From: Ildar Kamaletdinov
To:
CC: Ildar Kamaletdinov
Subject: [PATCH BlueZ 6/6] gatt: Fix double free and freed memory dereference
Date: Fri, 1 Apr 2022 15:16:47 +0300
Message-ID: <20220401121647.3985682-7-i.kamaletdinov@omp.ru>
In-Reply-To: <20220401121647.3985682-1-i.kamaletdinov@omp.ru>
References: <20220401121647.3985682-1-i.kamaletdinov@omp.ru>
X-Mailing-List: linux-bluetooth@vger.kernel.org

If the device no longer exists or is not paired when the notification is sent, it is possible to get a double free and a dereference of already freed memory. To avoid this we need to recheck the state of the device after sending the notification.

Found by Linux Verification Center (linuxtesting.org) with the SVACE static analysis tool.

--- src/gatt-database.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/gatt-database.c b/src/gatt-database.c index d6c94058c..d32f616a9 100644 --- a/src/gatt-database.c +++ b/src/gatt-database.c @@ -3877,6 +3877,10 @@ void btd_gatt_database_server_connected(struct btd_gatt_database *database, send_notification_to_device(state, state->pending); + state = find_device_state(database, &bdaddr, bdaddr_type); + if (!state || !state->pending) + return; + free(state->pending->value); free(state->pending); state->pending = NULL; -- 2.35.1
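Review bot: the re-lookup `state = find_device_state(database, &bdaddr, bdaddr_type);` inserted right after `send_notification_to_device(state, state->pending);` is the whole fix, but nothing in the hunk says why the first `state` pointer may be stale after that call; please add a one-line comment above it (for example, that sending the notification can run a path that removes the device and frees its state) so a later cleanup does not drop the "redundant" lookup and reintroduce the use-after-free. The early `return` on `!state || !state->pending` is otherwise sound: when the state is gone or `pending` is already NULL there is nothing left for this function to free, so the following `free(state->pending->value)` / `free(state->pending)` pair can no longer run twice on the same allocation. It would also help reviewers if the commit message named the removal path that the static analyser flagged, since `bdaddr` and `bdaddr_type` come from earlier in the function and are not visible in this context.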