Commit 66f77f9d authored by Luiz Augusto von Dentz, committed by Anas Nashif

Bluetooth: ATT: Fix crash if bt_l2cap_send_cb fails



This fixes a regression introduced by
10841b9a, as it removed a call to
net_buf_ref which was used not only to keep a reference for resending
but also to prevent bt_l2cap_send_cb from unreffing the buffer in case it
fails.

Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
parent 9e3c7b99
+12 −0
@@ -189,11 +189,23 @@ static int chan_send(struct bt_att_chan *chan, struct net_buf *buf,

	chan->sent = cb ? cb : chan_cb(buf);

	/* bt_l2cap_send_cb takes onwership of the buffer so take another
	 * reference to restore the state in case an error is returned.
	 */
	net_buf_ref(buf);

	err = bt_l2cap_send_cb(chan->att->conn, BT_L2CAP_CID_ATT,
			       buf, att_cb(chan->sent),
			       &chan->chan.chan);
	if (err) {
		/* In case of an error has occurred restore the buffer state as
		 * the extra reference shall have prevented the buffer to be
		 * freed.
		 */
		net_buf_simple_restore(&buf->b, &state);
	} else {
		/* In case of success unref the extra reference taken */
		net_buf_unref(buf);
	}

	return err;
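
Review bot: The `if (err)` branch is only balanced if bt_l2cap_send_cb drops exactly one reference on every failure path. The reference taken by `net_buf_ref(buf)` is never released in this function on error, so a failure path that returns without unreffing would leak the buffer, and one that unrefs twice would leave the caller with a freed buffer. The comment in the error branch should state that contract explicitly (the callee unrefs on failure, the extra reference hands ownership back to the caller) rather than "shall have prevented the buffer to be freed". Separately, `chan->sent` is assigned before the send and the error branch only restores the buffer state, so a failed send leaves `chan->sent` pointing at a callback for a PDU that was never queued; consider resetting it in the error branch or assigning it only after the send succeeds. Minor: "onwership" in the first new comment should be "ownership".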