shared/gatt: Fix NULL pointer dereference

Message ID	20200331104532.365961-1-szymon.janc@codecoup.pl (mailing list archive)
State	Accepted
Delegated to:	Luiz Von Dentz
Headers	show Return-Path: <SRS0=zBKN=5Q=vger.kernel.org=linux-bluetooth-owner@kernel.org> From: Szymon Janc <szymon.janc@codecoup.pl> To: linux-bluetooth@vger.kernel.org Cc: Szymon Janc <szymon.janc@codecoup.pl> Subject: [PATCH] shared/gatt: Fix NULL pointer dereference Date: Tue, 31 Mar 2020 12:45:32 +0200 Message-Id: <20200331104532.365961-1-szymon.janc@codecoup.pl> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-bluetooth-owner@vger.kernel.org Precedence: bulk
Series	shared/gatt: Fix NULL pointer dereference \| expand shared/gatt: Fix NULL pointer dereference

Message ID

20200331104532.365961-1-szymon.janc@codecoup.pl (mailing list archive)

State

Accepted

Delegated to:

Luiz Von Dentz

Headers

From: Szymon Janc <szymon.janc@codecoup.pl>
To: linux-bluetooth@vger.kernel.org
Cc: Szymon Janc <szymon.janc@codecoup.pl>
Subject: [PATCH] shared/gatt: Fix NULL pointer dereference
Date: Tue, 31 Mar 2020 12:45:32 +0200
Message-Id: <20200331104532.365961-1-szymon.janc@codecoup.pl>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-bluetooth-owner@vger.kernel.org
Precedence: bulk

Series

shared/gatt: Fix NULL pointer dereference | expand

Commit Message

Szymon Janc March 31, 2020, 10:45 a.m. UTC

bluetoothd[363094]: src/device.c:device_connect_le() Connection attempt to: 00:AA:01:00:00:23

Program received signal SIGSEGV, Segmentation fault.
write_complete_cb (attr=0x55555580aa30, err=-110, user_data=0x55555585f7c0) at src/shared/gatt-server.c:793
793             util_debug(server->debug_callback, server->debug_data,
(gdb) bt
 #0  write_complete_cb (attr=0x55555580aa30, err=-110, user_data=0x55555585f7c0) at src/shared/gatt-server.c:793
 #1  0x00005555556a5852 in pending_write_result (p=0x555555866030, err=<optimized out>) at src/shared/gatt-db.c:162
 #2  0x00005555556a5ac7 in write_timeout (user_data=0x555555866030) at src/shared/gatt-db.c:1879
 #3  0x00005555556a9b15 in timeout_callback (user_data=user_data@entry=0x555555864b20) at src/shared/timeout-glib.c:34
 #4  0x00007ffff7e1f081 in g_timeout_dispatch (source=source@entry=0x555555864f00, callback=0x5555556a9b00 <timeout_callback>, user_data=0x555555864b20) at ../glib/gmain.c:4705
 #5  0x00007ffff7e1e570 in g_main_dispatch (context=0x5555557d9630) at ../glib/gmain.c:3216
 #6  g_main_context_dispatch (context=context@entry=0x5555557d9630) at ../glib/gmain.c:3881
 #7  0x00007ffff7e1e900 in g_main_context_iterate (context=0x5555557d9630, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:3954
 #8  0x00007ffff7e1ebf3 in g_main_loop_run (loop=0x5555557d75d0) at ../glib/gmain.c:4148
 #9  0x00005555556a9dbd in mainloop_run () at src/shared/mainloop-glib.c:79
 #10 0x00005555556aa36a in mainloop_run_with_signal (func=<optimized out>, user_data=0x0) at src/shared/mainloop-notify.c:201
 #11 0x00005555555bb9e3 in main (argc=<optimized out>, argv=<optimized out>) at src/main.c:770
---
 src/shared/gatt-server.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

