From: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
Invalid read of size 8
at 0x470101: update_bredr_services (device.c:2784)
by 0x470591: browse_cb (device.c:2975)
by 0x458B0E: search_completed_cb (sdp-client.c:186)
by 0x47C154: sdp_process (sdp.c:4343)
by 0x458954: search_process_cb (sdp-client.c:205)
by 0x3F31A47A54: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.2)
by 0x3F31A47D87: ??? (in /usr/lib64/libglib-2.0.so.0.3400.2)
by 0x3F31A48181: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3400.2)
by 0x40A265: main (main.c:595)
Address 0x0 is not stack'd, malloc'd or (recently) free'd
---
src/device.c | 65 +++++++++++++++++++++++++++++++++++-------------------------
1 file changed, 38 insertions(+), 27 deletions(-)
diff --git a/src/device.c b/src/device.c
index 0f75c60..c324764 100644
--- a/src/device.c
+++ b/src/device.c
@@ -2677,6 +2677,40 @@ static int rec_cmp(const void *a, const void *b)
return r1->handle - r2->handle;
}
+static int update_record(struct browse_req *req, const char *uuid,
+ sdp_record_t *rec)
+{
+ GSList *l;
+
+ /* Check for duplicates */
+ if (sdp_list_find(req->records, rec, rec_cmp))
+ return -EALREADY;
+
+ /* Copy record */
+ req->records = sdp_list_append(req->records, sdp_copy_record(rec));
+
+ /* Check if UUID is duplicated */
+ l = g_slist_find_custom(req->device->uuids, uuid, bt_uuid_strcmp);
+ if (l == NULL) {
+ l = g_slist_find_custom(req->profiles_added, uuid,
+ bt_uuid_strcmp);
+ if (l == NULL)
+ return 0;
+ req->profiles_added = g_slist_append(req->profiles_added,
+ g_strdup(uuid));
+ return 0;
+ }
+
+ l = g_slist_find_custom(req->profiles_removed, uuid, bt_uuid_strcmp);
+ if (l == NULL)
+ return 0;
+
+ g_free(l->data);
+ req->profiles_removed = g_slist_delete_link(req->profiles_removed, l);
+
+ return 0;
+}
+
static void update_bredr_services(struct browse_req *req, sdp_list_t *recs)
{
struct btd_device *device = req->device;
@@ -2712,7 +2746,6 @@ static void update_bredr_services(struct browse_req *req, sdp_list_t *recs)
sdp_record_t *rec = (sdp_record_t *) seq->data;
sdp_list_t *svcclass = NULL;
char *profile_uuid;
- GSList *l;
if (!rec)
break;
@@ -2754,12 +2787,8 @@ static void update_bredr_services(struct browse_req *req, sdp_list_t *recs)
product, version);
}
- /* Check for duplicates */
- if (sdp_list_find(req->records, rec, rec_cmp)) {
- g_free(profile_uuid);
- sdp_list_free(svcclass, free);
- continue;
- }
+ if (update_record(req, profile_uuid, rec) < 0)
+ goto next;
if (sdp_key_file)
store_sdp_record(sdp_key_file, rec);
@@ -2767,26 +2796,8 @@ static void update_bredr_services(struct browse_req *req, sdp_list_t *recs)
if (att_key_file)
store_primaries_from_sdp_record(att_key_file, rec);
- /* Copy record */
- req->records = sdp_list_append(req->records,
- sdp_copy_record(rec));
-
- l = g_slist_find_custom(device->uuids, profile_uuid,
- bt_uuid_strcmp);
- if (!l)
- req->profiles_added =
- g_slist_append(req->profiles_added,
- profile_uuid);
- else {
- l = g_slist_find_custom(req->profiles_removed,
- profile_uuid,
- bt_uuid_strcmp);
- g_free(l->data);
- req->profiles_removed =
- g_slist_delete_link(req->profiles_removed, l);
- g_free(profile_uuid);
- }
-
+next:
+ g_free(profile_uuid);
sdp_list_free(svcclass, free);
}
--
1.8.1.4
--
To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
