[PATCH v2 3/4] Fix invalid read from memory issue in avdtp module

Changing stream state from STREAMING to IDLE can be associated with side
effects under some circumstances (such as terminating bluetoothd while
music is being streamed). In this case, after the connection is lost, the
stream state changes from STREAMING to IDLE - "avdtp_sep_set_state" is
triggered, which invokes a callback called "stream_state_changed", which
internally invokes "avdtp_sep_set_state" (the state of the stream doesn't
change and stays as IDLE) a second time, and then the stream callbacks list
is discarded by "stream_free" ("g_slist_free(stream->callbacks)"). After
returning from the callback, the "stream->callbacks" list (and the "l"
pointer as well) is already out of date, so attempting to fetch the
"l->next" pointer (returned by "g_slist_next(l)" to be prepared for the
next iteration of the "for" loop) from a node on the discarded list leads
to an invalid read issue (reported by valgrind).

This patch prevents this issue by moving the "l = g_slist_next(l)"
instruction to just before invoking the callback - the loop has been
modified and "while" is used instead of the "for" loop variant.
---
 audio/avdtp.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/audio/avdtp.c b/audio/avdtp.c
index 6018c37..c49dee9 100644
--- a/audio/avdtp.c
+++ b/audio/avdtp.c
@@ -1098,8 +1098,10 @@ static void avdtp_sep_set_state(struct avdtp *session,
 		break;
 	}
 
-	for (l = stream->callbacks; l != NULL; l = g_slist_next(l)) {
+	l = stream->callbacks;
+	while (l != NULL) {
 		struct stream_callback *cb = l->data;
+		l = g_slist_next(l);
 		cb->cb(stream, old_state, state, err_ptr, cb->user_data);
 	}
 
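Review bot: Advancing `l` before `cb->cb(...)` only protects against the current node going away. Per the commit message, the callback can end up in stream_free(), which calls g_slist_free(stream->callbacks) and releases every node of the list, so when more than one callback is registered the pre-fetched `l` already points at a freed node and the next `struct stream_callback *cb = l->data;` is the same invalid read, one iteration later. The loop is safe only when the callback that triggers the free is the last entry, because `l` is then NULL. Consider iterating over a private copy of the list (g_slist_copy(), released after the loop), or deferring stream_free() until the loop has finished; if the stream_callback structs are released together with the list, the copy alone is not enough and the free has to be deferred. A short comment above `l = g_slist_next(l);` stating that a callback may free the list would also keep a later cleanup from turning this back into a `for` loop.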
-- 
1.6.3.3