Comments

Luiz Augusto von Dentz March 31, 2020, 5:59 p.m. UTC | #1

Hi Szymon,

On Tue, Mar 31, 2020 at 3:48 AM Szymon Janc <szymon.janc@codecoup.pl> wrote:
>
> bluetoothd[363094]: src/device.c:device_connect_le() Connection attempt to: 00:AA:01:00:00:23
>
> Program received signal SIGSEGV, Segmentation fault.
> write_complete_cb (attr=0x55555580aa30, err=-110, user_data=0x55555585f7c0) at src/shared/gatt-server.c:793
> 793             util_debug(server->debug_callback, server->debug_data,
> (gdb) bt
>  #0  write_complete_cb (attr=0x55555580aa30, err=-110, user_data=0x55555585f7c0) at src/shared/gatt-server.c:793
>  #1  0x00005555556a5852 in pending_write_result (p=0x555555866030, err=<optimized out>) at src/shared/gatt-db.c:162
>  #2  0x00005555556a5ac7 in write_timeout (user_data=0x555555866030) at src/shared/gatt-db.c:1879
>  #3  0x00005555556a9b15 in timeout_callback (user_data=user_data@entry=0x555555864b20) at src/shared/timeout-glib.c:34
>  #4  0x00007ffff7e1f081 in g_timeout_dispatch (source=source@entry=0x555555864f00, callback=0x5555556a9b00 <timeout_callback>, user_data=0x555555864b20) at ../glib/gmain.c:4705
>  #5  0x00007ffff7e1e570 in g_main_dispatch (context=0x5555557d9630) at ../glib/gmain.c:3216
>  #6  g_main_context_dispatch (context=context@entry=0x5555557d9630) at ../glib/gmain.c:3881
>  #7  0x00007ffff7e1e900 in g_main_context_iterate (context=0x5555557d9630, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:3954
>  #8  0x00007ffff7e1ebf3 in g_main_loop_run (loop=0x5555557d75d0) at ../glib/gmain.c:4148
>  #9  0x00005555556a9dbd in mainloop_run () at src/shared/mainloop-glib.c:79
>  #10 0x00005555556aa36a in mainloop_run_with_signal (func=<optimized out>, user_data=0x0) at src/shared/mainloop-notify.c:201
>  #11 0x00005555555bb9e3 in main (argc=<optimized out>, argv=<optimized out>) at src/main.c:770
> ---
>  src/shared/gatt-server.c | 12 ++++++------
>  1 file changed, 6 insertions(+), 6 deletions(-)
>
> diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
> index 7e5d652e4..4e07398d2 100644
> --- a/src/shared/gatt-server.c
> +++ b/src/shared/gatt-server.c
> @@ -790,14 +790,14 @@ static void write_complete_cb(struct gatt_db_attribute *attr, int err,
>         struct bt_gatt_server *server = op->server;
>         uint16_t handle;
>
> -       util_debug(server->debug_callback, server->debug_data,
> -                               "Write Complete: err %d", err);
> -
>         if (!server || op->opcode == BT_ATT_OP_WRITE_CMD) {
>                 async_write_op_destroy(op);
>                 return;
>         }
>
> +       util_debug(server->debug_callback, server->debug_data,
> +                                               "Write Complete: err %d", err);
> +
>         handle = gatt_db_attribute_get_handle(attr);
>
>         if (err)
> @@ -914,14 +914,14 @@ static void read_complete_cb(struct gatt_db_attribute *attr, int err,
>         uint16_t mtu;
>         uint16_t handle;
>
> -       util_debug(server->debug_callback, server->debug_data,
> -                               "Read Complete: err %d", err);
> -
>         if (!server) {
>                 async_read_op_destroy(op);
>                 return;
>         }
>
> +       util_debug(server->debug_callback, server->debug_data,
> +                               "Read Complete: err %d", err);
> +
>         mtu = bt_att_get_mtu(server->att);
>         handle = gatt_db_attribute_get_handle(attr);
>
> --
> 2.25.1
>
Applied, thanks.

diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
index 7e5d652e4..4e07398d2 100644
--- a/src/shared/gatt-server.c
+++ b/src/shared/gatt-server.c
@@ -790,14 +790,14 @@  static void write_complete_cb(struct gatt_db_attribute *attr, int err,
 	struct bt_gatt_server *server = op->server;
 	uint16_t handle;
 
-	util_debug(server->debug_callback, server->debug_data,
-				"Write Complete: err %d", err);
-
 	if (!server || op->opcode == BT_ATT_OP_WRITE_CMD) {
 		async_write_op_destroy(op);
 		return;
 	}
 
+	util_debug(server->debug_callback, server->debug_data,
+						"Write Complete: err %d", err);
+
 	handle = gatt_db_attribute_get_handle(attr);
 
 	if (err)
@@ -914,14 +914,14 @@  static void read_complete_cb(struct gatt_db_attribute *attr, int err,
 	uint16_t mtu;
 	uint16_t handle;
 
-	util_debug(server->debug_callback, server->debug_data,
-				"Read Complete: err %d", err);
-
 	if (!server) {
 		async_read_op_destroy(op);
 		return;
 	}
 
+	util_debug(server->debug_callback, server->debug_data,
+				"Read Complete: err %d", err);
+
 	mtu = bt_att_get_mtu(server->att);
 	handle = gatt_db_attribute_get_handle(attr);

shared/gatt: Fix NULL pointer dereference

Commit Message

Comments

Patch