Fix accessing free'd memory

3 files changed, 38 insertions, 34 deletions

diff --git a/hcid/dbus.c b/hcid/dbus.c
index 365af30e..162745cd 100644
--- a/hcid/dbus.c
+++ b/hcid/dbus.c
@@ -752,8 +752,9 @@ void hcid_dbus_bonding_process_complete(bdaddr_t *local, bdaddr_t *peer, const u
 
 	l = slist_find(pdata->pending_bondings, peer, pending_bonding_cmp);
 	if (l) {
+		void *d = l->data;
 		pdata->pending_bondings = slist_remove(pdata->pending_bondings, l->data);
-		free(l->data);
+		free(d);
 
 		if (!status) {
 			const char *name = "BondingCreated";
diff --git a/hcid/device.c b/hcid/device.c
index 7beb4fe8..5c3518dd 100644
--- a/hcid/device.c
+++ b/hcid/device.c
@@ -99,28 +99,6 @@ void init_devices(void)
 		memset(devices + i, 0, sizeof(struct hci_dev));
 }
 
-static int device_read_bdaddr(uint16_t dev_id, bdaddr_t *bdaddr)
-{
-	int dd;
-
-	dd = hci_open_dev(dev_id);
-	if (dd < 0) {
-		error("Can't open device hci%d",
-		      dev_id, strerror(errno), errno);
-		return -errno;
-	}
-
-	if (hci_read_bd_addr(dd, bdaddr, 2000) < 0) {
-		error("Can't read address for hci%d: %s (%d)",
-		      dev_id, strerror(errno), errno);
-		return -errno;
-	}
-
-	hci_close_dev(dd);
-
-	return 0;
-}
-
 int add_device(uint16_t dev_id)
 {
 	struct hci_dev *dev;
@@ -140,13 +118,7 @@ int add_device(uint16_t dev_id)
 		dev->ignore = 1;
 	}
 
-	if (bacmp(&di.bdaddr, BDADDR_ANY))
-		bacpy(&dev->bdaddr, &di.bdaddr);
-	else {
-		int ret = device_read_bdaddr(dev_id, &dev->bdaddr);
-		if (ret < 0)
-			return ret;
-	}
+	bacpy(&dev->bdaddr, &di.bdaddr);
 	memcpy(dev->features, di.features, 8);
 
 	info("Device hci%d has been added", dev_id);
@@ -266,6 +238,7 @@ int stop_device(uint16_t dev_id)
 int get_device_address(uint16_t dev_id, char *address, size_t size)
 {
 	struct hci_dev *dev;
+	int dd;
 
 	ASSERT_DEV_ID;
 
@@ -274,6 +247,24 @@ int get_device_address(uint16_t dev_id, char *address, size_t size)
 
 	dev = &devices[dev_id];
 
+	if (bacmp(&dev->bdaddr, BDADDR_ANY))
+		return ba2str(&dev->bdaddr, address);
+
+	dd = hci_open_dev(dev_id);
+	if (dd < 0) {
+		error("Can't open device hci%d",
+					dev_id, strerror(errno), errno);
+		return -errno;
+	}
+
+	if (hci_read_bd_addr(dd, &dev->bdaddr, 2000) < 0) {
+		error("Can't read address for hci%d: %s (%d)",
+					dev_id, strerror(errno), errno);
+		return -errno;
+	}
+
+	hci_close_dev(dd);
+
 	return ba2str(&dev->bdaddr, address);
 }
 
diff --git a/hcid/main.c b/hcid/main.c
index d69326dc..3aea1a89 100644
--- a/hcid/main.c
+++ b/hcid/main.c
@@ -478,7 +478,19 @@ static void init_all_devices(int ctl)
 	for (i = 0; i < dl->dev_num; i++, dr++) {
 		if (hcid.auto_init)
 			init_device(dr->dev_id);
+
+		add_device(dr->dev_id);
+
+		if (hcid.auto_init && hci_test_bit(HCI_UP, &dr->dev_opt))
+			configure_device(dr->dev_id);
+
+		if (hcid.security && hci_test_bit(HCI_UP, &dr->dev_opt))
+			start_security_manager(dr->dev_id);
+
+		start_device(dr->dev_id);
+
 		hcid_dbus_register_device(dr->dev_id);
+		hcid_dbus_start_device(dr->dev_id);
 	}
 
 	free(dl);
@@ -520,6 +532,7 @@ static inline void device_event(GIOChannel *chan, evt_stack_internal *si)
 		info("HCI dev %d registered", sd->dev_id);
 		if (hcid.auto_init)
 			init_device(sd->dev_id);
+		add_device(sd->dev_id);
 		hcid_dbus_register_device(sd->dev_id);
 		break;
 
@@ -531,7 +544,6 @@ static inline void device_event(GIOChannel *chan, evt_stack_internal *si)
 
 	case HCI_DEV_UP:
 		info("HCI dev %d up", sd->dev_id);
-		add_device(sd->dev_id);
 		if (hcid.auto_init)
 			configure_device(sd->dev_id);
 		if (hcid.security)
@@ -705,13 +717,13 @@ int main(int argc, char *argv[])
 	/* Create event loop */
 	event_loop = g_main_new(FALSE);
 
+	/* Initialize already connected devices */
+	init_all_devices(hcid.sock);
+
 	ctl_io = g_io_channel_unix_new(hcid.sock);
 
 	g_io_add_watch(ctl_io, G_IO_IN, io_stack_event, NULL);
 
-	/* Initialize already connected devices */
-	init_all_devices(hcid.sock);
-
 	if (sdp)
 		start_sdp_server();