Currently, when a transport is released it is cast to bap_transport without
checking if the transport is actually a broadcast one. Then, based on this
cast it is released. Problems may occur with transports that are not
broadcast, but are still cast to bap_transport. This commit fixes this
problem.
Vlad Pruteanu (1):
transport: Check if transport is bcast before it's cast to
bap_transport
profiles/audio/transport.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
--
2.39.2
Currently, when a transport is released it is cast to bap_transport without
checking if the transport is actually a broadcast one. Then, based on this
cast it is released. Problems may occur with transports that are not
broadcast, but are still cast to bap_transport. This commit fixes this
problem.
---
profiles/audio/transport.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/profiles/audio/transport.c b/profiles/audio/transport.c
index e2073451c..555da99a8 100644
--- a/profiles/audio/transport.c
+++ b/profiles/audio/transport.c
@@ -643,7 +643,6 @@ static DBusMessage *release(DBusConnection *conn, DBusMessage *msg,
{
struct media_transport *transport = data;
struct media_owner *owner = transport->owner;
- struct bap_transport *bap = transport->data;
const char *sender;
struct media_request *req;
guint id;
@@ -675,9 +674,17 @@ static DBusMessage *release(DBusConnection *conn, DBusMessage *msg,
req = media_request_create(msg, id);
media_owner_add(owner, req);
- if (bt_bap_stream_get_type(bap->stream) ==
- BT_BAP_STREAM_TYPE_BCAST) {
- bap_disable_complete(bap->stream, 0x00, 0x00, owner);
+ if (!strcmp(media_endpoint_get_uuid(transport->endpoint),
+ BAA_SERVICE_UUID)
+ || !strcmp(media_endpoint_get_uuid(transport->endpoint),
+ BCAA_SERVICE_UUID)) {
+
+ struct bap_transport *bap = transport->data;
+
+ if (bt_bap_stream_get_type(bap->stream) ==
+ BT_BAP_STREAM_TYPE_BCAST) {
+ bap_disable_complete(bap->stream, 0x00, 0x00, owner);
+ }
}
return NULL;
--
2.39.2
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=811394
---Test result---
Test Summary:
CheckPatch PASS 0.48 seconds
GitLint PASS 0.66 seconds
BuildEll PASS 24.09 seconds
BluezMake PASS 724.68 seconds
MakeCheck PASS 12.23 seconds
MakeDistcheck PASS 161.22 seconds
CheckValgrind PASS 221.22 seconds
CheckSmatch PASS 329.59 seconds
bluezmakeextell PASS 107.36 seconds
IncrementalBuild PASS 691.09 seconds
ScanBuild PASS 949.26 seconds
---
Regards,
Linux Bluetooth
Hi Vlad,
This appears to fix the use-after-free in bluez 5.71. Thanks.
Tested-by: Ronan Pigott <[email protected]>
Cheers,
Ronan