From: Andrei Emeltchenko <andrei.emeltchenko@xxxxxxxxx> Fixes use after free memory bug. req is assigned to user_data and then freed with destroy_gatt_req(req) --- android/scpp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/android/scpp.c b/android/scpp.c index 77f48cd..9f60c9f 100644 --- a/android/scpp.c +++ b/android/scpp.c @@ -301,8 +301,6 @@ static void refresh_discovered_cb(uint8_t status, GSList *chars, uint16_t start, end; bt_uuid_t uuid; - destroy_gatt_req(req); - if (status) { error("Scan Refresh %s", att_ecode2str(status)); return; @@ -329,6 +327,8 @@ static void refresh_discovered_cb(uint8_t status, GSList *chars, discover_desc(scan, scan->attrib, start, end, &uuid, discover_descriptor_cb, user_data); + + destroy_gatt_req(req); } static void iwin_discovered_cb(uint8_t status, GSList *chars, void *user_data) -- 2.1.0 -- To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html