Google Git
Sign in
android / platform / external / bluetooth / bluez / 37b02c1^! / .
commit37b02c1ef9be4f989c9ad5e511f519d35f2bc088[log] [tgz]
authorJohan Hedberg <johan.hedberg@nokia.com>Wed Nov 11 16:43:39 2009 +0200
committerJohan Hedberg <johan.hedberg@nokia.com>Wed Nov 11 16:53:24 2009 +0200
treead42a8e43c381f77e3d200be4cf4e05a7f5e160f
parentcc35f24a2a728c4e8c31ea0c6c11c6b701901861 [diff]
Fix bluetoothd crash when adapter agent exists during authentication

During general bonding or dedicated bonding acceptor
device->authr->agent will point to the adapter agent. However, there's
no direct way to access device->authr if the agent exists while
authentication is ongoing. With the current code this would lead into
accessing free'd memory since device->authr->agent becomes an invalid
pointer.

One way to fix this would be to add reference counting to the agent
objects, but that would be quite intrusive on the way that the code
expects agent_free to behave at the moment and handles agent
re-registration checks. Another option would be to iterate through all
device objects to find if any of them have a reference to the adapter
agent, however this would be quite a waste of CPU cycles (and pretty
ugly imho).

This patch takes neither of these two possibilities but comes with the
realization that maintaining device->authr is completely unnecessary
after the authentication callbacks have been called (currently
device->authr gets reset only when the full pairing process completes).
Since agent_free takes care of the bluetoothd internal callbacks in the
case that the agent exited unexpectedly we simply need to clean up
device->authr in these callbacks, which is what this patch does.

diff --git a/src/device.c b/src/device.c
index f52ff93..de27220 100644
--- a/src/device.c
+++ b/src/device.c

@@ -2044,12 +2044,13 @@
 	struct btd_device *device = auth->device;
 
 	/* No need to reply anything if the authentication already failed */
-	if (!auth->cb)
+	if (!auth || !auth->cb)
 		return;
 
 	((agent_pincode_cb) auth->cb)(agent, err, pincode, device);
 
-	auth->cb = NULL;
+	device->authr = NULL;
+	g_free(auth);
 }
 
 static void confirm_cb(struct agent *agent, DBusError *err, void *data)
@@ -2058,12 +2059,13 @@
 	struct btd_device *device = auth->device;
 
 	/* No need to reply anything if the authentication already failed */
-	if (!auth->cb)
+	if (!auth || !auth->cb)
 		return;
 
 	((agent_cb) auth->cb)(agent, err, device);
 
-	auth->cb = NULL;
+	device->authr = NULL;
+	g_free(auth);
 }
 
 static void passkey_cb(struct agent *agent, DBusError *err, uint32_t passkey,
@@ -2073,12 +2075,13 @@
 	struct btd_device *device = auth->device;
 
 	/* No need to reply anything if the authentication already failed */
-	if (!auth->cb)
+	if (!auth || !auth->cb)
 		return;
 
 	((agent_passkey_cb) auth->cb)(agent, err, passkey, device);
 
-	auth->cb = NULL;
+	device->authr = NULL;
+	g_free(auth);
 }
 
 int device_request_authentication(struct btd_device *device, auth_type_t type,
@@ -2145,7 +2148,7 @@
 	struct agent *agent = auth->agent;
 	DBusError err;
 
-	if (!auth->cb)
+	if (!auth || !auth->cb)
 		return;
 
 	dbus_error_init(&err);