From e4925be847e3659cf681f2c963b4392b30df836b Mon Sep 17 00:00:00 2001 From: Anderson Lizardo Date: Fri, 10 Jan 2014 19:51:47 -0800 Subject: [PATCH] shared: Fix crash if adapter is removed before mgmt event is received If "Index Removed" mgmt event is received after a mgmt command was sent by userspace, but before its Command Status/Complete event is received, bluetoothd will eventually call mgmt_cancel_index(), which will destroy the queue of pending commands. By the time request_complete() is called, the request callback is no more valid, because the destroy callback was already called. Therefore, the fix is to simply ignore the event. Valgrind output: ==3676== Invalid read of size 4 ==3676== at 0x80BCD07: request_complete (mgmt.c:239) ==3676== by 0x80BCF72: can_read_data (mgmt.c:350) ==3676== by 0x80BBE22: read_callback (io-glib.c:164) ==3676== by 0x40C019D: g_io_unix_dispatch (giounix.c:166) ==3676== by 0x407FD45: g_main_context_dispatch (gmain.c:2539) ==3676== by 0x40800E4: g_main_context_iterate.isra.21 (gmain.c:3146) ==3676== by 0x408052A: g_main_loop_run (gmain.c:3340) ==3676== by 0x41BE4D2: (below main) (libc-start.c:226) ==3676== Address 0x10 is not stack'd, malloc'd or (recently) free'd --- src/shared/mgmt.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/src/shared/mgmt.c b/src/shared/mgmt.c index a391ab587..d7493e210 100644 --- a/src/shared/mgmt.c +++ b/src/shared/mgmt.c @@ -235,11 +235,13 @@ static void request_complete(struct mgmt *mgmt, uint8_t status, request = queue_remove_if(mgmt->pending_list, match_request_opcode_index, &match); + if (request) { + if (request->callback) + request->callback(status, length, param, + request->user_data); - if (request->callback) - request->callback(status, length, param, request->user_data); - - destroy_request(request); + destroy_request(request); + } if (mgmt->destroyed) return; -- 2.47.3
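Review bot: the new `if (request)` guard in request_complete() fixes the NULL dereference (the Valgrind read at address 0x10 is consistent with `request->callback` being read through a NULL `request` returned by queue_remove_if() after mgmt_cancel_index() has destroyed pending_list), but nothing in the code says why a missing request is expected rather than a logic error, so the guard reads like a defensive no-op to the next reader. Please add a one-line comment above the check, e.g. `/* Request may already be gone if the index was removed before the Command Status/Complete event arrived */`, and consider whether silently ignoring the event is enough or whether a debug-level log of the dropped opcode/index would help diagnose future ordering problems. The existing `if (mgmt->destroyed) return;` after the block is still needed, since the callback may have freed mgmt, so keep it outside the new `if (request)` scope as the hunk does.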