From: Ildar Kamaletdinov
CC: Ildar Kamaletdinov
Subject: [PATCH BlueZ 7/7] gatt: Fix double free and freed memory dereference
Date: Fri, 1 Apr 2022 14:14:08 +0300
Message-ID: <20220401111408.3961844-8-i.kamaletdinov@omp.ru>
In-Reply-To: <20220401111408.3961844-1-i.kamaletdinov@omp.ru>
References: <20220401111408.3961844-1-i.kamaletdinov@omp.ru>
X-Mailer: git-send-email 2.35.1
X-Mailing-List: linux-bluetooth@vger.kernel.org

If the device no longer exists or is not paired when the notification is sent, it is possible to get a double free and a dereference of already freed memory. To avoid this we need to recheck the state of the device after sending the notification.

Found by Linux Verification Center (linuxtesting.org) with the SVACE static analysis tool.
---
 src/gatt-database.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/gatt-database.c b/src/gatt-database.c
index d6c94058c..d32f616a9 100644
--- a/src/gatt-database.c
+++ b/src/gatt-database.c
@@ -3877,6 +3877,10 @@ void btd_gatt_database_server_connected(struct btd_gatt_database *database, send_notification_to_device(state, state->pending); + state = find_device_state(database, &bdaddr, bdaddr_type); + if (!state || !state->pending) + return; + free(state->pending->value); free(state->pending); state->pending = NULL;
-- 
2.35.1
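Review bot: the re-lookup after send_notification_to_device() only protects the free path if find_device_state() returns NULL once the device has been torn down, i.e. the device state must be unlinked from the database's list before it is freed; since the commit message does not name the path through which delivering a notification can remove or unpair the device, stating it in the message (or in a one-line comment above the added `state = find_device_state(database, &bdaddr, bdaddr_type);`) would let a reader verify that the guard actually covers it. A second point: the guard frees whatever state->pending refers to after delivery, so if the device survives but delivery replaced the pending entry with a new one, that new entry is freed here; if that cannot happen, say so, otherwise keep the original pointer in a local and skip the free when `state->pending != pending`.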
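As an added illustration (not BlueZ code and not part of this patch), the following constructed C model reproduces the hazard the commit message describes: a callback reached while a notification is being delivered removes the very device being notified, and the caller then frees a pending entry that teardown already released. The fixed flow re-fetches the device state after delivery, exactly as the patch does. The names find_device_state, add_device_state, remove_device_state, send_notification_to_device, delivery_hook, server_connected_fixed and run_scenario, the integer addr field standing in for the Bluetooth address and address type, and the sample bytes are all assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model for this example (not BlueZ code): a database owns a list
 * of per-device states, each optionally holding one pending notification. */
struct pending_notification { unsigned char *value; };
struct device_state {
	int addr;                          /* stands in for bdaddr + bdaddr_type */
	struct pending_notification *pending;
	struct device_state *next;
};
struct database { struct device_state *states; };

static struct device_state *find_device_state(struct database *db, int addr)
{
	for (struct device_state *s = db->states; s; s = s->next)
		if (s->addr == addr)
			return s;
	return NULL;
}

static void add_device_state(struct database *db, int addr,
			     const unsigned char *val, size_t len)
{
	struct device_state *s = calloc(1, sizeof(*s));
	s->addr = addr;
	s->pending = calloc(1, sizeof(*s->pending));
	s->pending->value = malloc(len);
	memcpy(s->pending->value, val, len);
	s->next = db->states;
	db->states = s;
}

/* Device teardown: unlink before freeing so a later lookup returns NULL, not
 * a dangling pointer. It frees the pending entry too, so the caller must
 * never free that entry again. Signature-compatible with delivery_hook. */
static void remove_device_state(struct database *db, int addr)
{
	struct device_state **pp = &db->states;
	while (*pp && (*pp)->addr != addr)
		pp = &(*pp)->next;
	if (!*pp)
		return;
	struct device_state *s = *pp;
	*pp = s->next;
	if (s->pending) {
		free(s->pending->value);
		free(s->pending);
	}
	free(s);
}

/* Hypothetical side effect reached while delivering (an unpair or disconnect
 * handler, say) that removes the device being notified. */
typedef void (*delivery_hook)(struct database *db, int addr);
static void send_notification_to_device(struct database *db,
				struct device_state *state, delivery_hook hook)
{
	if (hook)
		hook(db, state->addr);
	/* From here on 'state' may point at freed memory. */
}

/* The flow after the patch: re-fetch the state once delivery returns. Returns
 * 1 if the pending entry was released here, 0 if the device or its pending
 * entry disappeared during delivery. */
static int server_connected_fixed(struct database *db, int addr, delivery_hook hook)
{
	struct device_state *state = find_device_state(db, addr);
	if (!state || !state->pending)
		return 0;
	send_notification_to_device(db, state, hook);
	state = find_device_state(db, addr);   /* the re-lookup the patch adds */
	if (!state || !state->pending)
		return 0;
	free(state->pending->value);
	free(state->pending);
	state->pending = NULL;
	return 1;
}

/* One scenario on a constructed database with a single device (addr 42): 1 if
 * the caller released the pending entry, 0 if the re-check bailed out. */
static int run_scenario(int remove_during_delivery)
{
	struct database db = { .states = NULL };
	static const unsigned char sample[] = { 0x01, 0x02, 0x03 }; /* constructed */
	add_device_state(&db, 42, sample, sizeof(sample));
	int released = server_connected_fixed(&db, 42,
			remove_during_delivery ? remove_device_state : NULL);
	remove_device_state(&db, 42);   /* release whatever is left */
	return released;
}

int main(void)
{
	printf("kept: %d, removed during delivery: %d\n", run_scenario(0), run_scenario(1));
	return 0;
}
```

With the hook installed, the fixed flow returns 0 and never touches the entry that teardown already freed; building with AddressSanitizer and deleting the re-lookup line is the quickest way to watch the double free and the use of freed memory that the patch prevents.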