From c9a87056d733bc23279b30243f03923e53153a94 Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz
Date: Thu, 25 Jun 2015 10:42:27 +0300
Subject: [PATCH] core/advertising: Fix double free

This fixes the following trace introduced by caa5835cd805e9771cddef35906a31cce0232dde:

Invalid read of size 8
at 0x4859E4: advertising_manager_destroy (advertising.c:721)
by 0x485D1D: btd_advertising_manager_destroy (advertising.c:822)
by 0x48B39E: adapter_remove (adapter.c:5191)
by 0x49A812: adapter_cleanup (adapter.c:8184)
by 0x40BE2A: main (main.c:673)
Address 0x5ed5bb8 is 8 bytes inside a block of size 32 free'd
at 0x4C2ACE9: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x4C85D9: remove_interface (object.c:658)
by 0x4C91B1: g_dbus_unregister_interface (object.c:1382)
by 0x485D0D: btd_advertising_manager_destroy (advertising.c:818)
by 0x48B39E: adapter_remove (adapter.c:5191)
by 0x49A812: adapter_cleanup (adapter.c:8184)
by 0x40BE2A: main (main.c:673)

This happens because AdvertisingManager is only registered if the kernel support at least one advertising instance so it has be freed directly.
---
src/advertising.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/advertising.c b/src/advertising.c
index 421a5e990..ab5c6fc53 100644
--- a/src/advertising.c
+++ b/src/advertising.c
@@ -751,8 +751,7 @@ static void read_adv_features_callback(uint8_t status, uint16_t length,
 if (!g_dbus_register_interface(btd_get_dbus_connection(),
 adapter_get_path(manager->adapter),
 LE_ADVERTISING_MGR_IFACE,
- methods, NULL, NULL, manager,
- advertising_manager_destroy))
+ methods, NULL, NULL, manager, NULL))
 error("Failed to register " LE_ADVERTISING_MGR_IFACE);
 }
-- 
2.47.3
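Review bot: Passing `NULL` as the destroy callback on the added line leaves `manager` registered as the interface's user_data with nothing at the call site recording who now owns it, so the unregister-then-free order that the trace in the description shows in btd_advertising_manager_destroy (g_dbus_unregister_interface at advertising.c:818, advertising_manager_destroy at :822) becomes the only thing keeping a D-Bus method handler from running against freed memory in a root daemon; a comment on that argument should say so, e.g. `/* no D-Bus destroy callback: manager is freed by btd_advertising_manager_destroy() after the interface is unregistered */`. The failure branch still only logs via `error(...)`, which is consistent now that the manager outlives the interface either way, but it is worth confirming that btd_advertising_manager_destroy tolerates the interface never having been registered, since the description says registration only happens when the kernel reports at least one advertising instance. read_adv_features_callback starts outside the hunk.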