opengitway / btstack

Automatically exported from code.google.com/p/btstack

Use after free in rfcomm_multiplexer_state_machine #395

GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. RFCOMM connection is successfully created (using a client and the daemon).
2. The client is closed, causing an L2CAP_DISCONNECT event to be raised.
3. In rfcomm_multiplexer_state_machine, RFCOMM_MULTIPLEXER_SEND_UA_0_AND_DISC is reached. rfcomm_multiplexer_finalize is called, which frees the multiplexer, but multiplexer->at_least_one_connection is being accessed right afterwards.

What version of the product are you using? On what operating system?
Present in the latest r2598.

Original issue reported on code.google.com by kob...@mce-sys.com on 12 Jun 2014 at 7:58
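
The pattern from step 3 of the report, as an added example (not btstack code and not the r2599 change): a one-slot static pool stands in for the allocator so the stale read is observable without undefined behavior. The struct layout, the pool, and the names `mux_alloc`, `handle_disc_buggy`, `handle_disc_fixed` and `run_case` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model; layout and pool are assumptions, not btstack's own code. */
typedef enum { RFCOMM_MULTIPLEXER_OPEN, RFCOMM_MULTIPLEXER_SEND_UA_0_AND_DISC } mux_state_t;
typedef struct {
    mux_state_t state;
    uint8_t     at_least_one_connection;
} rfcomm_multiplexer_t;

static rfcomm_multiplexer_t pool_slot;   /* one-slot static pool (constructed) */

static rfcomm_multiplexer_t *mux_alloc(uint8_t had_connection) {
    pool_slot.state = RFCOMM_MULTIPLEXER_SEND_UA_0_AND_DISC;
    pool_slot.at_least_one_connection = had_connection;
    return &pool_slot;
}

/* Stand-in for rfcomm_multiplexer_finalize: releases the object and poisons it,
 * the way a debug allocator would, so any later read is visibly stale. */
static void rfcomm_multiplexer_finalize(rfcomm_multiplexer_t *m) {
    memset(m, 0xA5, sizeof *m);
}

/* Reported pattern: the field is read after the multiplexer was finalized. */
int handle_disc_buggy(rfcomm_multiplexer_t *m) {
    if (m->state != RFCOMM_MULTIPLEXER_SEND_UA_0_AND_DISC) return -1;
    rfcomm_multiplexer_finalize(m);
    return m->at_least_one_connection;   /* stale read: returns poison */
}

/* Hardened pattern: copy what is needed before releasing the object. */
int handle_disc_fixed(rfcomm_multiplexer_t *m) {
    if (m->state != RFCOMM_MULTIPLEXER_SEND_UA_0_AND_DISC) return -1;
    uint8_t had_connection = m->at_least_one_connection;
    rfcomm_multiplexer_finalize(m);
    return had_connection;               /* value captured while still valid */
}

/* Runs one handler on a fresh multiplexer and returns the value it acted on. */
int run_case(int fixed, uint8_t had_connection) {
    rfcomm_multiplexer_t *m = mux_alloc(had_connection);
    return fixed ? handle_disc_fixed(m) : handle_disc_buggy(m);
}

int main(void) {
    printf("buggy=0x%X fixed=%d\n", (unsigned)run_case(0, 0), run_case(1, 0));
    return 0;
}
```

With a heap allocator the read in `handle_disc_buggy` is undefined behavior, and AddressSanitizer reports it as heap-use-after-free.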

GoogleCodeExporter commented 9 years ago
Ouch. Thanks for reporting. Fixed in r2599

Original comment by matthias.ringwald@gmail.com on 12 Jun 2014 at 8:18