A pointer to freed memory is dereferenced if we call function hdp_get_dcpsm_cb() with out any earlier reference.
---
 profiles/health/hdp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/profiles/health/hdp.c b/profiles/health/hdp.c
index c15f06a..a42ca48 100644
--- a/profiles/health/hdp.c
+++ b/profiles/health/hdp.c
@@ -542,9 +542,9 @@ static void hdp_get_dcpsm_cb(uint16_t dcpsm, gpointer user_data, GError *err)
 					hdp_tmp_dc_data_destroy, &gerr))
 		return;
 
-	hdp_tmp_dc_data_unref(hdp_conn);
 	hdp_conn->cb(hdp_chann->mdl, err, hdp_conn);
 	g_error_free(gerr);
+	hdp_tmp_dc_data_unref(hdp_conn);
 }
 
 static void device_reconnect_mdl_cb(struct mcap_mdl *mdl, GError *err,
-- 
1.7.9.5

--
To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
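Review bot: On the failure path at the end of hdp_get_dcpsm_cb() the callback is still handed `err` rather than `gerr`, so the error filled in through `&gerr` by the failed call is released by `g_error_free(gerr)` without ever reaching the caller. If `err` is NULL at this point (the start of the function is outside the hunk, so this is inferred), the callback cannot tell that the connection attempt failed; consider `hdp_conn->cb(hdp_chann->mdl, gerr, hdp_conn);`. The reordering itself closes the use-after-free, and a short comment above the moved call, such as `/* drop our reference last: cb() still dereferences hdp_conn */`, would keep a later cleanup from moving the unref back up.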