adapter: Fix crash when discovering
If a client exits while the start discovery command is pending, it may produce
the following crash:
Invalid read of size 8
at 0x49036E: start_discovery_complete (adapter.c:1428)
by 0x4D4957: request_complete (mgmt.c:261)
by 0x4D5BD4: can_read_data (mgmt.c:353)
by 0x4E717A: watch_callback (io-glib.c:170)
by 0x50CEB76: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.5400.3)
by 0x50CEF1F: ??? (in /usr/lib64/libglib-2.0.so.0.5400.3)
by 0x50CF231: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.5400.3)
by 0x40CEC0: main (main.c:770)
Address 0x0 is not stack'd, malloc'd or (recently) free'd
diff --git a/src/adapter.c b/src/adapter.c
index fc4913e..8a99f52 100644
--- a/src/adapter.c
+++ b/src/adapter.c
@@ -1425,7 +1425,7 @@
const void *param, void *user_data)
{
struct btd_adapter *adapter = user_data;
- struct watch_client *client = adapter->discovery_list->data;
+ struct watch_client *client;
const struct mgmt_cp_start_discovery *rp = param;
DBusMessage *reply;
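Review bot: leaving `client` uninitialized at the declaration (`struct watch_client *client;`) is the right move, since `adapter->discovery_list` is exactly what was NULL in the reported trace (adapter.c:1428, "Address 0x0"), but it means any use of `client` between this declaration and the later assignment is now undefined behaviour rather than a NULL dereference; please double-check that nothing in the lines between touches `client` before it is assigned, or initialize it to NULL here so an accidental early use fails loudly.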
@@ -1434,7 +1434,7 @@
/* Is there are no clients the discovery must have been stopped while
* discovery command was pending.
*/
- if (!client) {
+ if (!adapter->discovery_list) {
struct mgmt_cp_stop_discovery cp;
if (status != MGMT_STATUS_SUCCESS)
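Review bot: switching the guard from `if (!client)` to `if (!adapter->discovery_list)` fixes the real defect, because the old check could never trigger: the list node had already been dereferenced in the initializer, so an empty list crashed before reaching this branch. While touching this block, the comment on the context line reads "Is there are no clients"; suggest "If there are no clients, the discovery must have been stopped while the discovery command was pending." so it states the condition the new check actually tests.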
@@ -1448,6 +1448,8 @@
return;
}
+ client = adapter->discovery_list->data;
+
if (length < sizeof(*rp)) {
btd_error(adapter->dev_id,
"Wrong size of start discovery return parameters");
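Review bot: the assignment `client = adapter->discovery_list->data;` is now only reachable after the empty-list early return, so the dereference is guarded. One thing to confirm: if the exiting client was removed from `discovery_list` while other clients remained, `client` now refers to the list head, i.e. a different client than the one whose command completed; if that is intended (the reply goes to whoever is now first in line), a short comment above the assignment saying so would save the next reader the same question, and since the `length < sizeof(*rp)` check below does not use `client`, the assignment could equally sit after that validation.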