From cce308d62636989d6f4dd792bf27735334b22899 Mon Sep 17 00:00:00 2001 From: Matthias Ringwald Date: Tue, 11 Sep 2018 08:32:03 +0200 Subject: [PATCH] gatt_client: stop timer on disconnect - fixes use after free / crash --- CHANGELOG.md | 3 ++- src/ble/gatt_client.c | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ae9ceb80e..3263ba98a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,7 +12,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0. ### Fixed - HCI/L2CAP: Error creating outgoing connection (e.g. Connection Limit Exceeded) now handled - RFCOMM: Trigger l2cap request to send on rfcomm credits when client is waiting to sendtrigger l2cap request to send on rfcomm credits when client is waiting to send -- L2CAP: Try to emit 'can send now' on HCI Disconnect, if all ACL buffers in Bluetooth Controller have been used for the closed connection +- L2CAP: Evaluate 'can send now' on HCI Disconnect as ACL buffers in Bluetooth Controller have been used for the closed connection are freed implicitly +- GATT Client: stop timer on disconnect - fixes use after free / crash ## Changes August 2018 diff --git a/src/ble/gatt_client.c b/src/ble/gatt_client.c index 87807f000..83e4eb0ad 100644 --- a/src/ble/gatt_client.c +++ b/src/ble/gatt_client.c @@ -1092,8 +1092,9 @@ static void gatt_client_event_packet_handler(uint8_t packet_type, uint16_t chann con_handle = little_endian_read_16(packet,3); peripheral = get_gatt_client_context_for_handle(con_handle); if (!peripheral) break; - gatt_client_report_error_if_pending(peripheral, ATT_ERROR_HCI_DISCONNECT_RECEIVED); + gatt_client_report_error_if_pending(peripheral, ATT_ERROR_HCI_DISCONNECT_RECEIVED); + gatt_client_timeout_stop(peripheral); btstack_linked_list_remove(&gatt_client_connections, (btstack_linked_item_t *) peripheral); btstack_memory_gatt_client_free(peripheral); break;
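Review bot: in the CHANGELOG.md hunk, the rewritten L2CAP entry does not parse ("Evaluate 'can send now' on HCI Disconnect as ACL buffers in Bluetooth Controller have been used for the closed connection are freed implicitly"); suggest "Evaluate 'can send now' on HCI Disconnect, as ACL buffers in the Bluetooth Controller that were used for the closed connection are freed implicitly". The unchanged RFCOMM context line just above it also carries a duplicated phrase ("... when client is waiting to sendtrigger l2cap request to send on rfcomm credits when client is waiting to send"), which could be cleaned up in the same changelog edit. The new "GATT Client: stop timer on disconnect - fixes use after free / crash" entry matches the commit subject and reads fine.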
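Review bot: in the src/ble/gatt_client.c hunk, the `-`/`+` pair for `gatt_client_report_error_if_pending(peripheral, ATT_ERROR_HCI_DISCONNECT_RECEIVED);` differs only in whitespace, which adds noise to an otherwise one-line fix; consider dropping that change or moving it to a separate formatting commit. The functional change, calling `gatt_client_timeout_stop(peripheral);` before `btstack_linked_list_remove` and `btstack_memory_gatt_client_free`, is in the correct order: the timer has to be cancelled while `peripheral` is still a live context, otherwise a timer that fires after the free dereferences released memory, which is the use-after-free the subject line refers to. Placing the stop after the error report is also sound, since any timer a client callback might (re)arm during `gatt_client_report_error_if_pending` is cancelled as well; a short comment on that ordering would help future readers. Since this hunk only covers the HCI disconnect path, it is worth confirming that every other path that frees a GATT client context stops its timer the same way.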