From ccbc792aff13daf3a89bbc09c9530b910bb03705 Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz
Date: Thu, 5 Mar 2015 13:52:11 +0200
Subject: [PATCH] shared/att: Fix invalid read

The following backtrace can be reproduced with unit/test-gatt and it is caused by the callback removing all entries from notify list:
Invalid read of size 8
at 0x438FE9: handle_notify (att.c:755)
by 0x438FE9: can_read_data (att.c:841)
by 0x4465AA: watch_callback (io-glib.c:170)
by 0x4E7EAEA: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.4200.1)
by 0x4E7EE87: ??? (in /usr/lib64/libglib-2.0.so.0.4200.1)
by 0x4E7F1B1: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.4200.1)
by 0x437161: tester_run (tester.c:817)
by 0x433308: main (test-gatt.c:3174)
Address 0x59671f0 is 16 bytes inside a block of size 24 free'd
at 0x4C2ACE9: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x446E58: queue_entry_unref (queue.c:96)
by 0x4474E9: queue_remove_if (queue.c:338)
by 0x438CAE: bt_att_unregister (att.c:1327)
by 0x43EF4B: bt_gatt_client_free (gatt-client.c:1578)
by 0x43F040: bt_gatt_client_unref (gatt-client.c:1689)
by 0x43F0B8: notify_cb (gatt-client.c:1551)
by 0x4390AE: handle_notify (att.c:764)
by 0x4390AE: can_read_data (att.c:841)
by 0x4465AA: watch_callback (io-glib.c:170)
by 0x4E7EAEA: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.4200.1)
by 0x4E7EE87: ??? (in /usr/lib64/libglib-2.0.so.0.4200.1)
by 0x4E7F1B1: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.4200.1)
---
 src/shared/att.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/shared/att.c b/src/shared/att.c
index 67f93fc3f..55d633be7 100644
--- a/src/shared/att.c
+++ b/src/shared/att.c
@@ -751,10 +751,12 @@ static void handle_notify(struct bt_att *att, uint8_t opcode, uint8_t *pdu,
 bt_att_ref(att);
- for (found = false, entry = queue_get_entries(att->notify_list); entry;
- entry = entry->next) {
+ for (found = false, entry = queue_get_entries(att->notify_list);
+ !queue_isempty(att->notify_list) && entry;) {
 struct att_notify *notify = entry->data;
+ entry = entry->next;
+
 if (!opcode_match(notify->opcode, opcode))
 continue;
--
2.47.3
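Review bot: The new `!queue_isempty(att->notify_list) && entry` condition only covers the case where a callback empties the whole list; if a callback unregisters just the entry that `entry` was advanced to (the next one, read before the callback runs), the loop still dereferences a freed `entry` on the next iteration, so the invalid read is narrowed rather than removed. A robust fix is to make removal deferred while the list is being iterated (for example, an "in-notify" flag checked by bt_att_unregister, with removal done after the loop), or to take a reference on each entry across the callback; that change spans more than this hunk, so I am describing it rather than quoting it. At minimum the pre-advance deserves a comment so the ordering is not "tidied" away later: `/* Advance first: the callback may unregister this entry */`. handle_notify's body, including the callback invocation and the matching bt_att_unref, starts and ends outside the hunk.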