Commit 78388ed

pasinborrrden authored and committed
Fix incoming BLE L2CAP socket double-free on connection teardown (#499)
btAttached() (incoming) now calls c4socket_retain, matching btOpen(), to balance the c4socket_release in NativeC4Socket_closed. Without it the incoming socket was double-freed on teardown (SIGABRT, invalid refCount -6666666).
1 parent 0e90968 commit 78388ed

1 file changed

Lines changed: 4 additions & 0 deletions

common/main/cpp/native_c4btsocketfactory.cc

@@ -79,6 +79,7 @@ static void btOpen(C4Socket* socket,
7979
jint envState = attachJVM(&env, "btOpen");
8080
if (envState != JNI_OK && envState != JNI_EDETACHED) return;
8181

82+
// Balanced by the c4socket_release in NativeC4Socket_closed.
8283
c4socket_retain(socket);
8384

8485
// addr->hostname carries the CBL peer-ID / BT MAC address as a C4Slice.
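
Review bot: The new comment above c4socket_retain(socket) in btOpen names the release site but not the invariant that makes the pairing safe: every path taken after this retain has to end in NativeC4Socket_closed, or the socket leaks. The early return on attachJVM failure sits before the retain, so that path is fine. It would help to state in the comment that any later failure in btOpen must still close the socket through the Java side, or else call c4socket_release directly.
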
@@ -178,6 +179,9 @@ static void btAttached(C4Socket* socket) {
178179

179180
jstring jPeerID = env->NewStringUTF((const char *)ctx->peerID.buf);
180181

182+
// Balanced by the c4socket_release in NativeC4Socket_closed. Mirrors btOpen.
183+
c4socket_retain(socket);
184+
181185
env->CallStaticVoidMethod(
182186
cls_C4BTSocketFactory, m_attached,
183187
(jlong) socket,
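
Review bot: In btAttached the retain is taken immediately before env->CallStaticVoidMethod(cls_C4BTSocketFactory, m_attached, ...), and nothing visible here handles that call failing. If the Java method throws, or jPeerID from NewStringUTF is null, and NativeC4Socket_closed is then never invoked for this socket, the new reference is never released and the double-free is traded for a leak. Suggest checking env->ExceptionCheck() after the call and releasing on that path. The commit touches only this one file, so a regression test that tears down an incoming connection would also be worth adding.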
