Merge branch 'bugfix/alarm_args_double_free_v5.1' into 'release/v5.1'
Bugfix/alarm args double free v5.1

See merge request espressif/esp-idf!27538
jack0c committed Dec 26, 2023
2 parents d24b321 + 244a3f8 commit b7f0139
Showing 2 changed files with 18 additions and 10 deletions.
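--- a/components/bt/host/bluedroid/btc/profile/std/l2cap/btc_l2cap.c
+++ b/components/bt/host/bluedroid/btc/profile/std/l2cap/btc_l2cap.c
@@ -272,15 +272,17 @@ static void close_timeout_handler(void *arg)
 {
 btc_msg_t msg;
 bt_status_t status;
+l2cap_slot_t *slot = (l2cap_slot_t *)arg;
 
 msg.sig = BTC_SIG_API_CB;
 msg.pid = BTC_PID_L2CAP;
 msg.act = BTA_JV_L2CAP_CLOSE_EVT;
 
-status = btc_transfer_context(&msg, arg, sizeof(tBTA_JV), NULL, NULL);
+status = btc_transfer_context(&msg, slot->alarm_arg, sizeof(tBTA_JV), NULL, NULL);
 
-if (arg) {
-free(arg);
+if (slot->alarm_arg) {
+free(slot->alarm_arg);
+slot->alarm_arg = NULL;
 }
 
 if (status != BT_STATUS_SUCCESS) {
@@ -837,16 +839,19 @@ void btc_l2cap_cb_handler(btc_msg_t *msg)
 break;
 }
 memcpy(p_arg, p_data, sizeof(tBTA_JV));
+slot->alarm_arg = (void *)p_arg;
 if ((slot->close_alarm =
-osi_alarm_new("slot", close_timeout_handler, (void *)p_arg, VFS_CLOSE_TIMEOUT)) == NULL) {
+osi_alarm_new("slot", close_timeout_handler, (void *)slot, VFS_CLOSE_TIMEOUT)) == NULL) {
 free(p_arg);
+slot->alarm_arg = NULL;
 param.close.status = ESP_BT_L2CAP_NO_RESOURCE;
 osi_mutex_unlock(&l2cap_local_param.l2cap_slot_mutex);
 BTC_TRACE_ERROR("%s unable to malloc slot close_alarm!", __func__);
 break;
 }
 if (osi_alarm_set(slot->close_alarm, VFS_CLOSE_TIMEOUT) != OSI_ALARM_ERR_PASS) {
 free(p_arg);
+slot->alarm_arg = NULL;
 osi_alarm_free(slot->close_alarm);
 param.close.status = ESP_BT_L2CAP_BUSY;
 osi_mutex_unlock(&l2cap_local_param.l2cap_slot_mutex);
@@ -855,7 +860,6 @@ void btc_l2cap_cb_handler(btc_msg_t *msg)
 }
 BTC_TRACE_WARNING("%s slot rx data will be discard in %d milliseconds!",
 __func__, VFS_CLOSE_TIMEOUT);
-slot->alarm_arg = (void *)p_arg;
 slot->connected = false;
 need_call = false;
 }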
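Review bot: close_timeout_handler now dereferences `slot` with no NULL or liveness check, and it reads, frees and clears `slot->alarm_arg` without `l2cap_local_param.l2cap_slot_mutex`, although btc_l2cap_cb_handler writes the same field while holding that mutex (see the unlock calls in the second hunk). Before this change the callback owned a private heap copy; now it depends on the slot outliving `close_alarm`, so any path that releases the slot without first cancelling the alarm would turn this into a use-after-free, and a concurrent free of `alarm_arg` would still race with the check here. Neither the slot teardown nor the task the alarm callback runs on is visible in these hunks, so this needs confirming; either take the slot mutex around the `alarm_arg` access or record the invariant above the handler, e.g. `/* arg is the slot; it must remain valid until close_alarm has fired or been cancelled */`. The handler's body continues past the first hunk, and the same point applies to close_timeout_handler in btc_spp.c.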
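--- a/components/bt/host/bluedroid/btc/profile/std/spp/btc_spp.c
+++ b/components/bt/host/bluedroid/btc/profile/std/spp/btc_spp.c
@@ -254,15 +254,17 @@ static void close_timeout_handler(void *arg)
 {
 btc_msg_t msg;
 bt_status_t status;
+spp_slot_t *slot = (spp_slot_t *)arg;
 
 msg.sig = BTC_SIG_API_CB;
 msg.pid = BTC_PID_SPP;
 msg.act = BTA_JV_RFCOMM_CLOSE_EVT;
 
-status = btc_transfer_context(&msg, arg, sizeof(tBTA_JV), NULL, NULL);
+status = btc_transfer_context(&msg, slot->alarm_arg, sizeof(tBTA_JV), NULL, NULL);
 
-if (arg) {
-osi_free(arg);
+if (slot->alarm_arg) {
+osi_free(slot->alarm_arg);
+slot->alarm_arg = NULL;
 }
 
 if (status != BT_STATUS_SUCCESS) {
@@ -1211,16 +1213,19 @@ void btc_spp_cb_handler(btc_msg_t *msg)
 break;
 }
 memcpy(p_arg, p_data, sizeof(tBTA_JV));
+slot->alarm_arg = (void *)p_arg;
 if ((slot->close_alarm =
-osi_alarm_new("slot", close_timeout_handler, (void *)p_arg, VFS_CLOSE_TIMEOUT)) == NULL) {
+osi_alarm_new("slot", close_timeout_handler, (void *)slot, VFS_CLOSE_TIMEOUT)) == NULL) {
 free(p_arg);
+slot->alarm_arg = NULL;
 param.close.status = ESP_SPP_NO_RESOURCE;
 osi_mutex_unlock(&spp_local_param.spp_slot_mutex);
 BTC_TRACE_ERROR("%s unable to malloc slot close_alarm!", __func__);
 break;
 }
 if (osi_alarm_set(slot->close_alarm, VFS_CLOSE_TIMEOUT) != OSI_ALARM_ERR_PASS) {
 free(p_arg);
+slot->alarm_arg = NULL;
 osi_alarm_free(slot->close_alarm);
 param.close.status = ESP_SPP_BUSY;
 osi_mutex_unlock(&spp_local_param.spp_slot_mutex);
@@ -1229,7 +1234,6 @@ void btc_spp_cb_handler(btc_msg_t *msg)
 }
 BTC_TRACE_WARNING("%s slot rx data will be discard in %d milliseconds!",
 __func__, VFS_CLOSE_TIMEOUT);
-slot->alarm_arg = (void *)p_arg;
 slot->connected = false;
 need_call = false;
 }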
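Review bot: In the `osi_alarm_set` failure branch of btc_spp_cb_handler, `osi_alarm_free(slot->close_alarm);` leaves `slot->close_alarm` pointing at the freed alarm, the same stale-pointer pattern this commit removes for `alarm_arg` one line above; I would follow it with `slot->close_alarm = NULL;`. The two lines between the second and third hunk are not shown, so this may already be handled there, and the identical branch in btc_l2cap.c deserves the same check. Separately, this file releases the same buffer with `osi_free(slot->alarm_arg)` in the handler and with `free(p_arg)` in both error branches; the allocation is outside the hunk, but one allocator family should be used for it throughout. btc_spp_cb_handler starts and ends outside these hunks.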
