Received: by 2002:a25:683:0:0:0:0:0 with SMTP id 125csp91787ybg; Sun, 31 May 2020 17:57:31 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyTwxGEX1hY3w3aH6z2r8J6KotqE7MNKfCoXB9jnmxofeaRC4ACfwPegr8okQbq6aGrQ4wi X-Received: by 2002:a05:6402:3044:: with SMTP id bu4mr13801135edb.69.1590973051186; Sun, 31 May 2020 17:57:31 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1590973051; cv=none; d=google.com; s=arc-20160816; b=XrZHDPnXnC80fkabkxQ8Bx1D6emmPgNM4Qpq5LXlJss2fu5smalfyBQ72RMvbYI3nC 6RZcIIJ7bW6jJ6VMTLDWRZZxNyWIWS06UWrkVqjsz2Ulj1XWN0b3/+t9jyjDQd0XUrk2 dzD2MsBtOMQQmyaqAHhz8wlzjDqCcWcPhmW9REn/0hnVevGaXPGhRVoUTe5ldBhDV4It 9E2qVtaxs7id20kPf2jKd95tHmCAZGpAqPoNQMgEogdEHmQGDuXYuImk2fkYzSFa+hl6 H7QaNUi/SerPzF5ey8KHbbvjTbKWyhc3vPFwd+TbAA8tgYJDQFms0mEgDpzYUeHGwt7u 4p5w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=bMwHaXbeSkXrwG2sSCSubJWsZKMT+JxW+Nt8ziFLHC8=; b=L8kDB5gbGMngI4kDPsf2zt89JAryGcCJyd9Lh9tKbXZe1tBJuNdsHpqX1onzbihDhB vwNqXY+lTvwsmevRFffZ+IDS3GznqH98rE2xOKiAsmzfaZd2HyAR11idw752z8jI10W6 W9h6s4Xi6hGFPxu6PzrifqWJJ+KIF8rQcQZvjCF1KnIF0T3bShnrnhop3dSZ2mL5JPuX Th5liBkAo9SAHjunXYUk8uKGPIZOQ/Ky2cNF3fHjITtGTodnaD253YleBUnxNScZIE+O JYK/y8DBOIi7VYnXmHsP0SHaRzu87Jzqvv5T5KhubXqcV8HtqMPp8/Z0lxefHAQRRaFk 2XJw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=haiHeVkL; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id f16si46222edc.189.2020.05.31.17.56.48; Sun, 31 May 2020 17:57:31 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@chromium.org header.s=google header.b=haiHeVkL; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=chromium.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728395AbgFAA4F (ORCPT + 99 others); Sun, 31 May 2020 20:56:05 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46772 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726081AbgFAA4F (ORCPT ); Sun, 31 May 2020 20:56:05 -0400 Received: from mail-vs1-xe43.google.com (mail-vs1-xe43.google.com [IPv6:2607:f8b0:4864:20::e43]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5F88CC061A0E for ; Sun, 31 May 2020 17:56:05 -0700 (PDT) Received: by mail-vs1-xe43.google.com with SMTP id 1so4684883vsl.9 for ; Sun, 31 May 2020 17:56:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=bMwHaXbeSkXrwG2sSCSubJWsZKMT+JxW+Nt8ziFLHC8=; b=haiHeVkL6R5ItR1U1IZsbhi4W1XY132nR9OlY8MUO5Z+/VK7ucEWYCCMLxapR+nysE dDOKSJm8Nh0O+Cwl8ZVE6yEUsrY5B8bwnPdwiaMuS8zcnU2TWrm4iOHgJZ7s3aE0I5t0 515jQ+UOuLmqnS1Gv4Yf4E54UdQAyVFB0VmBc= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=bMwHaXbeSkXrwG2sSCSubJWsZKMT+JxW+Nt8ziFLHC8=; b=WuzBJCRDtmM0x/PWTD4A5GX2dfV0OTE3SApoPQFkBe65MpmyhwjzckCKjle4DPR3re 8BR0co6T8zJOdDM8Y7ezUTrGsQWnNDEgEAL2pmG7OXW/NQUW/RoL4xlDFwP6rqLcZwyZ 54ORoCVRP1+dJRf4hKX1JKce4PYkXsAmf3T0PSXzFqN7vvQuzW4hIa4M+zhQFkz2MYtC rYgid0UoPo+NCLJAsHQ0hhildb0EArPYHD4HayBIvX/CGiZ+RYuHaNB712670n6chAM6 7wjHI18pTghB/N9fGex14Eftj4QwoCXcZnoczd8MTnkzThjXmP3n0nPiZs1TLnyUOEPK uREQ== X-Gm-Message-State: AOAM531kpKbb3g89olC2HLkrxmz7wH41er0kj5m0BbQJ4KwxjxrsSjgr UTlSPamq32jU7Db29ou12I3g/9/crmY= X-Received: by 2002:a05:6102:2268:: with SMTP id v8mr10434140vsd.114.1590972964252; Sun, 31 May 2020 17:56:04 -0700 (PDT) Received: from alain.c.googlers.com.com (252.177.243.35.bc.googleusercontent.com. [35.243.177.252]) by smtp.gmail.com with ESMTPSA id r17sm350701vsi.34.2020.05.31.17.56.02 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 31 May 2020 17:56:03 -0700 (PDT) From: Alain Michaud To: linux-bluetooth@vger.kernel.org Cc: Alain Michaud Subject: [BlueZ PATCH] a2dp:fixing double free in load_remote_sep Date: Mon, 1 Jun 2020 00:56:00 +0000 Message-Id: <20200601005600.254025-1-alainm@chromium.org> X-Mailer: git-send-email 2.27.0.rc2.251.g90737beb825-goog MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-bluetooth-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org This patch fixes a double free condition in load_remote_sep. Value is freed, then the inner loop is broken, but the rest of the outer loop will attempt to free value again. --- profiles/audio/a2dp.c | 1 - 1 file changed, 1 deletion(-) diff --git a/profiles/audio/a2dp.c b/profiles/audio/a2dp.c index a2ce3204d..6f46c92bf 100644 --- a/profiles/audio/a2dp.c +++ b/profiles/audio/a2dp.c @@ -1967,7 +1967,6 @@ static void load_remote_sep(struct a2dp_channel *chan, GKeyFile *key_file, if (sscanf(caps + i, "%02hhx", tmp) != 1) { warn("Unable to load Endpoint: seid %u", rseid); - g_free(value); break; } } -- 2.27.0.rc2.251.g90737beb825-goog