
[BlueZ,7/7] gatt: Fix double free and freed memory dereference

Message ID 20220401074640.3956695-8-i.kamaletdinov@omp.ru
State New
Series: Fix bugs found by SVACE static analysis tool

Commit Message

Ildar Kamaletdinov April 1, 2022, 7:46 a.m. UTC
In the condition where the device no longer exists or is not paired when
sending a notification, it is possible for a double free and a dereference
of already freed memory to occur.

To avoid this we need to recheck the state of the device after sending the
notification.

Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool.
---
 src/gatt-database.c | 4 ++++
 1 file changed, 4 insertions(+)
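The commit message describes the bug pattern only in general terms: a pointer to per-device state is cached, the notification send runs code that can tear that device down, and the caller then frees through the stale pointer. The following C program is an added example written for this page, not BlueZ code: it models a pool of device states, a send that can remove the device re-entrantly, and the pre-patch and post-patch handler shapes side by side. `gatt_database`, `find_device_state`, `send_notification_to_device` and the `server_connected_*` handlers are stand-ins for the real functions, `unpair_during_send` is a constructed race trigger, and memory goes through a small tracker that counts a second free instead of corrupting the heap, so the unsafe path runs deterministically.

```c
/* Added example, not BlueZ code: models the double free / use-after-free
 * fixed by rechecking the device state after the notification is sent. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_DEVICES 4
#define MAX_TRACKED 64

struct pending_notif {
	uint8_t *value;                 /* attribute value queued for notification */
	size_t len;
};

struct device_state {
	bool alive;                     /* dead slot instead of free(): keeps stale reads defined */
	char bdaddr[18];                /* text address stands in for bdaddr_t + bdaddr_type */
	struct pending_notif *pending;
};

struct gatt_database {
	struct device_state pool[MAX_DEVICES];
	const char *unpair_during_send; /* constructed race trigger, NULL = no race */
};

/* Free tracker: releases nothing until tracker_reset(), so freed memory can be
 * inspected deterministically and a second free is counted, not executed. */
static void *g_freed[MAX_TRACKED];
static int g_nfreed, g_double_frees, g_uaf_derefs;

static void tracked_free(void *p)
{
	for (int i = 0; i < g_nfreed; i++)
		if (g_freed[i] == p) { g_double_frees++; return; }
	if (g_nfreed < MAX_TRACKED)
		g_freed[g_nfreed++] = p;
}

static void tracker_reset(void)
{
	for (int i = 0; i < g_nfreed; i++)
		free(g_freed[i]);
	g_nfreed = g_double_frees = g_uaf_derefs = 0;
}

/* Only live states are found, exactly what makes the post-send re-lookup safe. */
static struct device_state *find_device_state(struct gatt_database *db, const char *bdaddr)
{
	for (int i = 0; i < MAX_DEVICES; i++)
		if (db->pool[i].alive && strcmp(db->pool[i].bdaddr, bdaddr) == 0)
			return &db->pool[i];
	return NULL;
}

static struct device_state *add_device_state(struct gatt_database *db, const char *bdaddr,
					     const uint8_t *value, size_t len)
{
	struct device_state *s = NULL;
	for (int i = 0; i < MAX_DEVICES && !s; i++)
		if (!db->pool[i].alive)
			s = &db->pool[i];
	if (!s)
		return NULL;
	s->alive = true;
	snprintf(s->bdaddr, sizeof s->bdaddr, "%s", bdaddr);
	s->pending = malloc(sizeof *s->pending);
	s->pending->value = malloc(len);
	memcpy(s->pending->value, value, len);
	s->pending->len = len;
	return s;
}

/* Tear-down on disconnect/unpair: frees the pending notification and the state.
 * The stale state->pending pointer is deliberately left in the dead slot, like
 * freed memory whose contents have not been reused yet. */
static void remove_device_state(struct device_state *s)
{
	if (s->pending) {
		tracked_free(s->pending->value);
		tracked_free(s->pending);
	}
	s->alive = false;
}

static void send_notification_to_device(struct gatt_database *db, struct device_state *s)
{
	(void)s->pending->len;          /* the ATT write itself is not modelled */
	/* Re-entrant tear-down: the device dropped out while the send was handled. */
	if (db->unpair_during_send && strcmp(db->unpair_during_send, s->bdaddr) == 0)
		remove_device_state(s);
}

/* Pre-patch shape: trusts the pointer cached before the send. */
static void server_connected_unsafe(struct gatt_database *db, const char *bdaddr)
{
	struct device_state *state = find_device_state(db, bdaddr);
	if (!state || !state->pending)
		return;
	send_notification_to_device(db, state);
	if (!state->alive)
		g_uaf_derefs++;         /* instrumentation only: next line reads freed memory */
	tracked_free(state->pending->value);
	tracked_free(state->pending);
	state->pending = NULL;
}

/* Post-patch shape: look the state up again and bail out if it is gone. */
static void server_connected_fixed(struct gatt_database *db, const char *bdaddr)
{
	struct device_state *state = find_device_state(db, bdaddr);
	if (!state || !state->pending)
		return;
	send_notification_to_device(db, state);
	state = find_device_state(db, bdaddr);
	if (!state || !state->pending)
		return;
	tracked_free(state->pending->value);
	tracked_free(state->pending);
	state->pending = NULL;
}

/* Runs one handler with or without the race and returns the number of memory
 * faults (double frees plus dereferences of a dead state) the tracker saw. */
static int run_scenario(void (*handler)(struct gatt_database *, const char *), bool race)
{
	static const uint8_t value[] = { 0x01, 0x02, 0x03 };   /* constructed attribute value */
	struct gatt_database db;
	memset(&db, 0, sizeof db);
	struct device_state *s = add_device_state(&db, "AA:BB:CC:DD:EE:01", value, sizeof value);
	db.unpair_during_send = race ? s->bdaddr : NULL;
	handler(&db, "AA:BB:CC:DD:EE:01");
	int faults = g_double_frees + g_uaf_derefs;
	if (s->alive)
		remove_device_state(s); /* release whatever the handler left behind */
	tracker_reset();
	return faults;
}

int main(void)
{
	printf("unsafe, no race: %d faults\n", run_scenario(server_connected_unsafe, false));
	printf("unsafe, race:    %d faults\n", run_scenario(server_connected_unsafe, true));
	printf("fixed,  race:    %d faults\n", run_scenario(server_connected_fixed, true));
	return 0;
}
```

Under the race the unsafe handler produces three faults (one dereference of the dead state and two double frees, one for the value and one for the pending struct), while the fixed handler produces none because the second `find_device_state()` returns NULL once the device is gone. The re-lookup works only because the lookup is keyed by address rather than by the cached pointer, which is the property the patch relies on.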

Patch

diff --git a/src/gatt-database.c b/src/gatt-database.c
index d6c94058c..d32f616a9 100644
--- a/src/gatt-database.c
+++ b/src/gatt-database.c
@@ -3877,6 +3877,10 @@  void btd_gatt_database_server_connected(struct btd_gatt_database *database,
 
 	send_notification_to_device(state, state->pending);
 
+	state = find_device_state(database, &bdaddr, bdaddr_type);
+	if (!state || !state->pending)
+		return;
+
 	free(state->pending->value);
 	free(state->pending);
 	state->pending = NULL;
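Review bot: The added re-lookup `state = find_device_state(database, &bdaddr, bdaddr_type);` carries no explanation of why the pointer obtained before `send_notification_to_device()` can no longer be trusted, so a later reader is likely to "simplify" it away; a one-line comment such as `/* the device may have been removed while sending, look it up again */` above the new block would preserve the intent. The early `return` also silently skips the `free(state->pending->value)` / `free(state->pending)` pair when the state still exists but `state->pending` is already NULL, which is fine for that case, but when `state` itself is NULL the hunk relies on whoever freed the state having freed its pending notification too; that ownership should be confirmed in the tear-down path, otherwise the fix trades a double free for a leak.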