mirror of
https://git.kernel.org/pub/scm/bluetooth/bluez.git
synced 2024-12-02 00:24:25 +08:00
99f609241c
When doing the Find Included Services GATT procedure, the status of the ATT procedure was being ignored, and in the case of a timeout it is possible to crash bluetooth with an invalid memory access. Valgrind log: ==1755== Invalid read of size 8 ==1755== at 0x46971A: find_included_cb (device.c:2964) ==1755== by 0x4465AE: isd_unref (gatt.c:92) ==1755== by 0x446885: find_included_cb (gatt.c:425) ==1755== by 0x448266: disconnect_timeout (gattrib.c:269) ==1755== by 0x4E76BCA: g_timeout_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.2) ==1755== by 0x4E76044: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.2) ==1755== by 0x4E76377: g_main_context_iterate.isra.24 (in /usr/lib64/libglib-2.0.so.0.3400.2) ==1755== by 0x4E76771: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3400.2) ==1755== by 0x40A2EE: main (main.c:583) ==1755== Address 0x69530a8 is 8 bytes inside a block of size 64 free'd ==1755== at 0x4C2874F: free (vg_replace_malloc.c:446) ==1755== by 0x40BFA6: service_filter (watch.c:486) ==1755== by 0x40BC6A: message_filter (watch.c:554) ==1755== by 0x5160A1D: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.7.2) ==1755== by 0x40AAB7: message_dispatch (mainloop.c:76) ==1755== by 0x4E76BCA: g_timeout_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.2) ==1755== by 0x4E76044: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.2) ==1755== by 0x4E76377: g_main_context_iterate.isra.24 (in /usr/lib64/libglib-2.0.so.0.3400.2) ==1755== by 0x4E76771: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3400.2) ==1755== by 0x40A2EE: main (main.c:583) ==1755== ==1755== Invalid read of size 8 ==1755== at 0x4486D5: g_attrib_get_buffer (gattrib.c:657) ==1755== by 0x4467C5: find_included (gatt.c:363) ==1755== by 0x4465AE: isd_unref (gatt.c:92) ==1755== by 0x446885: find_included_cb (gatt.c:425) ==1755== by 0x448266: disconnect_timeout (gattrib.c:269) ==1755== by 0x4E76BCA: g_timeout_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.2) ==1755== by 0x4E76044: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.2) ==1755== by 0x4E76377: g_main_context_iterate.isra.24 (in /usr/lib64/libglib-2.0.so.0.3400.2) ==1755== by 0x4E76771: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3400.2) ==1755== by 0x40A2EE: main (main.c:583) ==1755== Address 0x18 is not stack'd, malloc'd or (recently) free'd ==1755== ==1755== ==1755== Process terminating with default action of signal 11 (SIGSEGV) ==1755== Access not within mapped region at address 0x18 ==1755== at 0x4486D5: g_attrib_get_buffer (gattrib.c:657) ==1755== by 0x4467C5: find_included (gatt.c:363) ==1755== by 0x4465AE: isd_unref (gatt.c:92) ==1755== by 0x446885: find_included_cb (gatt.c:425) ==1755== by 0x448266: disconnect_timeout (gattrib.c:269) ==1755== by 0x4E76BCA: g_timeout_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.2) ==1755== by 0x4E76044: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.3400.2) ==1755== by 0x4E76377: g_main_context_iterate.isra.24 (in /usr/lib64/libglib-2.0.so.0.3400.2) ==1755== by 0x4E76771: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.3400.2) ==1755== by 0x40A2EE: main (main.c:583) |
||
|---|---|---|
| .. | ||
| att-database.h | ||
| att.c | ||
| att.h | ||
| gatt-service.c | ||
| gatt-service.h | ||
| gatt.c | ||
| gatt.h | ||
| gattrib.c | ||
| gattrib.h | ||
| gatttool.c | ||
| gatttool.h | ||
| interactive.c | ||
| utils.c | ||