[PATCH BlueZ 1/2 v2] thermometer: Fix crash while unregistering adapter

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH BlueZ 1/2 v2] thermometer: Fix crash while unregistering adapter
@ 2013-01-28 21:44 Luiz Augusto von Dentz
  2013-01-28 21:44 ` [PATCH BlueZ 2/2 v2] attrib: Don't attempt to unregister event id 0 Luiz Augusto von Dentz
  2013-01-28 22:39 ` [PATCH BlueZ 1/2 v2] thermometer: Fix crash while unregistering adapter Johan Hedberg
  0 siblings, 2 replies; 4+ messages in thread
From: Luiz Augusto von Dentz @ 2013-01-28 21:44 UTC (permalink / raw)
  To: linux-bluetooth

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

Invalid read of size 8
   at 0x448200: g_attrib_unregister (gattrib.c:722)
   by 0x440476: destroy_thermometer (thermometer.c:167)
   by 0x40D849: remove_interface (object.c:656)
   by 0x40DAA9: g_dbus_unregister_interface (object.c:1413)
   by 0x3DF7A63C9C: g_slist_foreach (gslist.c:894)
   by 0x469656: device_remove (device.c:2200)
   by 0x45CDC1: adapter_remove (adapter.c:3884)
   by 0x45F146: index_removed (adapter.c:5442)
   by 0x46BC17: received_data (mgmt.c:252)
   by 0x3DF7A47A74: g_main_context_dispatch (gmain.c:2715)
   by 0x3DF7A47DA7: g_main_context_iterate.isra.24 (gmain.c:3290)
   by 0x3DF7A481A1: g_main_loop_run (gmain.c:3484)
 Address 0x40 is not stack'd, malloc'd or (recently) free'd
---
v2: Print a warning if invalid id is passed to g_attrib_unregister

 profiles/thermometer/thermometer.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/profiles/thermometer/thermometer.c b/profiles/thermometer/thermometer.c
index 0cf14e6..1b299e7 100644
--- a/profiles/thermometer/thermometer.c
+++ b/profiles/thermometer/thermometer.c
@@ -164,12 +164,12 @@ static void destroy_thermometer(gpointer user_data)
 	if (t->attioid > 0)
 		btd_device_remove_attio_callback(t->dev, t->attioid);
 
-	g_attrib_unregister(t->attrib, t->attio_measurement_id);
-	g_attrib_unregister(t->attrib, t->attio_intermediate_id);
-	g_attrib_unregister(t->attrib, t->attio_interval_id);
-
-	if (t->attrib != NULL)
+	if (t->attrib != NULL) {
+		g_attrib_unregister(t->attrib, t->attio_measurement_id);
+		g_attrib_unregister(t->attrib, t->attio_intermediate_id);
+		g_attrib_unregister(t->attrib, t->attio_interval_id);
 		g_attrib_unref(t->attrib);
+	}
 
 	btd_device_unref(t->dev);
 	g_free(t->svc_range);
-- 
1.8.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* [PATCH BlueZ 2/2 v2] attrib: Don't attempt to unregister event id 0
  2013-01-28 21:44 [PATCH BlueZ 1/2 v2] thermometer: Fix crash while unregistering adapter Luiz Augusto von Dentz
@ 2013-01-28 21:44 ` Luiz Augusto von Dentz
  2013-01-28 22:39 ` [PATCH BlueZ 1/2 v2] thermometer: Fix crash while unregistering adapter Johan Hedberg
  1 sibling, 0 replies; 4+ messages in thread
From: Luiz Augusto von Dentz @ 2013-01-28 21:44 UTC (permalink / raw)
  To: linux-bluetooth

