From de8c249f785d9ca54f8fee6d1e5b0cbbfef7f0d4 Mon Sep 17 00:00:00 2001 From: Luiz Augusto von Dentz Date: Fri, 2 Feb 2024 10:07:15 -0500 Subject: [PATCH] btdev: Fix crash on BIG Sync Terminate command When receiving BIG Sync Terminate command the following crash could be observed: Invalid read of size 8 at 0x15FC9F: cmd_big_term_sync (btdev.c:6417) by 0x15D19D: run_cmd (btdev.c:7269) by 0x16E7DF: process_cmd (btdev.c:7425) by 0x16E7DF: btdev_receive_h4 (btdev.c:7516) by 0x143AB9: vhci_read_callback (vhci.c:77) by 0x185AAE: io_callback (io-mainloop.c:110) by 0x187158: mainloop_run (mainloop.c:106) by 0x188357: mainloop_run_with_signal (mainloop-notify.c:188) by 0x4EA6B89: (below main) (in /usr/lib64/libc.so.6) Address 0x53cf678 is 8 bytes inside a block of size 16 free'd at 0x4845B2C: free (vg_replace_malloc.c:985) by 0x17E0FE: queue_remove (queue.c:256) by 0x1497F0: conn_remove (btdev.c:537) by 0x15FC8A: cmd_big_term_sync (btdev.c:6427) by 0x15D19D: run_cmd (btdev.c:7269) by 0x16E7DF: process_cmd (btdev.c:7425) by 0x16E7DF: btdev_receive_h4 (btdev.c:7516) by 0x143AB9: vhci_read_callback (vhci.c:77) by 0x185AAE: io_callback (io-mainloop.c:110) by 0x187158: mainloop_run (mainloop.c:106) by 0x188357: mainloop_run_with_signal (mainloop-notify.c:188) by 0x4EA6B89: (below main) (in /usr/lib64/libc.so.6) --- emulator/btdev.c | 1 + 1 file changed, 1 insertion(+) diff --git a/emulator/btdev.c b/emulator/btdev.c index da94f29d1..7b67e9430 100644 --- a/emulator/btdev.c +++ b/emulator/btdev.c @@ -6425,6 +6425,7 @@ static int cmd_big_term_sync(struct btdev *dev, const void *data, uint8_t len) 0x16); conn_remove(conn); + break; } done: -- 2.47.3
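Review bot: the added `break;` after `conn_remove(conn);` in `cmd_big_term_sync` stops the loop before the next iteration touches the entry that `conn_remove` just freed (the valgrind trace shows the invalid read at btdev.c:6417 against the block freed via `queue_remove` at btdev.c:6427), but it also means only the first matching connection is removed per BIG Sync Terminate command; if a BIG sync can carry more than one BIS connection, the remaining entries stay in the queue with the terminated handle. Worth stating in the commit message whether exactly one connection is expected here, or otherwise removing all matches with a helper that is safe against removal during iteration (collecting the matches first, or a remove-all-with-match call) rather than freeing inside the walk.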