From: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>

While accepting the connection via DEFER_SETUP a second connection can be created by using avctp_connect_browsing, which will not detect one is in course as the state has not yet changed. This can cause memory leaks or crashes such as the following:

profiles/audio/avctp.c:avctp_confirm_cb() AVCTP: incoming connect from XX:XX:XX:XX:XX:XX
profiles/audio/avctp.c:avctp_set_state() AVCTP Browsing Connecting
profiles/audio/avctp.c:avctp_connect_browsing_cb() AVCTP Browsing: connected to XX:XX:XX:XX:XX:XX
profiles/audio/avctp.c:avctp_set_state() AVCTP Browsing Connected
profiles/audio/avctp.c:avctp_connect_browsing_cb() AVCTP Browsing: connected to XX:XX:XX:XX:XX:XX
profiles/audio/avctp.c:avctp_set_state() AVCTP Browsing Connected
profiles/audio/avctp.c:session_browsing_cb() AVCTP Browsing: disconnected
profiles/audio/avctp.c:avctp_set_state() AVCTP Connected

Invalid read of size 8
   at 0x41EB28: session_browsing_cb (avctp.c:842)
   by 0x32F5447E05: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3600.3)
   by 0x32F5448157: ??? (in /usr/lib64/libglib-2.0.so.0.3600.3)
   by 0x32F5448559: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3600.3)
   by 0x40A28F: main (main.c:583)
 Address 0x20 is not stack'd, malloc'd or (recently) free'd
---
 profiles/audio/avctp.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/profiles/audio/avctp.c b/profiles/audio/avctp.c
index 11e9365..2c1aa94 100644
--- a/profiles/audio/avctp.c
+++ b/profiles/audio/avctp.c
@@ -1328,8 +1328,10 @@ static void avctp_browsing_confirm(struct avctp *session, GIOChannel *chan, } if (bt_io_accept(chan, avctp_connect_browsing_cb, session, NULL, - &err)) + &err)) { + avctp_set_state(session, AVCTP_STATE_BROWSING_CONNECTING); return; + } error("Browsing: %s", err->message); g_error_free(err); -- 1.8.3.1
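Review bot: the new `avctp_set_state(session, AVCTP_STATE_BROWSING_CONNECTING)` only closes the race if `avctp_connect_browsing` rejects a session whose state is BROWSING_CONNECTING (not just BROWSING_CONNECTED); that check is outside this hunk, so please confirm it or mention it in the commit message, since the valgrind trace (two "Browsing: connected" callbacks followed by a read at address 0x20 in `session_browsing_cb`) is exactly the double-setup the state check is meant to prevent. Because the state now advances on a successful `bt_io_accept`, the failure path of `avctp_connect_browsing_cb` must move it back (to AVCTP_STATE_CONNECTED) or the session stays stuck in BROWSING_CONNECTING after a failed incoming accept; the `error("Browsing: %s", err->message)` path in this hunk is fine, as the state is untouched there.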