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

Id 0 is considered invalid so the code should not even try to lookup for
it in the event list instead print a warning and return FALSE
immediatelly.
---
 attrib/gattrib.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/attrib/gattrib.c b/attrib/gattrib.c
index 58f19d0..01c19f9 100644
--- a/attrib/gattrib.c
+++ b/attrib/gattrib.c
@@ -719,6 +719,11 @@ gboolean g_attrib_unregister(GAttrib *attrib, guint id)
 	struct event *evt;
 	GSList *l;
 
+	if (id == 0) {
+		warn("%s: invalid id", __FUNCTION__);
+		return FALSE;
+	}
+
 	l = g_slist_find_custom(attrib->events, GUINT_TO_POINTER(id),
 							event_cmp_by_id);
 	if (l == NULL)
-- 
1.8.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH BlueZ 1/2 v2] thermometer: Fix crash while unregistering adapter
  2013-01-28 21:44 [PATCH BlueZ 1/2 v2] thermometer: Fix crash while unregistering adapter Luiz Augusto von Dentz
  2013-01-28 21:44 ` [PATCH BlueZ 2/2 v2] attrib: Don't attempt to unregister event id 0 Luiz Augusto von Dentz
@ 2013-01-28 22:39 ` Johan Hedberg
  1 sibling, 0 replies; 4+ messages in thread
From: Johan Hedberg @ 2013-01-28 22:39 UTC (permalink / raw)
  To: Luiz Augusto von Dentz; +Cc: linux-bluetooth

Hi Luiz,

On Mon, Jan 28, 2013, Luiz Augusto von Dentz wrote:
> Invalid read of size 8
>    at 0x448200: g_attrib_unregister (gattrib.c:722)
>    by 0x440476: destroy_thermometer (thermometer.c:167)
>    by 0x40D849: remove_interface (object.c:656)
>    by 0x40DAA9: g_dbus_unregister_interface (object.c:1413)
>    by 0x3DF7A63C9C: g_slist_foreach (gslist.c:894)
>    by 0x469656: device_remove (device.c:2200)
>    by 0x45CDC1: adapter_remove (adapter.c:3884)
>    by 0x45F146: index_removed (adapter.c:5442)
>    by 0x46BC17: received_data (mgmt.c:252)
>    by 0x3DF7A47A74: g_main_context_dispatch (gmain.c:2715)
>    by 0x3DF7A47DA7: g_main_context_iterate.isra.24 (gmain.c:3290)
>    by 0x3DF7A481A1: g_main_loop_run (gmain.c:3484)
>  Address 0x40 is not stack'd, malloc'd or (recently) free'd
> ---
> v2: Print a warning if invalid id is passed to g_attrib_unregister
> 
>  profiles/thermometer/thermometer.c | 10 +++++-----
>  1 file changed, 5 insertions(+), 5 deletions(-)

Both patches have been applied. Thanks.

Johan

^ permalink raw reply	[flat|nested] 4+ messages in thread

* [PATCH BlueZ 1/3] hcidump: Distinct Control and Browsing AVCTP channels
@ 2013-01-31 15:33 Luiz Augusto von Dentz
  2013-01-31 15:33 ` [PATCH BlueZ 1/2 v2] thermometer: Fix crash while unregistering adapter Luiz Augusto von Dentz
  0 siblings, 1 reply; 4+ messages in thread
From: Luiz Augusto von Dentz @ 2013-01-31 15:33 UTC (permalink / raw)
  To: linux-bluetooth

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

This prints the respective channel of the trafic
---
 tools/parser/avctp.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tools/parser/avctp.c b/tools/parser/avctp.c
index 60a5f69..58b181d 100644
--- a/tools/parser/avctp.c
+++ b/tools/parser/avctp.c
@@ -60,7 +60,8 @@ void avctp_dump(int level, struct frame *frm, uint16_t psm)
 	hdr = get_u8(frm);
 	pid = get_u16(frm);
 
