diff options
| author | Martijn Coenen <maco@google.com> | 2012-01-20 11:27:45 -0800 |
|---|---|---|
| committer | Martijn Coenen <maco@google.com> | 2012-01-20 11:27:45 -0800 |
| commit | 78b4597397765d73b00995165ee972bbf2e36882 (patch) | |
| tree | d6112ee35dca853821dee6a9b7ad907fc4a1390e /src | |
| parent | 5630038faf48c6c087270d55030dc07f332e4da2 (diff) | |
| download | external_libnfc-nxp-78b4597397765d73b00995165ee972bbf2e36882.zip external_libnfc-nxp-78b4597397765d73b00995165ee972bbf2e36882.tar.gz external_libnfc-nxp-78b4597397765d73b00995165ee972bbf2e36882.tar.bz2 | |
Clear out send/recv callbacks for connectionless sockets.
When a connectionless socket is closed, Connectionless_Abort()
is called, which in turn calls the send and receive callbacks
to indicate abortion. But since these callbacks are not cleared
out after a previous send/receive has completed, this can lead
to spurious callbacks and consequently memory corruption.
Change-Id: Iea7a34829c4db1cae3b49f33117b25b50205683f
Diffstat (limited to 'src')
| -rw-r--r-- | src/phFriNfc_LlcpTransport_Connectionless.c | 17 |
1 files changed, 14 insertions, 3 deletions
diff --git a/src/phFriNfc_LlcpTransport_Connectionless.c b/src/phFriNfc_LlcpTransport_Connectionless.c index 5648c11..941c267 100644 --- a/src/phFriNfc_LlcpTransport_Connectionless.c +++ b/src/phFriNfc_LlcpTransport_Connectionless.c @@ -42,6 +42,7 @@ void Handle_Connectionless_IncommingFrame(phFriNfc_LlcpTransport_t *pLlcpTr /* Test if a socket is registered to get this packet */ if(pLlcpTransport->pSocketTable[i].socket_sSap == dsap && pLlcpTransport->pSocketTable[i].bSocketRecvPending == TRUE) { + pphFriNfc_LlcpTransportSocketRecvFromCb_t pfRecvFromCallback = pLlcpTransport->pSocketTable[i].pfSocketRecvFrom_Cb; /* Reset the RecvPending variable */ pLlcpTransport->pSocketTable[i].bSocketRecvPending = FALSE; @@ -51,8 +52,11 @@ void Handle_Connectionless_IncommingFrame(phFriNfc_LlcpTransport_t *pLlcpTr /* Update the received length */ *pLlcpTransport->pSocketTable[i].receivedLength = psData->length; + /* Clear the Recv callback */ + pLlcpTransport->pSocketTable[i].pfSocketRecvFrom_Cb = NULL; + /* call the Recv callback */ - pLlcpTransport->pSocketTable[i].pfSocketRecvFrom_Cb(pLlcpTransport->pSocketTable[i].pRecvContext,ssap,NFCSTATUS_SUCCESS); + pfRecvFromCallback(pLlcpTransport->pSocketTable[i].pRecvContext,ssap,NFCSTATUS_SUCCESS); break; } } @@ -63,12 +67,17 @@ static void phFriNfc_LlcpTransport_Connectionless_SendTo_CB(void* pContex NFCSTATUS status) { phFriNfc_LlcpTransport_Socket_t *pLlcpSocket = (phFriNfc_LlcpTransport_Socket_t*)pContext; + pphFriNfc_LlcpTransportSocketSendCb_t pfSendCallback = pLlcpSocket->pfSocketSend_Cb; /* Reset the SendPending variable */ pLlcpSocket->bSocketSendPending = FALSE; + /* Clear out the callback */ + pLlcpSocket->pfSocketSend_Cb = NULL; + /* Call the send callback */ - pLlcpSocket->pfSocketSend_Cb(pLlcpSocket->pSendContext,status); + pfSendCallback(pLlcpSocket->pSendContext,status); + } @@ -185,8 +194,10 @@ NFCSTATUS phFriNfc_LlcpTransport_Connectionless_SendTo(phFriNfc_LlcpTransport_So /* Test if a send is pending with this socket */ if(pLlcpSocket->bSocketSendPending == TRUE) { + pphFriNfc_LlcpTransportSocketSendCb_t pfSendCallback = pLlcpSocket->pfSocketSend_Cb; status = NFCSTATUS_FAILED; - pLlcpSocket->pfSocketSend_Cb(pLlcpSocket->pSendContext,status); + pLlcpSocket->pfSocketSend_Cb = NULL; + pfSendCallback(pLlcpSocket->pSendContext,status); } else { |