Bluetooth: L2CAP_BR: CID of data sending is invalid
There is a corner case in which the channel is in disconnecting status because a disconnect request has been sent from the peer. At this time, the channel's status is still `BT_L2CAP_CONNECTED`, but it has already been removed from `conn->channels` by calling the function `l2cap_br_remove_tx_cid`, and the disconnect event is notified to the upper layer via the callback `ops->disconnected`. The thread of the callback context is blocked due to the calling of `printk` in the callback function. Then the pending lower-priority thread, which is sending data on this L2CAP channel, is activated. In the function `bt_l2cap_br_send_cb`, a NULL pointer is then obtained for the given CID, and unexpected behavior happens when that NULL pointer is accessed, since the invalid channel pointer is not checked in the function `bt_l2cap_br_send_cb`.

Check the channel pointer after the function `bt_l2cap_br_lookup_tx_cid` is called. If the channel pointer is invalid, return the error code `-ESHUTDOWN` directly.

Signed-off-by: Lyle Zhu <[email protected]>
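The interleaving the commit describes, replayed in a stand-alone model that is not Zephyr code: the channel table, the tx-CID lookup that returns NULL once a channel has been unlinked, and a send path that returns `-ESHUTDOWN` instead of dereferencing that NULL. All structure and function names here are constructed stand-ins for the ones named in the message.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

#define MAX_CHANNELS 4

/* Stand-in for a BR/EDR L2CAP channel: only the fields the race needs. */
struct l2cap_chan {
    uint16_t tx_cid;    /* peer-assigned CID used for outgoing data */
    int connected;      /* 1 while the upper layer still sees it as CONNECTED */
    unsigned sent;      /* PDUs handed to the lower layer */
};

/* Per-connection channel table, analogous to conn->channels. */
struct bt_conn {
    struct l2cap_chan *channels[MAX_CHANNELS];
};

/* Returns NULL when no channel in the table owns cid. */
struct l2cap_chan *lookup_tx_cid(struct bt_conn *conn, uint16_t cid)
{
    for (int i = 0; i < MAX_CHANNELS; i++) {
        if (conn->channels[i] && conn->channels[i]->tx_cid == cid) {
            return conn->channels[i];
        }
    }
    return NULL;
}

/* Disconnect-request path: unlink the channel while its status is unchanged. */
void remove_tx_cid(struct bt_conn *conn, struct l2cap_chan *chan)
{
    for (int i = 0; i < MAX_CHANNELS; i++) {
        if (conn->channels[i] == chan) {
            conn->channels[i] = NULL;
        }
    }
}

/* Send path with the fix: a CID with no channel is an error, not a deref. */
int send_cb(struct bt_conn *conn, uint16_t cid, const uint8_t *buf, size_t len)
{
    struct l2cap_chan *chan = lookup_tx_cid(conn, cid);
    (void)buf;
    if (chan == NULL) {
        return -ESHUTDOWN;   /* channel already gone: report, do not crash */
    }
    chan->sent++;
    return (int)len;
}

/* Replays the interleaving: a send succeeds, the peer's disconnect unlinks the
 * channel, the delayed sender runs again. Returns the channel's status flag,
 * which is still 1, showing why the lookup result itself must be checked. */
int run_scenario(int *first, int *second)
{
    struct l2cap_chan chan = { .tx_cid = 0x0040, .connected = 1, .sent = 0 };
    struct bt_conn conn = { .channels = { &chan } };
    uint8_t payload[3] = { 1, 2, 3 };                      /* constructed data */

    *first = send_cb(&conn, 0x0040, payload, sizeof(payload));
    remove_tx_cid(&conn, &chan);                            /* disconnect arrives */
    *second = send_cb(&conn, 0x0040, payload, sizeof(payload));
    return chan.connected;
}
```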