Hi Andrei, On Monday 22 of December 2014 13:49:13 Andrei Emeltchenko wrote: > From: Andrei Emeltchenko <andrei.emeltchenko@xxxxxxxxx> > > Fixes use after free memory bug. > req is assigned to user_data and then freed with destroy_gatt_req(req) > --- > android/scpp.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/android/scpp.c b/android/scpp.c > index 77f48cd..9f60c9f 100644 > --- a/android/scpp.c > +++ b/android/scpp.c > @@ -301,8 +301,6 @@ static void refresh_discovered_cb(uint8_t status, GSList > *chars, uint16_t start, end; > bt_uuid_t uuid; > > - destroy_gatt_req(req); > - > if (status) { > error("Scan Refresh %s", att_ecode2str(status)); > return; > @@ -329,6 +327,8 @@ static void refresh_discovered_cb(uint8_t status, GSList > *chars, > > discover_desc(scan, scan->attrib, start, end, &uuid, > discover_descriptor_cb, user_data); > + > + destroy_gatt_req(req); > } > > static void iwin_discovered_cb(uint8_t status, GSList *chars, void > *user_data) This patch doesn't fix the bug (actually it introduces some memleaks). >From what I see in code gatt_request is packing userdata passed to discover_desc() so I think fix should be like: --- a/android/scpp.c +++ b/android/scpp.c @@ -328,7 +328,7 @@ static void refresh_discovered_cb(uint8_t status, GSList *chars, bt_uuid16_create(&uuid, GATT_CLIENT_CHARAC_CFG_UUID); discover_desc(scan, scan->attrib, start, end, &uuid, - discover_descriptor_cb, user_data); + discover_descriptor_cb, scan); Although here scan and userdata seems reluctant (since req is already holding sccp instance). I'd wait for Luiz to comment on this since he wrote most of the scpp code. -- BR Szymon Janc -- To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html