2012-02-07 17:04:24

by Frédéric DALLEAU

Subject: [PATCH] gateway: Fix crash if SCO connection fails

In some situations, a connect callback is created, but
this callback is not added to media_owner. Thus when the owner
is destroyed and at rfcomm disconnect, the callback is executed
with an invalid pointer.
---
audio/gateway.c | 5 +----
1 files changed, 1 insertions(+), 4 deletions(-)

diff --git a/audio/gateway.c b/audio/gateway.c
index bde3e02..fc453dd 100644
--- a/audio/gateway.c
+++ b/audio/gateway.c
@@ -836,12 +836,9 @@ unsigned int gateway_request_stream(struct audio_device *dev,
gateway_stream_cb_t cb, void *user_data)
{
struct gateway *gw = dev->gateway;
- unsigned int id;
GError *err = NULL;
GIOChannel *io;

- id = connect_cb_new(gw, cb, user_data);
-
if (!gw->rfcomm)
get_records(dev);
else if (!gw->sco) {
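Review bot: dropping `id` and the early `connect_cb_new()` call is the whole fix, yet this hunk does not show the path that left the callback orphaned: the body of the `else if (!gw->sco)` branch, where the SCO connect can fail and the function returns without handing the id back to the caller, lies outside the shown context. Please widen the diff context (or name that return path explicitly in the commit message) so a reviewer can confirm that every early return now happens before a callback is allocated, which is what the thread's "id is always returned anyway" objection is really asking.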
@@ -858,7 +855,7 @@ unsigned int gateway_request_stream(struct audio_device *dev,
} else
g_idle_add(request_stream_cb, dev);

- return id;
+ return connect_cb_new(gw, cb, user_data);
}

int gateway_config_stream(struct audio_device *dev, gateway_stream_cb_t cb,
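Review bot: `return connect_cb_new(gw, cb, user_data);` now allocates the callback after every branch has been taken, including the `g_idle_add(request_stream_cb, dev)` one, so the callback is registered after the idle source is scheduled. That ordering is safe only because `g_idle_add()` defers `request_stream_cb` to a later main-loop iteration instead of running it synchronously; a short comment here would stop a future change that invokes the stream callback directly from this path from firing before anything is registered. The commit message should also say plainly that the fix is the move of the allocation past the early-return path, since on the visible lines the returned value itself is unchanged.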
--
1.7.5.4
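The commit message describes a lifetime bug rather than a wrong return value: a callback record is created first, an error path then returns 0, so the owner never learns the id it would need to unregister, and when the owner is later torn down and the RFCOMM link drops, the still-registered callback is invoked with a pointer to a destroyed object. The following is an added, self-contained C model of that sequence, not BlueZ code: `struct gateway`, `struct owner`, `request_stream_before`, `request_stream_after`, `rfcomm_disconnect` and the `sco_connect_fails` flag are all constructed for the illustration, and instead of freeing the owner (which would make the bad call undefined behaviour) the model marks it dead so the dangling invocation can be counted.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed model of the bug fixed by the patch; added example, not audio/gateway.c. */

typedef void (*stream_cb_t)(int err, void *user_data);

struct connect_cb {
    unsigned int id;
    stream_cb_t cb;
    void *user_data;
    struct connect_cb *next;
};

struct gateway {
    bool sco_connect_fails;     /* constructed: simulate the failing SCO connect branch */
    unsigned int next_id;
    struct connect_cb *cbs;     /* pending callbacks, all fired on RFCOMM disconnect */
};

/* Stand-in for the owner that passes itself as user_data. Destruction flips
 * `alive` instead of freeing, so the callback can observe the stale pointer safely. */
struct owner {
    unsigned int cb_id;         /* 0 = owner never received an id to unregister */
    bool alive;
    int dangling_calls;
};

static unsigned int connect_cb_new(struct gateway *gw, stream_cb_t cb, void *user_data)
{
    struct connect_cb *c = calloc(1, sizeof(*c));
    if (!c)
        abort();
    c->id = ++gw->next_id;
    c->cb = cb;
    c->user_data = user_data;
    c->next = gw->cbs;
    gw->cbs = c;
    return c->id;
}

static void connect_cb_remove(struct gateway *gw, unsigned int id)
{
    for (struct connect_cb **pp = &gw->cbs; *pp; pp = &(*pp)->next) {
        if ((*pp)->id == id) {
            struct connect_cb *dead = *pp;
            *pp = dead->next;
            free(dead);
            return;
        }
    }
}

/* Before the patch: callback registered first, then the failure path returns 0,
 * so the caller never gets the id and the record stays in gw->cbs. */
static unsigned int request_stream_before(struct gateway *gw, stream_cb_t cb, void *ud)
{
    unsigned int id = connect_cb_new(gw, cb, ud);
    if (gw->sco_connect_fails)
        return 0;               /* orphaned: registered but unknown to the owner */
    return id;
}

/* After the patch: the failure path exits first; a callback exists only when a
 * non-zero id is actually handed back. */
static unsigned int request_stream_after(struct gateway *gw, stream_cb_t cb, void *ud)
{
    if (gw->sco_connect_fails)
        return 0;
    return connect_cb_new(gw, cb, ud);
}

static void stream_cb(int err, void *user_data)
{
    struct owner *o = user_data;
    (void)err;
    if (!o->alive)
        o->dangling_calls++;    /* the real code would be touching freed memory here */
}

static void owner_destroy(struct gateway *gw, struct owner *o)
{
    if (o->cb_id)
        connect_cb_remove(gw, o->cb_id);   /* only possible if the id was returned */
    o->alive = false;
}

/* RFCOMM going down fires and frees every pending callback. */
static void rfcomm_disconnect(struct gateway *gw)
{
    while (gw->cbs) {
        struct connect_cb *c = gw->cbs;
        gw->cbs = c->next;
        c->cb(-1, c->user_data);
        free(c);
    }
}

/* Runs one owner through request -> destroy -> disconnect and returns how many
 * callbacks fired into an already destroyed owner (0 is the correct result). */
int dangling_calls(bool patched, bool sco_fails)
{
    struct gateway gw = { .sco_connect_fails = sco_fails };
    struct owner o = { .alive = true };
    o.cb_id = patched ? request_stream_after(&gw, stream_cb, &o)
                      : request_stream_before(&gw, stream_cb, &o);
    owner_destroy(&gw, &o);
    rfcomm_disconnect(&gw);
    return o.dangling_calls;
}
```

With the SCO connect failing, the pre-patch ordering yields one callback invoked against a destroyed owner, while the post-patch ordering yields none; when the connect succeeds both orderings return a usable id and the owner unregisters it cleanly, which is why the visible return value alone does not reveal the bug.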



2012-02-07 19:30:42

by Dalleau, Frederic

Subject: Re: [PATCH] gateway: Fix crash if SCO connection fails

Hi Luiz,

2012/2/7 Luiz Augusto von Dentz <[email protected]>
> Hi Frédéric,
> It doesn't seem this changes anything since the id is always returned
> anyway. Have you tried to reproduce it while running with valgrind?

There is one case where the function returns 0.
It doesn't appear in the patch, but you can check in the code.
However I haven't tested with valgrind.

Regards,
Frédéric

2012-02-07 18:07:45

by Luiz Augusto von Dentz

Subject: Re: [PATCH] gateway: Fix crash if SCO connection fails

Hi Frédéric,

2012/2/7 Frédéric Dalleau <[email protected]>:
> In some situations, a connect callback is created, but
> this callback is not added to media_owner. Thus when the owner
> is destroyed and at rfcomm disconnect, the callback is executed
> with an invalid pointer.
> ---
> ?audio/gateway.c | ? ?5 +----
> ?1 files changed, 1 insertions(+), 4 deletions(-)
>
> diff --git a/audio/gateway.c b/audio/gateway.c
> index bde3e02..fc453dd 100644
> --- a/audio/gateway.c
> +++ b/audio/gateway.c
> @@ -836,12 +836,9 @@ unsigned int gateway_request_stream(struct audio_device *dev,
> ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?gateway_stream_cb_t cb, void *user_data)
> ?{
> ? ? ? ?struct gateway *gw = dev->gateway;
> - ? ? ? unsigned int id;
> ? ? ? ?GError *err = NULL;
> ? ? ? ?GIOChannel *io;
>
> - ? ? ? id = connect_cb_new(gw, cb, user_data);
> -
> ? ? ? ?if (!gw->rfcomm)
> ? ? ? ? ? ? ? ?get_records(dev);
> ? ? ? ?else if (!gw->sco) {
> @@ -858,7 +855,7 @@ unsigned int gateway_request_stream(struct audio_device *dev,
> ? ? ? ?} else
> ? ? ? ? ? ? ? ?g_idle_add(request_stream_cb, dev);
>
> - ? ? ? return id;
> + ? ? ? return connect_cb_new(gw, cb, user_data);
> ?}
>
> ?int gateway_config_stream(struct audio_device *dev, gateway_stream_cb_t cb,
> --
> 1.7.5.4

It doesn't seem this changes anything since the id is always returned
anyway. Have you tried to reproduce it while running with valgrind?


--
Luiz Augusto von Dentz