diff mbox series

[Bluez,v1,14/14] core: fix a possible crash when removing devices

Message ID 20210708142059.Bluez.v1.14.Ib24a67a8a849f311d5213f83eaac3cfbc54b7b58@changeid
State New
Headers show
Series [Bluez,v1,01/14] lib: add hash functions for bt_uuid_t | expand

Commit Message

Howard Chung July 8, 2021, 6:23 a.m. UTC
From: Yun-Hao Chung <howardchung@chromium.org>

This patch changes the logic of probe_service so that the same service
will not be added to a device.
---
The crash can be reproduced in the following steps

1. set service allowlist to ['aaaa']
2. pair with any device
3. after the device is disconnected, set service allowlist to an empty
   list
4. remove the device from adapter

In step 3, when allowlist is set to empty, profile that was blocked
will be added to each devices. However, in step 2, profiles the device
provides had already been added. Due the logic of
device.c:probe_service, there will be 2 identical services in
device->services, which causes a double-free error when removing the
device.

 src/device.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff mbox series

Patch

diff --git a/src/device.c b/src/device.c
index 0d7444706336..dba26f787066 100644
--- a/src/device.c
+++ b/src/device.c
@@ -4709,8 +4709,11 @@  static struct btd_service *probe_service(struct btd_device *device,
 		return NULL;
 
 	l = find_service_with_profile(device->services, profile);
+	/* If the service already exists, return NULL so that it won't be added
+	 * to the device->services.
+	 */
 	if (l)
-		return l->data;
+		return NULL;
 
 	service = service_create(device, profile);