Hi,

On Fri, Jul 7, 2017 at 1:07 PM, Luiz Augusto von Dentz <luiz.dentz@xxxxxxxxx> wrote:
> From: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
>
> Calling gatt_db_register with NULL pointers makes no sense since it does
> nothing when the callbacks are NULL, so the callbacks are still reachable,
> causing invalid memory to be accessed:
>
> Invalid read of size 8
>    at 0x50EAFDC: g_slist_find_custom (in /usr/lib64/libglib-2.0.so.0.5000.3)
>    by 0x46CDA1: gatt_service_removed (device.c:3563)
>    by 0x4896F8: queue_foreach (queue.c:220)
>    by 0x4951FB: notify_service_changed (gatt-db.c:268)
>    by 0x4951FB: gatt_db_service_destroy (gatt-db.c:279)
>    by 0x4898F5: queue_remove_all (queue.c:336)
>    by 0x4952E2: gatt_db_clear_range (gatt-db.c:461)
>    by 0x48F32B: discovery_op_unref (gatt-client.c:447)
>    by 0x4979AA: bt_gatt_request_unref (gatt-helpers.c:594)
>    by 0x490489: bt_gatt_client_cancel_all (gatt-client.c:2083)
>    by 0x4904D8: bt_gatt_client_free (gatt-client.c:1752)
>    by 0x46CF70: gatt_client_cleanup (device.c:561)
>    by 0x46D01A: attio_cleanup (device.c:586)
>  Address 0x86cb940 is 0 bytes inside a block of size 16 free'd
>    at 0x4C2ED4A: free (vg_replace_malloc.c:530)
>    by 0x50D16CD: g_free (in /usr/lib64/libglib-2.0.so.0.5000.3)
>    by 0x50EA743: g_slice_free_chain_with_offset (in /usr/lib64/libglib-2.0.so.0.5000.3)
>    by 0x46D18C: device_free (device.c:638)
>    by 0x485B05: remove_interface (object.c:667)
>    by 0x485FF9: g_dbus_unregister_interface (object.c:1391)
>    by 0x45EFA9: btd_adapter_remove_device (adapter.c:1200)
>    by 0x45FBC3: dev_disconnected (adapter.c:6800)
>    by 0x48A1A5: request_complete (mgmt.c:261)
>    by 0x48AC0B: can_read_data (mgmt.c:353)
>    by 0x496954: watch_callback (io-glib.c:170)
>    by 0x50CBE51: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.5000.3)
> ---
>  src/device.c | 7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/src/device.c b/src/device.c
> index 9736bb6..fb9c0e7 100644
> --- a/src/device.c
> +++ b/src/device.c
> @@ -225,6 +225,7 @@ struct btd_device { > * attribute cache support can be built. > */ > struct gatt_db *db; /* GATT db cache */ > + unsigned int db_id; > struct bt_gatt_client *client; /* GATT client instance */ > struct bt_gatt_server *server; /* GATT server instance */ > unsigned int gatt_ready_id; > @@ -644,7 +645,7 @@ static void device_free(gpointer user_data) > g_slist_free_full(device->svc_callbacks, svc_dev_remove); > > /* Reset callbacks since the device is going to be freed */ > - gatt_db_register(device->db, NULL, NULL, NULL, NULL); > + gatt_db_unregister(device->db, device->db_id); > > attio_cleanup(device); > > @@ -3666,8 +3667,8 @@ static struct btd_device *device_new(struct btd_adapter *adapter, > device->adapter = adapter; > device->temporary = true; > > - gatt_db_register(device->db, gatt_service_added, gatt_service_removed, > - device, NULL); > + device->db_id = gatt_db_register(device->db, gatt_service_added, > + gatt_service_removed, device, NULL); > > return btd_device_ref(device); > } > -- > 2.9.4

Applied.

-- 
Luiz Augusto von Dentz
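Review bot: style point on the first hunk (struct btd_device): the neighbouring members carry a trailing comment (`struct gatt_db *db; /* GATT db cache */`, `struct bt_gatt_client *client; /* GATT client instance */`), but the new `unsigned int db_id;` has none; add something like `/* id returned by gatt_db_register() */` so a reader sees that it pairs with the gatt_db_unregister() call in device_free().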
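Review bot: in the device_free() hunk the retained comment `/* Reset callbacks since the device is going to be freed */` no longer describes the line below it, which is now `gatt_db_unregister(device->db, device->db_id);` rather than a re-registration with NULL callbacks; reword it to "Unregister callbacks since the device is going to be freed". Replacing the NULL re-registration is the right fix for the use-after-free shown in the valgrind trace (gatt_service_removed running on a freed device), since the no-op NULL registration left the old callbacks in place; the correctness of the new path now rests on db_id holding the id handed out in device_new(), so it is worth stating in the commit message that the two calls are paired.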
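Review bot: in the device_new() hunk the return value of gatt_db_register() is stored into device->db_id without any check; if the registration can fail and signals that with an id of 0, device_free() will later call gatt_db_unregister(device->db, 0). Either confirm that gatt_db_unregister() tolerates a 0 id, or handle the failure here (for example log it and leave db_id at 0 with device_free() skipping the unregister), so the cleanup path cannot act on an id that was never issued.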