From 086b653b66ac24db7ae130801a404aa5d024240b Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz
Date: Thu, 16 May 2013 14:17:31 +0300
Subject: [PATCH] A2DP: Fix regression introduce by 99c6f5221800a48e8ce0b1e070e97d1c26a0f90b

Commit 99c6f5221800a48e8ce0b1e070e97d1c26a0f90b checks if there is a pending resume and in case OPEN fails it abort it as well, but it can cause a crash if resume was not requested and the setup is freed by finalize_config:
Invalid read of size 4
at 0x4214AD: open_cfm (a2dp.c:730)
by 0x424D07: handle_transport_connect (avdtp.c:878)
by 0x4288F2: avdtp_connect_cb (avdtp.c:2419)
by 0x4458B8: connect_cb (btio.c:230)
by 0x4E79D12: g_main_context_dispatch (gmain.c:2539)
by 0x4E7A05F: g_main_context_iterate.isra.23 (gmain.c:3146)
by 0x4E7A459: g_main_loop_run (gmain.c:3340)
by 0x44B0AC: main (main.c:583)
Address 0x62c8564 is 68 bytes inside a block of size 88 free'd
at 0x4C2A82E: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
by 0x420094: setup_free (a2dp.c:156)
by 0x420101: setup_unref (a2dp.c:168)
by 0x4201CF: setup_cb_free (a2dp.c:191)
by 0x4203DC: finalize_config (a2dp.c:234)
by 0x4214A8: open_cfm (a2dp.c:728)
by 0x424D07: handle_transport_connect (avdtp.c:878)
by 0x4288F2: avdtp_connect_cb (avdtp.c:2419)
by 0x4458B8: connect_cb (btio.c:230)
by 0x4E79D12: g_main_context_dispatch (gmain.c:2539)
by 0x4E7A05F: g_main_context_iterate.isra.23 (gmain.c:3146)
by 0x4E7A459: g_main_loop_run (gmain.c:3340)
---
 profiles/audio/a2dp.c | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/profiles/audio/a2dp.c b/profiles/audio/a2dp.c
index 215f4db9e..c6973ae9c 100644
--- a/profiles/audio/a2dp.c
+++ b/profiles/audio/a2dp.c
@@ -723,16 +723,12 @@ static void open_cfm(struct avdtp *session, struct avdtp_local_sep *sep,
 if (err) {
 setup->stream = NULL;
 setup->err = err;
+ if (setup->start)
+ finalize_resume(setup);
 }
 finalize_config(setup);
- if (!setup->start || !err)
- return;
-
- setup->start = FALSE;
- finalize_resume(setup);
-
 return;
 }
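Review bot: In the `if (err)` branch, `finalize_resume(setup)` now runs before `finalize_config(setup)` with no reference held across the two calls, so the fix depends on call order rather than on the object's lifetime. The valgrind trace in the commit message shows `finalize_config` dropping the last reference through `setup_cb_free` and `setup_unref`; if `finalize_resume` releases its callbacks the same way (its body is not in this hunk), a setup that holds only resume callbacks would be freed before `finalize_config` reads it. Holding a reference around both calls would remove that dependency, for example `setup_ref(setup);` ahead of the branch and `setup_unref(setup);` after `finalize_config(setup);`, assuming the file's ref helper is usable here. The hunk also drops the old `setup->start = FALSE;`, so the flag stays set once the resume has been failed; restoring it just before `finalize_resume(setup);` (with braces on the inner `if`) keeps a surviving setup from looking as if a resume is still pending. `open_cfm` begins above the hunk, so how `setup` is obtained and whether a reference is already held are not visible here.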