user_data) for (i = 0; i < service->num_handles; i++) { struct gatt_db_attribute *attr = service->attributes[i]; + if (!attr) + continue; + /* Only clone values for characteristics declaration since that * is considered when calculating the db hash. */ -- 2.47.1
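Review bot: the `if (!attr) continue;` guard in the `service_clone` loop matches the reported fault (an invalid 4-byte read at address 0xc inside `bt_uuid_len`, consistent with dereferencing a NULL `attr` slot), but it silently produces a clone whose `num_handles` still counts the skipped slot while the corresponding entry is left unset; the comment immediately below the hunk says only characteristic declarations are cloned because they feed the db hash, so it is worth confirming that the hash computation and the other consumers of `gatt_db_clone` tolerate a partially populated attribute array, or alternatively that `btd_device_set_gatt_db` (the caller in the trace) defers cloning until discovery has finished rather than cloning a half-discovered database. A short comment on the `continue` explaining that a NULL slot means the attribute is still being discovered would help the next reader, and the commit message sentence "since the attribute might still be discovering" would read more clearly as "since attributes may still be under discovery".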