adapter->bdaddr is set later in read_info_complete and the current check
always returns false. Check against the bdaddr received in the command
response instead and fail if it is all zeros.

Invalid write of size 8
at 0x41F297: setconf_cfm (a2dp.c:567)
by 0x42526B: session_cb (avdtp.c:3176)
by 0x39B0847A54: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.2)
by 0x39B0847D87: ??? (in /usr/lib64/libglib-2.0.so.0.3400.2)
by 0x39B0848181: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3400.2)
by 0x409C3E: main (main.c:583)
Address 0x555fda8 is 40 bytes inside a block of size 88 free'd
at 0x4A077A6: free (vg_replace_malloc.c:446)
by 0x39B084D79E: g_free (in /usr/lib64/libglib-2.0.so.0.3400.2)
by 0x41E217: setup_cb_free (a2dp.c:191)
by 0x41E410: finalize_config (a2dp.c:234)
by 0x41F296: setconf_cfm (a2dp.c:566)
by 0x42526B: session_cb (avdtp.c:3176)
by 0x39B0847A54: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.2)
by 0x39B0847D87: ??? (in /usr/lib64/libglib-2.0.so.0.3400.2)
by 0x39B0848181: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3400.2)
by 0x409C3E: main (main.c:583)

Sometimes profiles may complete the connection in a different order
than expected, so the code has to check if it was actually the
current pending profile to proceed to the next.

If the pretty hostname is not set, fall back to the static hostname (if it is
set). If the static or pretty hostname is not set, the corresponding properties
are empty strings, not NULLs. This behaviour is recommended by hostnamed.

In case hci_get_route() failed, mark the first adapter on the list as default.
This makes sure the default adapter is always set and that
btd_adapter_get_default will not return NULL if at least one adapter
is registered.

Drivers may depend on the adapter being default or not. This fixes the hostname
plugin setting the default adapter name to 'foo #1' instead of 'foo' if the
pretty hostname was received before probing adapter drivers.

rsp_count is either read or calculated from untrusted input, and
therefore needs to be checked before being used as an offset. The "plen"
variable is appropriate because it is calculated as the sum of the fixed and
variable length fields, excluding the continuation state field, which
has at least 1 byte for its own length field.

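The bounds check described in the rsp_count commit above, as an added example that is not BlueZ code. It uses a constructed, simplified response layout (a 2-byte big-endian count, that many bytes of data, then a continuation state of a 1-byte length plus data); the sample packets and the function name continuation_offset are assumptions made for this example. It shows why plen, which excludes the continuation state, is the right ceiling for the untrusted count before it is used as an offset.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed, simplified layout used by this example:
 *   [0..1]  rsp_count, big-endian byte count of the data that follows
 *   [2..]   rsp_count bytes of response data
 *   then    continuation state: 1-byte length followed by that many bytes
 * plen is the length of everything except the continuation state,
 * i.e. the fixed 2-byte count plus the variable-length data. */
#define FIXED_LEN 2

/* Returns the offset of the continuation state's length byte, or -1 when
 * the untrusted rsp_count would place that offset outside the payload. */
static long continuation_offset(const uint8_t *pdu, size_t pdu_len)
{
    size_t rsp_count, plen, offset, cstate_len;

    /* Need the count field plus at least the 1-byte continuation length. */
    if (pdu_len < FIXED_LEN + 1)
        return -1;

    rsp_count = ((size_t) pdu[0] << 8) | pdu[1];

    /* plen: fixed + variable fields, excluding the continuation state,
     * which takes at least one byte of its own. */
    plen = pdu_len - 1;

    /* The check the commit describes: the untrusted count must not move
     * the offset past plen, otherwise the read below is out of bounds. */
    if (rsp_count > plen - FIXED_LEN)
        return -1;

    offset = FIXED_LEN + rsp_count;   /* strictly less than pdu_len here */
    cstate_len = pdu[offset];

    /* The continuation state itself must fit in what is left. */
    if (offset + 1 + cstate_len != pdu_len)
        return -1;

    return (long) offset;
}

/* Constructed sample packets. */
static const uint8_t good_pdu[]  = { 0x00, 0x03, 0xAA, 0xBB, 0xCC, 0x00 };
static const uint8_t cont_pdu[]  = { 0x00, 0x02, 0x11, 0x22, 0x02, 0xDE, 0xAD };
static const uint8_t evil_pdu[]  = { 0xFF, 0xFF, 0x00 };      /* count far past plen */
static const uint8_t short_pdu[] = { 0x00 };                  /* truncated header */
static const uint8_t trunc_pdu[] = { 0x00, 0x01, 0xAA, 0x05 }; /* continuation cut off */
```

Without the rsp_count check, evil_pdu would make the parser read the continuation length from 65535 bytes past a 3-byte buffer; with it, every malformed packet is rejected before any offset is formed.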
This refactors the code for message processing for future feature additions.
nokia.com:bt and EIR processing is now separated from performing
actions based on received data.

If a2dp_resume() fails, the transport state should not be modified. It
would otherwise enter an inconsistent state where the transport will be
impossible to resume, since acquire() will see the transport in the
TRANSPORT_STATE_REQUESTING state and will thus return
btd_error_not_authorized().

When the client uses ObjectManager to initialize properties, do not call the
property changed callbacks. They should only be called once the proxy
added has been successfully signaled, since the proxy itself provides
a full copy of the available properties.

read_watch_destroy is called when received_data returns FALSE.
Free mgmt in read_watch_destroy instead of received_data to avoid a
use after free.

Invalid write of size 4
at 0x8051604: read_watch_destroy (mgmt.c:271)
by 0x48C7468E: g_source_callback_unref (gmain.c:1457)
by 0x48C77287: g_main_context_dispatch (gmain.c:2723)
by 0x48C774FF: g_main_context_iterate.isra.22 (gmain.c:3290)
by 0x48C77962: g_main_loop_run (gmain.c:3484)
by 0x805393E: tester_run (tester.c:784)
by 0x804D1C7: main (mgmt-tester.c:2558)
Address 0x4039b80 is 16 bytes inside a block of size 76 free'd
at 0x4007F0F: free (vg_replace_malloc.c:446)
by 0x48C7D44B: standard_free (gmem.c:98)
by 0x48C7D607: g_free (gmem.c:252)
by 0x8051BB6: received_data (mgmt.c:337)
by 0x48CBA72E: g_io_unix_dispatch (giounix.c:167)
by 0x48C7715A: g_main_context_dispatch (gmain.c:2715)
by 0x48C774FF: g_main_context_iterate.isra.22 (gmain.c:3290)
by 0x48C77962: g_main_loop_run (gmain.c:3484)
by 0x805393E: tester_run (tester.c:784)
by 0x804D1C7: main (mgmt-tester.c:2558)
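The ordering problem in the read_watch_destroy commit above, as an added example that is not BlueZ or GLib code. It models a GLib-style IO watch with a constructed dispatcher: the callback runs first, and when it returns false the loop removes the source and runs the destroy notify. The object is marked dead instead of being freed so the stale write can be counted rather than relying on undefined behaviour; struct mgmt, dispatch_once, run_buggy and run_fixed are stand-ins invented for this example.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed stand-in for a GLib IO watch: a callback plus the destroy
 * notify registered with it. */
typedef bool (*watch_func)(void *user_data);
typedef void (*destroy_func)(void *user_data);

struct watch {
    watch_func func;
    destroy_func destroy;
    void *user_data;
};

struct mgmt {
    bool alive;                /* false once the object has been "freed" */
    unsigned int read_watch;   /* watch id, cleared by the destroy notify */
};

/* Counts writes that land on an object after it was released. */
static int invalid_writes;

/* Stand-in for freeing the object: mark it dead instead of calling free()
 * so a later access is counted, not undefined behaviour. */
static void mgmt_release(struct mgmt *m)
{
    m->alive = false;
}

static void mgmt_clear_read_watch(struct mgmt *m)
{
    if (!m->alive)
        invalid_writes++;      /* the write valgrind reported above */
    m->read_watch = 0;
}

/* One turn of the loop in the order the main context uses: callback
 * first, destroy notify only when the callback asks to be removed. */
static void dispatch_once(struct watch *w)
{
    if (!w->func(w->user_data))
        w->destroy(w->user_data);
}

/* Buggy ordering: the read callback releases the object on error, and the
 * destroy notify that runs immediately afterwards writes into it. */
static bool buggy_received_data(void *user_data)
{
    mgmt_release(user_data);   /* released too early */
    return false;              /* tells the loop to remove the watch */
}

static void buggy_read_watch_destroy(void *user_data)
{
    mgmt_clear_read_watch(user_data);
}

/* Fixed ordering: the callback only returns false; every piece of
 * teardown, including the release, happens in the destroy notify. */
static bool fixed_received_data(void *user_data)
{
    (void) user_data;
    return false;
}

static void fixed_read_watch_destroy(void *user_data)
{
    struct mgmt *m = user_data;

    mgmt_clear_read_watch(m);  /* object is still alive here */
    mgmt_release(m);
}

/* Runs one dispatch with the given pair and returns the stale-write count. */
static int run(watch_func func, destroy_func destroy)
{
    struct mgmt m = { .alive = true, .read_watch = 1 };
    struct watch w = { func, destroy, &m };

    invalid_writes = 0;
    dispatch_once(&w);
    return invalid_writes;
}

int run_buggy(void) { return run(buggy_received_data, buggy_read_watch_destroy); }
int run_fixed(void) { return run(fixed_received_data, fixed_read_watch_destroy); }
```

The general rule this illustrates: when a source has a destroy notify, the callback must not free the user data it shares with that notify, because the loop will still hand the same pointer to the notify after the callback returns.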