2012-10-23 13:57:05

by Syam Sidhardhan

Subject: [PATCH BlueZ 1/2] audio: Fix headset NULL pointer dereference during AT+BLDN response

While waiting for the AT+BLDN asynchronous response, if RFCOMM got
disconnected, then the response will cause a NULL pointer dereference.

During headset disconnection, the headset state changes from
HEADSET_STATE_CONNECTED to HEADSET_STATE_DISCONNECTED along with
freeing the dev->headset. During the response, in telephony_generic_rsp
it's dereferencing.

Log:
bluetoothd[5573]: audio/headset.c:handle_event() Received AT+BLDN
bluetoothd[5573]: audio/telephony.c:telephony_last_dialed_number_req()
telephony-tizen: last dialed number request
bluetoothd[5573]: audio/telephony.c:dbus_method_call_send() +
bluetoothd[5573]: audio/telephony.c:dbus_method_call_send() -
bluetoothd[5573]: Endpoint replied with an error: org.freedesktop.DBus\
.Error.NoReply
bluetoothd[5573]: audio/telephony.c:telephony_device_disconnected()
telephony-tizen: device 0x40439b60 disconnected
bluetoothd[5573]: audio/headset.c:headset_set_state() State changed
/org/bluez/5573/hci0/dev_BC_47_60_F5_88_89:
HEADSET_STATE_CONNECTED -> HEADSET_STATE_DISCONNECTED
bluetoothd[5573]: audio/media.c:headset_state_changed()
bluetoothd[5573]: audio/media.c:headset_state_changed() Clear endpoint
0x40430620
bluetoothd[5573]: audio/telephony.c:telephony_dial_number_reply()
redial_reply
bluetoothd[5573]: audio/telephony.c:telephony_dial_number_reply()
dial_reply reply: No Call log
---
audio/headset.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/audio/headset.c b/audio/headset.c
index bd83a65..30d24cf 100644
--- a/audio/headset.c
+++ b/audio/headset.c
@@ -689,6 +689,9 @@ static int telephony_generic_rsp(struct audio_device *device, cme_error_t err)
struct headset *hs = device->headset;
struct headset_slc *slc = hs->slc;

+ if (!slc)
+ return -EIO;
+
if ((err != CME_ERROR_NONE) && slc->cme_enabled)
return headset_send(hs, "\r\n+CME ERROR: %d\r\n", err);

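Review bot: the guard lands one line too late for the failure the commit message describes. The message says the disconnect frees `dev->headset`, yet the hunk still executes `struct headset_slc *slc = hs->slc;` before `if (!slc)`, so a NULL or dangling `hs` is dereferenced before the new check runs. Suggest checking `hs` first (`if (!hs || !hs->slc) return -EIO;`) and, on the disconnect side, making sure the freed pointer is actually set to NULL so this check has something to detect; otherwise the pending reply should be cancelled in headset_set_state() when the state drops to HEADSET_STATE_DISCONNECTED.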
--
1.7.4.1
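As an added illustration of the sequence the commit message describes (this is not code from the patch or from BlueZ), the following C model walks through AT+BLDN arriving, the dial request going out asynchronously, RFCOMM optionally dropping, and the reply landing afterwards. The struct and function names mirror the patch; their bodies, the `cme_error_t` values, the `headset_disconnect()` helper and the scenario driver are constructed assumptions. It goes one step beyond the patch by checking `hs` before loading `hs->slc`, since the commit message says the headset itself is freed on disconnect.

```c
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the state in the patch: an audio_device owns a
 * headset, the headset owns a service level connection (slc), and a
 * disconnect frees the slc while an AT+BLDN reply may still be in flight.
 * Names mirror the patch; bodies and enum values are hypothetical. */

typedef enum {
	CME_ERROR_NONE = 0,
	CME_ERROR_NOT_FOUND = 22	/* constructed value for "No Call log" */
} cme_error_t;

struct headset_slc {
	int cme_enabled;		/* peer enabled +CME ERROR reporting */
};

struct headset {
	struct headset_slc *slc;	/* NULL once RFCOMM is gone */
	char last_tx[64];		/* line that would have gone to RFCOMM */
};

struct audio_device {
	struct headset *headset;
};

/* Stand-in for the RFCOMM write: record the line instead of sending it. */
static int headset_send(struct headset *hs, const char *fmt, ...)
{
	va_list ap;

	va_start(ap, fmt);
	vsnprintf(hs->last_tx, sizeof(hs->last_tx), fmt, ap);
	va_end(ap);

	return 0;
}

/* Reply path as patched, with an hs check in front of the hs->slc load so
 * a torn-down headset is caught before anything is dereferenced. */
int telephony_generic_rsp(struct audio_device *device, cme_error_t err)
{
	struct headset *hs = device->headset;
	struct headset_slc *slc;

	if (!hs)
		return -EIO;

	slc = hs->slc;
	if (!slc)
		return -EIO;

	if ((err != CME_ERROR_NONE) && slc->cme_enabled)
		return headset_send(hs, "\r\n+CME ERROR: %d\r\n", err);

	if (err != CME_ERROR_NONE)
		return headset_send(hs, "\r\nERROR\r\n");

	return headset_send(hs, "\r\nOK\r\n");
}

/* Disconnect: free the slc and clear the pointer so a late callback sees
 * NULL rather than a dangling pointer. Clearing is what makes the guard
 * in telephony_generic_rsp() meaningful. */
static void headset_disconnect(struct audio_device *dev)
{
	if (!dev->headset)
		return;

	free(dev->headset->slc);
	dev->headset->slc = NULL;
}

static char g_last_tx[64];	/* copy of the last line the scenario produced */

const char *last_scenario_tx(void)
{
	return g_last_tx;
}

/* Drive the sequence from the commit message. Returns the reply handler's
 * result; the line it produced (if any) is kept for last_scenario_tx(). */
int run_bldn_scenario(int disconnect_before_reply, cme_error_t reply_err)
{
	struct headset_slc *slc = calloc(1, sizeof(*slc));
	struct headset *hs = calloc(1, sizeof(*hs));
	struct audio_device dev = { .headset = hs };
	int rc;

	slc->cme_enabled = 1;
	hs->slc = slc;

	if (disconnect_before_reply)
		headset_disconnect(&dev);	/* RFCOMM drops while waiting */

	rc = telephony_generic_rsp(&dev, reply_err);	/* late reply lands */

	snprintf(g_last_tx, sizeof(g_last_tx), "%s", hs->last_tx);

	free(hs->slc);
	free(hs);

	return rc;
}

int main(void)
{
	int rc = run_bldn_scenario(0, CME_ERROR_NONE);
	printf("connected, reply OK: rc=%d tx=%s", rc, last_scenario_tx());

	rc = run_bldn_scenario(1, CME_ERROR_NOT_FOUND);
	printf("disconnected before reply: rc=%d, nothing sent\n", rc);

	return 0;
}
```

With the connection up the reply is forwarded as before; once the slc has been freed and cleared, the late reply returns -EIO and touches nothing, which is the behaviour the patch is after.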



2012-10-23 13:57:06

by Syam Sidhardhan

Subject: [PATCH BlueZ 2/2] gdbus: Replace leading spaces with tabs

Trivial formatting fix.
---
gdbus/object.c | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/gdbus/object.c b/gdbus/object.c
index 9689006..d58a1a8 100644
--- a/gdbus/object.c
+++ b/gdbus/object.c
@@ -226,7 +226,7 @@ void g_dbus_pending_success(DBusConnection *connection,
{
GSList *list;

- for (list = pending_security; list; list = list->next) {
+ for (list = pending_security; list; list = list->next) {
struct security_data *secdata = list->data;

if (secdata->pending != pending)
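Review bot: whitespace-only change; each `-`/`+` pair in this hunk (and the three that follow) differs only in leading indentation, spaces replaced by tabs, so the loop logic is untouched. Worth confirming with `git show -w` on the commit, which should print an empty diff, before applying.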
@@ -240,7 +240,7 @@ void g_dbus_pending_success(DBusConnection *connection,
dbus_message_unref(secdata->message);
g_free(secdata);
return;
- }
+ }
}

void g_dbus_pending_error_valist(DBusConnection *connection,
@@ -249,7 +249,7 @@ void g_dbus_pending_error_valist(DBusConnection *connection,
{
GSList *list;

- for (list = pending_security; list; list = list->next) {
+ for (list = pending_security; list; list = list->next) {
struct security_data *secdata = list->data;
DBusMessage *reply;

@@ -268,7 +268,7 @@ void g_dbus_pending_error_valist(DBusConnection *connection,
dbus_message_unref(secdata->message);
g_free(secdata);
return;
- }
+ }
}

void g_dbus_pending_error(DBusConnection *connection,
--
1.7.4.1


2012-11-16 08:07:23

by Johan Hedberg

Subject: Re: [PATCH BlueZ 2/2] gdbus: Replace leading spaces with tabs

Hi Syam,

On Tue, Oct 23, 2012, Syam Sidhardhan wrote:
> Trivial formatting fix.
> ---
> gdbus/object.c | 8 ++++----
> 1 files changed, 4 insertions(+), 4 deletions(-)

This patch has been applied. Thanks.

Johan

2012-11-13 16:27:20

by Syam Sidhardhan

Subject: Re: [PATCH BlueZ 1/2] audio: Fix headset NULL pointer dereference during AT+BLDN response

Hi Johan,

On Tue, Nov 13, 2012 at 9:10 PM, Johan Hedberg <[email protected]> wrote:
> Hi Syam,
>
> On Fri, Nov 09, 2012, Syam Sidhardhan wrote:
>> On Tue, Oct 23, 2012 at 7:27 PM, Syam Sidhardhan <[email protected]> wrote:
>> > While waiting for the AT+BLDN asynchronous response, if RFCOMM got
>> > disconnected, then the response will cause a NULL pointer dereference.
>> >
>> > During headset disconnection, the headset state changes from
>> > HEADSET_STATE_CONNECTED to HEADSET_STATE_DISCONNECTED along with
>> > freeing the dev->headset. During the response, in telephony_generic_rsp
>> > it's dereferencing.
>> >
>> > Log:
>> > bluetoothd[5573]: audio/headset.c:handle_event() Received AT+BLDN
>> > bluetoothd[5573]: audio/telephony.c:telephony_last_dialed_number_req()
>> > telephony-tizen: last dialed number request
>> > bluetoothd[5573]: audio/telephony.c:dbus_method_call_send() +
>> > bluetoothd[5573]: audio/telephony.c:dbus_method_call_send() -
>> > bluetoothd[5573]: Endpoint replied with an error: org.freedesktop.DBus\
>> > .Error.NoReply
>> > bluetoothd[5573]: audio/telephony.c:telephony_device_disconnected()
>> > telephony-tizen: device 0x40439b60 disconnected
>> > bluetoothd[5573]: audio/headset.c:headset_set_state() State changed
>> > /org/bluez/5573/hci0/dev_BC_47_60_F5_88_89:
>> > HEADSET_STATE_CONNECTED -> HEADSET_STATE_DISCONNECTED
>> > bluetoothd[5573]: audio/media.c:headset_state_changed()
>> > bluetoothd[5573]: audio/media.c:headset_state_changed() Clear endpoint
>> > 0x40430620
>> > bluetoothd[5573]: audio/telephony.c:telephony_dial_number_reply()
>> > redial_reply
>> > bluetoothd[5573]: audio/telephony.c:telephony_dial_number_reply()
>> > dial_reply reply: No Call log
>> > ---
>> > audio/headset.c | 3 +++
>> > 1 files changed, 3 insertions(+), 0 deletions(-)
>> >
>> > diff --git a/audio/headset.c b/audio/headset.c
>> > index bd83a65..30d24cf 100644
>> > --- a/audio/headset.c
>> > +++ b/audio/headset.c
>> > @@ -689,6 +689,9 @@ static int telephony_generic_rsp(struct audio_device *device, cme_error_t err)
>> > struct headset *hs = device->headset;
>> > struct headset_slc *slc = hs->slc;
>> >
>> > + if (!slc)
>> > + return -EIO;
>> > +
>> > if ((err != CME_ERROR_NONE) && slc->cme_enabled)
>> > return headset_send(hs, "\r\n+CME ERROR: %d\r\n", err);
>> >
>>
>> ping.
>
> This file doesn't exist in bluez.git anymore.
>

Yes, I noticed Luiz's patch which removes headset.c and other
stuff. Thank you.

Regards,
Syam.

2012-11-13 15:40:19

by Johan Hedberg

Subject: Re: [PATCH BlueZ 1/2] audio: Fix headset NULL pointer dereference during AT+BLDN response

Hi Syam,

On Fri, Nov 09, 2012, Syam Sidhardhan wrote:
> On Tue, Oct 23, 2012 at 7:27 PM, Syam Sidhardhan <[email protected]> wrote:
> > While waiting for the AT+BLDN asynchronous response, if RFCOMM got
> > disconnected, then the response will cause a NULL pointer dereference.
> >
> > During headset disconnection, the headset state changes from
> > HEADSET_STATE_CONNECTED to HEADSET_STATE_DISCONNECTED along with
> > freeing the dev->headset. During the response, in telephony_generic_rsp
> > it's dereferencing.
> >
> > Log:
> > bluetoothd[5573]: audio/headset.c:handle_event() Received AT+BLDN
> > bluetoothd[5573]: audio/telephony.c:telephony_last_dialed_number_req()
> > telephony-tizen: last dialed number request
> > bluetoothd[5573]: audio/telephony.c:dbus_method_call_send() +
> > bluetoothd[5573]: audio/telephony.c:dbus_method_call_send() -
> > bluetoothd[5573]: Endpoint replied with an error: org.freedesktop.DBus\
> > .Error.NoReply
> > bluetoothd[5573]: audio/telephony.c:telephony_device_disconnected()
> > telephony-tizen: device 0x40439b60 disconnected
> > bluetoothd[5573]: audio/headset.c:headset_set_state() State changed
> > /org/bluez/5573/hci0/dev_BC_47_60_F5_88_89:
> > HEADSET_STATE_CONNECTED -> HEADSET_STATE_DISCONNECTED
> > bluetoothd[5573]: audio/media.c:headset_state_changed()
> > bluetoothd[5573]: audio/media.c:headset_state_changed() Clear endpoint
> > 0x40430620
> > bluetoothd[5573]: audio/telephony.c:telephony_dial_number_reply()
> > redial_reply
> > bluetoothd[5573]: audio/telephony.c:telephony_dial_number_reply()
> > dial_reply reply: No Call log
> > ---
> > audio/headset.c | 3 +++
> > 1 files changed, 3 insertions(+), 0 deletions(-)
> >
> > diff --git a/audio/headset.c b/audio/headset.c
> > index bd83a65..30d24cf 100644
> > --- a/audio/headset.c
> > +++ b/audio/headset.c
> > @@ -689,6 +689,9 @@ static int telephony_generic_rsp(struct audio_device *device, cme_error_t err)
> > struct headset *hs = device->headset;
> > struct headset_slc *slc = hs->slc;
> >
> > + if (!slc)
> > + return -EIO;
> > +
> > if ((err != CME_ERROR_NONE) && slc->cme_enabled)
> > return headset_send(hs, "\r\n+CME ERROR: %d\r\n", err);
> >
>
> ping.

This file doesn't exist in bluez.git anymore.

Johan

2012-11-09 03:32:39

by Syam Sidhardhan

Subject: Re: [PATCH BlueZ 1/2] audio: Fix headset NULL pointer dereference during AT+BLDN response

Hi,

On Tue, Oct 23, 2012 at 7:27 PM, Syam Sidhardhan <[email protected]> wrote:
> While waiting for the AT+BLDN asynchronous response, if RFCOMM got
> disconnected, then the response will cause a NULL pointer dereference.
>
> During headset disconnection, the headset state changes from
> HEADSET_STATE_CONNECTED to HEADSET_STATE_DISCONNECTED along with
> freeing the dev->headset. During the response, in telephony_generic_rsp
> it's dereferencing.
>
> Log:
> bluetoothd[5573]: audio/headset.c:handle_event() Received AT+BLDN
> bluetoothd[5573]: audio/telephony.c:telephony_last_dialed_number_req()
> telephony-tizen: last dialed number request
> bluetoothd[5573]: audio/telephony.c:dbus_method_call_send() +
> bluetoothd[5573]: audio/telephony.c:dbus_method_call_send() -
> bluetoothd[5573]: Endpoint replied with an error: org.freedesktop.DBus\
> .Error.NoReply
> bluetoothd[5573]: audio/telephony.c:telephony_device_disconnected()
> telephony-tizen: device 0x40439b60 disconnected
> bluetoothd[5573]: audio/headset.c:headset_set_state() State changed
> /org/bluez/5573/hci0/dev_BC_47_60_F5_88_89:
> HEADSET_STATE_CONNECTED -> HEADSET_STATE_DISCONNECTED
> bluetoothd[5573]: audio/media.c:headset_state_changed()
> bluetoothd[5573]: audio/media.c:headset_state_changed() Clear endpoint
> 0x40430620
> bluetoothd[5573]: audio/telephony.c:telephony_dial_number_reply()
> redial_reply
> bluetoothd[5573]: audio/telephony.c:telephony_dial_number_reply()
> dial_reply reply: No Call log
> ---
> audio/headset.c | 3 +++
> 1 files changed, 3 insertions(+), 0 deletions(-)
>
> diff --git a/audio/headset.c b/audio/headset.c
> index bd83a65..30d24cf 100644
> --- a/audio/headset.c
> +++ b/audio/headset.c
> @@ -689,6 +689,9 @@ static int telephony_generic_rsp(struct audio_device *device, cme_error_t err)
> struct headset *hs = device->headset;
> struct headset_slc *slc = hs->slc;
>
> + if (!slc)
> + return -EIO;
> +
> if ((err != CME_ERROR_NONE) && slc->cme_enabled)
> return headset_send(hs, "\r\n+CME ERROR: %d\r\n", err);
>

ping.

Thanks,
Syam