From: Ildar Kamaletdinov
To:
CC: Ildar Kamaletdinov
Subject: [PATCH BlueZ 7/7] gatt: Fix double free and freed memory dereference
Date: Fri, 1 Apr 2022 10:46:40 +0300
Message-ID: <20220401074640.3956695-8-i.kamaletdinov@omp.ru>
In-Reply-To: <20220401074640.3956695-1-i.kamaletdinov@omp.ru>
References: <20220401074640.3956695-1-i.kamaletdinov@omp.ru>
X-Mailing-List: linux-bluetooth@vger.kernel.org

In a condition where the device no longer exists or is not paired when sending a notification, it is possible for a double free and a dereference of already freed memory to occur. To avoid this we need to recheck the state of the device after sending the notification.

Found by Linux Verification Center (linuxtesting.org) with the SVACE static analysis tool.
---
 src/gatt-database.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/gatt-database.c b/src/gatt-database.c index d6c94058c..d32f616a9 100644 --- a/src/gatt-database.c +++ b/src/gatt-database.c @@ -3877,6 +3877,10 @@ void btd_gatt_database_server_connected(struct btd_gatt_database *database, send_notification_to_device(state, state->pending); + state = find_device_state(database, &bdaddr, bdaddr_type); + if (!state || !state->pending) + return; + free(state->pending->value); free(state->pending); state->pending = NULL;
-- 
2.34.0
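Review bot: the second find_device_state(database, &bdaddr, bdaddr_type) after send_notification_to_device() is the right guard against the callback tearing the device state down, but nothing in the hunk says so, and since bdaddr/bdaddr_type were clearly already used for a lookup earlier in this function the repeated call reads as a redundant copy; add a one-line comment above it, e.g. `/* the notification may have removed the device, so state may be stale */`. Consider also the alternative of taking ownership before the call: move state->pending into a local, set state->pending = NULL, then send and free the local. That never touches `state` after send_notification_to_device() returns and does not rely on the second lookup handing back the same object; as written, if the lookup ever returned a freshly created state for the same address with its own pending, that pending would be freed here instead of the one that was just sent.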
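To make the failure mode in the commit message concrete, here is an added example in C; it is not BlueZ code and not part of this patch. A tiny registry of device states hands each device's pending notification to a callback, and one callback models the "device no longer exists or is not paired" case by removing the device (and freeing the pending it owns) before returning. The fixed flow mirrors the patched btd_gatt_database_server_connected(): it looks the state up again after the callback instead of freeing through the stale pointer. struct database, the integer addr (standing in for bdaddr + bdaddr_type), notify_cb and run_scenarios are this example's own names and assumptions.

```c
/*
 * Added example, not BlueZ code: models the ownership bug the commit message
 * describes. A registry hands a device's pending notification to a callback;
 * the callback may tear the device down ("no longer exists or not paired"),
 * freeing the state and the pending it owns. struct database, addr (standing
 * in for bdaddr + bdaddr_type) and notify_cb are this example's own names.
 */
#include <stdlib.h>
#include <string.h>

#define MAX_STATES 4

struct pending { char *value; };
struct device_state { int addr; struct pending *pending; /* owned */ };
struct database { struct device_state *states[MAX_STATES]; };
typedef void (*notify_cb)(struct database *db, struct device_state *state);

static struct device_state *find_device_state(struct database *db, int addr)
{
	for (int i = 0; i < MAX_STATES; i++)
		if (db->states[i] && db->states[i]->addr == addr)
			return db->states[i];
	return NULL;
}

/* Registers a device with one pending notification carrying `value`. */
static int add_device_state(struct database *db, int addr, const char *value)
{
	int i;
	for (i = 0; i < MAX_STATES && db->states[i]; i++)
		;
	struct device_state *s = calloc(1, sizeof(*s));
	struct pending *p = calloc(1, sizeof(*p));
	size_t n = strlen(value) + 1;
	if (i == MAX_STATES || !s || !p || !(p->value = malloc(n))) {
		free(s);
		free(p);
		return -1;
	}
	memcpy(p->value, value, n);
	s->addr = addr;
	s->pending = p;
	db->states[i] = s;
	return 0;
}

/* Tears the state down together with the pending it owns. */
static void remove_device_state(struct database *db, int addr)
{
	for (int i = 0; i < MAX_STATES; i++) {
		struct device_state *s = db->states[i];
		if (!s || s->addr != addr)
			continue;
		if (s->pending)
			free(s->pending->value);
		free(s->pending);
		free(s);
		db->states[i] = NULL;
	}
}

static void notify_keep(struct database *db, struct device_state *state)
{
	(void)db; (void)state;                /* device survives the notification */
}

static void notify_and_remove(struct database *db, struct device_state *state)
{
	remove_device_state(db, state->addr); /* unpaired mid-notification */
}

/*
 * Same shape as the patched btd_gatt_database_server_connected(). The pre-fix
 * flow freed state->pending through the pointer taken before cb(); with
 * notify_and_remove that is a use-after-free followed by a double free.
 * Returns 1 if the pending was released here, 0 if cb() tore the state down,
 * -1 if there was nothing to send.
 */
int server_connected_fixed(struct database *db, int addr, notify_cb cb)
{
	struct device_state *state = find_device_state(db, addr);
	if (!state || !state->pending)
		return -1;
	cb(db, state);
	/* cb() may have freed `state`: look it up again, never reuse the old pointer */
	state = find_device_state(db, addr);
	if (!state || !state->pending)
		return 0;
	free(state->pending->value);
	free(state->pending);
	state->pending = NULL;
	return 1;
}

/* Drives both callbacks through the fixed flow; 0 on success, else the failing step. */
int run_scenarios(void)
{
	struct database db = {{0}};
	struct device_state *s;
	if (add_device_state(&db, 1, "first") || add_device_state(&db, 2, "second"))
		return 1;
	/* device 1 vanishes inside the callback: nothing is left for us to free */
	if (server_connected_fixed(&db, 1, notify_and_remove) != 0 || find_device_state(&db, 1))
		return 2;
	/* device 2 survives: its pending is released and cleared exactly once */
	if (server_connected_fixed(&db, 2, notify_keep) != 1)
		return 3;
	s = find_device_state(&db, 2);
	if (!s || s->pending || server_connected_fixed(&db, 2, notify_keep) != -1)
		return 4;
	remove_device_state(&db, 2);
	return 0;
}
```

Running the two scenarios under a sanitizer (e.g. `-fsanitize=address`) is the useful check: the fixed flow is clean in both, whereas freeing through the pre-callback pointer in the notify_and_remove case is reported as a heap-use-after-free and then a double-free, which is exactly what the patch's re-lookup prevents.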