From: Lucas De Marchi <lucas.de.marchi@xxxxxxxxx>
If we are walking a GSList and remove the element we are pointing to,
the next iteration g_slist_next() will access previously freed
memory.
---
src/device.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/device.c b/src/device.c
index c659164..0339bcf 100644
--- a/src/device.c
+++ b/src/device.c
@@ -1469,7 +1469,7 @@ static void device_remove_profiles(struct btd_device *device, GSList *uuids)
char srcaddr[18], dstaddr[18];
bdaddr_t src;
sdp_list_t *records;
- GSList *l;
+ GSList *l, *next;
adapter_get_address(adapter, &src);
ba2str(&src, srcaddr);
@@ -1498,10 +1498,11 @@ static void device_remove_profiles(struct btd_device *device, GSList *uuids)
if (records)
sdp_list_free(records, (sdp_free_func_t) sdp_record_free);
- for (l = device->profiles; l != NULL; l = g_slist_next(l)) {
+ for (l = device->profiles; l != NULL; l = next) {
struct btd_profile *profile = l->data;
GSList *probe_uuids;
+ next = l->next;
probe_uuids = device_match_profile(device, profile,
device->uuids);
if (probe_uuids != NULL) {
--
1.7.12.2
--
To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
