Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp1976529pxb;
        Wed, 30 Mar 2022 13:49:26 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJys5yoH8Ls95hBUGrg4SRz9tygUUI9oWCvq89B39y75DXE9j2uitCSOFynjgpVR5WCaqy7O
X-Received: by 2002:a17:907:d2a:b0:6df:8b4b:2b3b with SMTP id gn42-20020a1709070d2a00b006df8b4b2b3bmr1511689ejc.575.1648673365676;
        Wed, 30 Mar 2022 13:49:25 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1648673365; cv=none;
        d=google.com; s=arc-20160816;
        b=qHeN1xTEDZkMIYMUOFytxiTK2cVvFrI0eJqeiLSB52nBd0vMZ9aGI0BEZ/1KPAgoek
         YBbemn2EtqaK6ComEY/EbuKrWE2XKkKPu1HujLv5Xhx0UeW75/HL1cRoLCM67TQAaWC6
         eDNok7sYoQX5I4qC/VmpoSU5dsAsRBFGj6mxH5tMfwAVFjHcjhO0I9TKElgu05K3lByK
         jw7hMxL0tLCeyhbMLqXN4bTkFGXIUxMcQyboVaCXy6y7SS4s8a9kUXJFwWpLZwxl3Rts
         m51UnOKlUgRPsRpH6PDTt7pMhYfTb4XU0nl60FDLT8o5SniEZoIynzCAtUU0JqFtkhZe
         wLIw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :message-id:date:subject:to:from:dkim-signature;
        bh=w6xiHdfq0xxN5KWibMpAuSW8diasYg7iip3vPc+3SqI=;
        b=h24ECjobEuMbYeHnZFiRMzAdVBFhvC/s94yFQFpZ4ZDyUj39c20rHv95hlxdJ2xNe4
         P/x0mY0k+5sv710iaCb0pRritnYtuARxgvur+Saz/FKlQmNg2mAUDvTEpycs01/BaGaZ
         kBCZHo8O3tkOcrAfAT/WfeAN+KOaIuJ8WTVN5rXHE5G0s/ZQyY7wraFhIKO7GO2FwXct
         AjgkADVtjsL+R168O2U1WTiUU6bQ2eq1JO2vmOdCBAqaYlNZps3ZI0A91wcS/j9OCcCP
         jbqb6FARLuMZKi6bkQTgPwOxQkxh0jDxFc4eaRw3vhjRBk0aKUU99nmesPbibt82dvVs
         tg6Q==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@collabora.com header.s=mail header.b="crK3hh/6";
       spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=collabora.com
Return-Path: <linux-bluetooth-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id jr19-20020a170906515300b006dfe65cdeefsi19832270ejc.87.2022.03.30.13.48.08;
        Wed, 30 Mar 2022 13:49:25 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@collabora.com header.s=mail header.b="crK3hh/6";
       spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=collabora.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S244814AbiC3Ja4 (ORCPT <rfc822;bopamo@gmail.com> + 99 others);
        Wed, 30 Mar 2022 05:30:56 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45998 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S244821AbiC3Jaz (ORCPT
        <rfc822;linux-bluetooth@vger.kernel.org>);
        Wed, 30 Mar 2022 05:30:55 -0400
Received: from bhuna.collabora.co.uk (bhuna.collabora.co.uk [IPv6:2a00:1098:0:82:1000:25:2eeb:e3e3])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 433122ED47
        for <linux-bluetooth@vger.kernel.org>; Wed, 30 Mar 2022 02:29:08 -0700 (PDT)
Received: from [127.0.0.1] (localhost [127.0.0.1])
        (Authenticated sender: fdanis)
        with ESMTPSA id 165471F44489
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=collabora.com;
        s=mail; t=1648632547;
        bh=FfgtYDL2l9wpGYKqYLpfFrAk9rn6nO9x4D9vcKaDIFc=;
        h=From:To:Subject:Date:From;
        b=crK3hh/69PX3uHD7hsyYKApythp51rqCAQNZs6qLX1Vc9qR75lpkSlCMEn58rTUNl
         hYE7LRys2PwW/QsvDEKeSlA8p6yzV0FCrAY4hb1HYSAoXTin9I4qBzONF+NjvhG55C
         +70yD6EuypFhU1D36a5/P2T0hxqWAXdEDxc/k2R520RBJp+dkfTp8HGaApq/cN00jE
         lpD8gBJBZ7ntpYrOLDqu5HCaccYrqxzhDQserN/v754Hpj/xwWDHy2voxHFFbN1Pa7
         2M5M95s3XsCOhKj6lHGTGwmYypTu/Wdn7ipR8ie78TltFz0BoFaevVfGomLSwrhIaj
         hGdhC2AQV+2ww==
From:   =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Danis?= 
        <frederic.danis@collabora.com>
To:     linux-bluetooth@vger.kernel.org
Subject: [BlueZ,v5] a2dp: Fix crash when SEP codec has not been initialized
Date:   Wed, 30 Mar 2022 11:28:44 +0200
Message-Id: <20220330092844.44762-1-frederic.danis@collabora.com>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_PASS,SPF_PASS,
        T_SCC_BODY_TEXT_LINE,UNPARSEABLE_RELAY autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-bluetooth.vger.kernel.org>
X-Mailing-List: linux-bluetooth@vger.kernel.org

