avctp: Fix crash when disconnecting When disconnecting the channel queue shall not be destroyed before freeeing all requests including those that already have been processed otherwise the following crash may happen: 4 errors in context 2 of 103: Invalid read of size 4 at 0x12A5C2: control_req_destroy (avctp.c:762) by 0x12A539: pending_destroy (avctp.c:517) by 0x48A0D48: g_slist_foreach (in /usr/lib/libglib-2.0.so.0.3600.0) by 0x12A77B: avctp_channel_destroy (avctp.c:553) by 0x12A801: avctp_disconnected (avctp.c:570) by 0x12A0F1: control_disconnect (control.c:134) by 0x1306B9: avrcp_disconnect (avrcp.c:4471) by 0x17DAE9: btd_service_disconnect (service.c:307) by 0x18437D: dev_disconn_service (device.c:1405) by 0x48A0D48: g_slist_foreach (in /usr/lib/libglib-2.0.so.0.3600.0) by 0x187D87: device_request_disconnect (device.c:1437) by 0x187EC6: dev_disconnect (device.c:1522) Address 0x4fde068 is 0 bytes inside a block of size 16 free'd at 0x48252B3: free (vg_replace_malloc.c:446) by 0x4888172: g_free (in /usr/lib/libglib-2.0.so.0.3600.0) by 0x12AB64: avctp_queue_destroy (avctp.c:537) by 0x48A0D48: g_slist_foreach (in /usr/lib/libglib-2.0.so.0.3600.0) by 0x48A0D91: g_slist_free_full (in /usr/lib/libglib-2.0.so.0.3600.0) by 0x12A75E: avctp_channel_destroy (avctp.c:552) by 0x12A801: avctp_disconnected (avctp.c:570) by 0x12A0F1: control_disconnect (control.c:134) by 0x1306B9: avrcp_disconnect (avrcp.c:4471) by 0x17DAE9: btd_service_disconnect (service.c:307) by 0x18437D: dev_disconn_service (device.c:1405) by 0x48A0D48: g_slist_foreach (in /usr/lib/libglib-2.0.so.0.3600.0)

Diffstat

1 files changed, 1 insertions(+), 1 deletions(-)