From: Andrei Emeltchenko <andrei.emeltchenko@xxxxxxxxx>
Fixes use after free memory bug.
req is assigned to user_data and then freed with destroy_gatt_req(req)
---
android/scpp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/android/scpp.c b/android/scpp.c
index 77f48cd..9f60c9f 100644
--- a/android/scpp.c
+++ b/android/scpp.c
@@ -301,8 +301,6 @@ static void refresh_discovered_cb(uint8_t status, GSList *chars,
uint16_t start, end;
bt_uuid_t uuid;
- destroy_gatt_req(req);
-
if (status) {
error("Scan Refresh %s", att_ecode2str(status));
return;
@@ -329,6 +327,8 @@ static void refresh_discovered_cb(uint8_t status, GSList *chars,
discover_desc(scan, scan->attrib, start, end, &uuid,
discover_descriptor_cb, user_data);
+
+ destroy_gatt_req(req);
}
static void iwin_discovered_cb(uint8_t status, GSList *chars, void *user_data)
--
2.1.0
--
To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
