From 8b21a74f2e473b88cadc8ad871c635ace969ee02 Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz
Date: Tue, 20 Feb 2018 16:20:10 +0200
Subject: [PATCH] adapter: Fix crash when discovering

If client exits while start discovery command is pending it may produce the following crash:

Invalid read of size 8
at 0x49036E: start_discovery_complete (adapter.c:1428)
by 0x4D4957: request_complete (mgmt.c:261)
by 0x4D5BD4: can_read_data (mgmt.c:353)
by 0x4E717A: watch_callback (io-glib.c:170)
by 0x50CEB76: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.5400.3)
by 0x50CEF1F: ??? (in /usr/lib64/libglib-2.0.so.0.5400.3)
by 0x50CF231: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.5400.3)
by 0x40CEC0: main (main.c:770)
Address 0x0 is not stack'd, malloc'd or (recently) free'd
---
 src/adapter.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/adapter.c b/src/adapter.c
index fc4913e71..8a99f5241 100644
--- a/src/adapter.c
+++ b/src/adapter.c
@@ -1425,7 +1425,7 @@ static void start_discovery_complete(uint8_t status, uint16_t length,
 					const void *param, void *user_data)
 {
 	struct btd_adapter *adapter = user_data;
-	struct watch_client *client = adapter->discovery_list->data;
+	struct watch_client *client;
 	const struct mgmt_cp_start_discovery *rp = param;
 	DBusMessage *reply;
@@ -1434,7 +1434,7 @@ static void start_discovery_complete(uint8_t status, uint16_t length,
 	/* Is there are no clients the discovery must have been stopped while
 	 * discovery command was pending. */
-	if (!client) {
+	if (!adapter->discovery_list) {
 		struct mgmt_cp_stop_discovery cp;
 		if (status != MGMT_STATUS_SUCCESS)
@@ -1448,6 +1448,8 @@ static void start_discovery_complete(uint8_t status, uint16_t length,
 		return;
 	}
+	client = adapter->discovery_list->data;
+
 	if (length < sizeof(*rp)) {
 		btd_error(adapter->dev_id,
 			"Wrong size of start discovery return parameters");
-- 
2.47.3
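Review bot: The new assignment `client = adapter->discovery_list->data;` in the third hunk still takes the list head as the client whose start request is pending, and nothing in the hunks shows that the head's `data` cannot be NULL or that the head is still the original requester once a different client has started discovery in the meantime; if the callers guarantee both, a comment would record it, e.g. `/* list checked non-empty above; head is the client whose start request is pending */`. Since `client` is no longer initialized at its declaration in the first hunk, that declaration could move next to the assignment unless the project keeps declarations at the top of the block. The context comment in the second hunk reads `Is there are no clients`, presumably meant as `If there are no clients`. start_discovery_complete continues past the third hunk.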