From: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
If the client disconnect/crash while MGMT_OP_STOP_DISCOVERY was pending
it would possibly cause a crash as the client pointer is passed to
mgmt_send and accessed in the callback after being freed.
To fix this the adapter itself is now passed to the callback so the
client is not accessed directly, instead the code now checks if
discovery_list has not been cleared in the meantime and only then
proceed to access the client pointer which is how
MGMT_OP_START_DISCOVERY is handled.
---
src/adapter.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/adapter.c b/src/adapter.c
index c23c84175..64815ecd2 100644
--- a/src/adapter.c
+++ b/src/adapter.c
@@ -1926,11 +1926,19 @@ static bool set_discovery_discoverable(struct btd_adapter *adapter, bool enable)
static void stop_discovery_complete(uint8_t status, uint16_t length,
const void *param, void *user_data)
{
- struct watch_client *client = user_data;
- struct btd_adapter *adapter = client->adapter;
+ struct btd_adapter *adapter = user_data;
+ struct watch_client *client;
DBG("status 0x%02x", status);
+ /* Is there are no clients the discovery must have been stopped while
+ * discovery command was pending.
+ */
+ if (!adapter->discovery_list)
+ return;
+
+ client = adapter->discovery_list->data;
+
discovery_reply(client, status);
if (status != MGMT_STATUS_SUCCESS)
--
2.25.3