-	printf("AVCTP: %s %s: pt 0x%02x transaction %d pid 0x%04x \n",
+	printf("AVCTP %s: %s %s: pt 0x%02x transaction %d pid 0x%04x\n",
+				psm == 23 ? "Control" : "Browsing",
 				hdr & 0x02 ? "Response" : "Command",
 				pt2str(hdr), hdr & 0x0c, hdr >> 4, pid);
 
-- 
1.8.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* [PATCH BlueZ 1/2 v2] thermometer: Fix crash while unregistering adapter
  2013-01-31 15:33 [PATCH BlueZ 1/3] hcidump: Distinct Control and Browsing AVCTP channels Luiz Augusto von Dentz
@ 2013-01-31 15:33 ` Luiz Augusto von Dentz
  0 siblings, 0 replies; 4+ messages in thread
From: Luiz Augusto von Dentz @ 2013-01-31 15:33 UTC (permalink / raw)
  To: linux-bluetooth

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

Invalid read of size 8
   at 0x448200: g_attrib_unregister (gattrib.c:722)
   by 0x440476: destroy_thermometer (thermometer.c:167)
   by 0x40D849: remove_interface (object.c:656)
   by 0x40DAA9: g_dbus_unregister_interface (object.c:1413)
   by 0x3DF7A63C9C: g_slist_foreach (gslist.c:894)
   by 0x469656: device_remove (device.c:2200)
   by 0x45CDC1: adapter_remove (adapter.c:3884)
   by 0x45F146: index_removed (adapter.c:5442)
   by 0x46BC17: received_data (mgmt.c:252)
   by 0x3DF7A47A74: g_main_context_dispatch (gmain.c:2715)
   by 0x3DF7A47DA7: g_main_context_iterate.isra.24 (gmain.c:3290)
   by 0x3DF7A481A1: g_main_loop_run (gmain.c:3484)
 Address 0x40 is not stack'd, malloc'd or (recently) free'd
---
v2: Print a warning if invalid id is passed to g_attrib_unregister

 profiles/thermometer/thermometer.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/profiles/thermometer/thermometer.c b/profiles/thermometer/thermometer.c
index 0cf14e6..1b299e7 100644
--- a/profiles/thermometer/thermometer.c
+++ b/profiles/thermometer/thermometer.c
@@ -164,12 +164,12 @@ static void destroy_thermometer(gpointer user_data)
 	if (t->attioid > 0)
 		btd_device_remove_attio_callback(t->dev, t->attioid);
 
-	g_attrib_unregister(t->attrib, t->attio_measurement_id);
-	g_attrib_unregister(t->attrib, t->attio_intermediate_id);
-	g_attrib_unregister(t->attrib, t->attio_interval_id);
-
-	if (t->attrib != NULL)
+	if (t->attrib != NULL) {
+		g_attrib_unregister(t->attrib, t->attio_measurement_id);
+		g_attrib_unregister(t->attrib, t->attio_intermediate_id);
+		g_attrib_unregister(t->attrib, t->attio_interval_id);
 		g_attrib_unref(t->attrib);
+	}
 
 	btd_device_unref(t->dev);
 	g_free(t->svc_range);
-- 
1.8.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2013-01-31 15:33 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-01-28 21:44 [PATCH BlueZ 1/2 v2] thermometer: Fix crash while unregistering adapter Luiz Augusto von Dentz
2013-01-28 21:44 ` [PATCH BlueZ 2/2 v2] attrib: Don't attempt to unregister event id 0 Luiz Augusto von Dentz
2013-01-28 22:39 ` [PATCH BlueZ 1/2 v2] thermometer: Fix crash while unregistering adapter Johan Hedberg
  -- strict thread matches above, loose matches on Subject: below --
2013-01-31 15:33 [PATCH BlueZ 1/3] hcidump: Distinct Control and Browsing AVCTP channels Luiz Augusto von Dentz
2013-01-31 15:33 ` [PATCH BlueZ 1/2 v2] thermometer: Fix crash while unregistering adapter Luiz Augusto von Dentz

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.