From 3790a1f46ce0105308a45b4dbb9ca769828fa81d Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz
Date: Tue, 25 Jul 2017 11:39:01 +0300
Subject: [PATCH] gatt: Fix crash when cleanup notify_io

When removing interfaces the code will attempt to free any notify client but the notify_io may still be pointing to the client causing the following crash:

Invalid read of size 8
   at 0x49D531: notify_io_destroy (gatt-client.c:1452)
   by 0x49E1B2: pipe_io_destroy (gatt-client.c:1077)
   by 0x49E25D: characteristic_free (gatt-client.c:1650)
   by 0x4CA2B9: remove_interface (object.c:667)
   by 0x4CAF05: g_dbus_unregister_interface (object.c:1391)
   by 0x49D248: unregister_characteristic (gatt-client.c:1730)
   by 0x4D0956: queue_remove_all (queue.c:351)
   by 0x49D05D: unregister_service (gatt-client.c:1879)
   by 0x4D0956: queue_remove_all (queue.c:351)
   by 0x4D09B4: queue_destroy (queue.c:73)
   by 0x4A10C6: btd_gatt_client_destroy (gatt-client.c:2079)
   by 0x4A4087: device_free (device.c:640)
 Address 0x8f56b00 is 0 bytes inside a block of size 32 free'd
   at 0x4C2FD18: free (vg_replace_malloc.c:530)
   by 0x49D4AF: notify_client_unref (gatt-client.c:1267)
   by 0x49D520: remove_client (gatt-client.c:1711)
   by 0x4D0956: queue_remove_all (queue.c:351)
   by 0x49D205: unregister_characteristic (gatt-client.c:1727)
   by 0x4D0956: queue_remove_all (queue.c:351)
   by 0x49D05D: unregister_service (gatt-client.c:1879)
   by 0x4D0956: queue_remove_all (queue.c:351)
   by 0x4D09B4: queue_destroy (queue.c:73)
   by 0x4A10C6: btd_gatt_client_destroy (gatt-client.c:2079)
   by 0x4A4087: device_free (device.c:640)
   by 0x4CA2B9: remove_interface (object.c:667)
---
 src/gatt-client.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/gatt-client.c b/src/gatt-client.c
index b5b2ea39c..4f70aa7db 100644
--- a/src/gatt-client.c
+++ b/src/gatt-client.c
@@ -1449,8 +1449,8 @@ static void notify_io_destroy(void *data)
 {
 	struct notify_client *client = data;
 
-	queue_remove(client->chrc->notify_clients, client);
-	notify_client_unref(client);
+	if (queue_remove(client->chrc->notify_clients, client))
+		notify_client_unref(client);
 }
 
 static DBusMessage *characteristic_acquire_notify(DBusConnection *conn,
-- 
2.47.3
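Review bot: The new `if (queue_remove(client->chrc->notify_clients, client))` line still dereferences `client->chrc` before anything establishes that `client` is alive, and the valgrind trace in the description places the invalid read on exactly that line (1452), with the 32-byte client block already freed in remove_client → notify_client_unref on the earlier `queue_remove_all(chrc->notify_clients, ...)` pass. Making the unref conditional avoids dropping a reference the io no longer holds, but as far as this hunk shows it does not stop the read through the freed pointer, unless code outside the hunk (the pipe io taking its own reference, or remove_client clearing `notify_io->data`) keeps the object valid — I cannot confirm that from here. A more robust shape is for the notify io to own a reference of its own, e.g. `notify_client_ref(client)` where `chrc->notify_io->data = client` is assigned, keeping an unconditional `notify_client_unref(client)` here; alternatively destroy `chrc->notify_io` before the clients queue is flushed in unregister_characteristic. Whichever is chosen, a comment such as `/* the io may outlive the queue entry; only release the reference we still hold */` above the guard would record why it is conditional. notify_io_destroy's signature is visible only as the @@ context line, the body is fully inside the hunk.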