From 83e34edae3ab8dcbe1aadf57d5ac4fc43678b8ea Mon Sep 17 00:00:00 2001 From: Luiz Augusto von Dentz Date: Mon, 20 Nov 2017 16:27:04 +0200 Subject: [PATCH] client: Fix crashing on disconnect command disconnect callback was writing on the argv pointer causing word wordfree to access invalid memory: Invalid free() / delete / delete[] / realloc() at 0x4C2FD18: free (vg_replace_malloc.c:530) by 0x56E8588: wordfree (in /usr/lib64/libc-2.25.so) by 0x41D0EB: rl_handler (shell.c:388) by 0x53CDB6D: rl_callback_read_char (in /usr/lib64/libreadline.so.7.0) by 0x41CA20: input_read (shell.c:661) by 0x41D88A: watch_callback (io-glib.c:170) by 0x4E85246: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.5200.3) by 0x4E855E7: ??? (in /usr/lib64/libglib-2.0.so.0.5200.3) by 0x4E85901: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.5200.3) by 0x41D77D: bt_shell_run (shell.c:609) by 0x4055E4: main (main.c:2502) Address 0x76afcb4 is 4 bytes inside a block of size 30 alloc'd at 0x4C2EB6B: malloc (vg_replace_malloc.c:299) by 0x517F803: ??? (in /usr/lib64/libdbus-1.so.3.19.0) by 0x516D32A: dbus_message_copy (in /usr/lib64/libdbus-1.so.3.19.0) by 0x4195F4: prop_entry_update.isra.1 (client.c:186) by 0x4197C4: prop_entry_new (client.c:202) by 0x4197C4: add_property (client.c:237) by 0x4199A5: update_properties (client.c:277) by 0x419E74: parse_properties (client.c:974) by 0x419E74: parse_interfaces (client.c:1001) by 0x41B412: parse_managed_objects (client.c:1093) by 0x41B412: get_managed_objects_reply (client.c:1114) by 0x51607A1: ??? (in /usr/lib64/libdbus-1.so.3.19.0) by 0x516411E: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.19.0) by 0x41261F: message_dispatch (mainloop.c:72) by 0x4E81C26: ??? (in /usr/lib64/libglib-2.0.so.0.5200.3)
---
client/main.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/client/main.c b/client/main.c
index 23b0e0ab2..52b431bce 100644
--- a/client/main.c
+++ b/client/main.c
@@ -1745,13 +1745,17 @@ static void cmd_disconn(int argc, char *argv[])
 bt_shell_printf("Failed to disconnect\n");
 return;
 }
+
 if (!argc || strlen(argv[0]) == 0) {
 DBusMessageIter iter;
+ const char *addr;
 if (g_dbus_proxy_get_property(proxy, "Address", &iter) == TRUE)
- dbus_message_iter_get_basic(&iter, &argv[0]);
- }
- bt_shell_printf("Attempting to disconnect from %s\n", argv[0]);
+ dbus_message_iter_get_basic(&iter, &addr);
+
+ bt_shell_printf("Attempting to disconnect from %s\n", addr);
+ } else
+ bt_shell_printf("Attempting to disconnect from %s\n", argv[0]);
 }
 static void cmd_list_attributes(int argc, char *argv[])
-- 
2.47.3
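Review bot: `addr` is read uninitialized whenever `g_dbus_proxy_get_property(proxy, "Address", &iter)` does not return TRUE. It is declared without an initializer, and the new `bt_shell_printf("Attempting to disconnect from %s\n", addr);` in the `if (!argc || ...)` branch runs whether or not the lookup succeeded. Passing an indeterminate pointer to `%s` is undefined behaviour, so the fix for the invalid free can still crash the shell or print stray memory on this path. Declare it as `const char *addr = NULL;` and print `addr ? addr : "(unknown)"`, or move the print under the successful lookup. The start of cmd_disconn, including how `proxy` is chosen, is outside the hunk.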