If SEP has not been properly discovered avdtp_get_codec may return NULL
thus causing crashes such as when running AVRCP/TG/VLH/BI-01-C after
AVRCP/TG/RCR/BV-04-C.

Prevent remote endpoint registration if its codec is not available.

Remove queue_isempty check from store_remote_seps since that prevents
cleaning up if no seps could be registered.
---
v5: fix avdtp_get_codec() check

 profiles/audio/a2dp.c | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/profiles/audio/a2dp.c b/profiles/audio/a2dp.c
index c3ac432a7..21b3faa47 100644
--- a/profiles/audio/a2dp.c
+++ b/profiles/audio/a2dp.c
@@ -829,9 +829,6 @@ static void store_remote_seps(struct a2dp_channel *chan)
 	char *data;
 	gsize length = 0;
 
-	if (queue_isempty(chan->seps))
-		return;
-
 	ba2str(device_get_address(device), dst_addr);
 
 	snprintf(filename, PATH_MAX, STORAGEDIR "/%s/cache/%s",
@@ -2074,6 +2071,11 @@ static struct a2dp_remote_sep *register_remote_sep(void *data, void *user_data)
 	if (sep)
 		return sep;
 
+	if (!avdtp_get_codec(rsep)) {
+		error("Unable to get remote sep codec");
+		return NULL;
+	}
+
 	sep = new0(struct a2dp_remote_sep, 1);
 	sep->chan = chan;
 	sep->sep = rsep;
@@ -2148,6 +2150,7 @@ static void load_remote_sep(struct a2dp_channel *chan, GKeyFile *key_file,
 	struct avdtp_remote_sep *rsep;
 	uint8_t lseid, rseid;
 	char *value;
+	bool update = false;
 
 	if (!seids)
 		return;
@@ -2206,10 +2209,19 @@ static void load_remote_sep(struct a2dp_channel *chan, GKeyFile *key_file,
 		}
 
 		sep = register_remote_sep(rsep, chan);
-		if (sep)
-			sep->from_cache = true;
+		if (!sep) {
+			avdtp_unregister_remote_sep(chan->session, rsep);
+			update = true;
+			continue;
+		}
+
+		sep->from_cache = true;
 	}
 
+	/* Update cache */
+	if (update)
+		store_remote_seps(chan);
+
 	value = g_key_file_get_string(key_file, "Endpoints", "LastUsed", NULL);
 	if (!value)
 		return;
-- 
2.25.1