From: Ildar Kamaletdinov
To:
CC: Ildar Kamaletdinov
Subject: [PATCH BlueZ 7/7] gatt: Fix double free and freed memory dereference
Date: Fri, 1 Apr 2022 13:27:57 +0300
Message-ID: <20220401102757.3960551-8-i.kamaletdinov@omp.ru>
In-Reply-To: <20220401102757.3960551-1-i.kamaletdinov@omp.ru>
References: <20220401102757.3960551-1-i.kamaletdinov@omp.ru>
X-Mailing-List: linux-bluetooth@vger.kernel.org

If the device no longer exists or is not paired when the notification is
sent, it is possible to get a double free and a dereference of already
freed memory. To avoid this we need to recheck the state of the device
after sending the notification.

Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool.
---
 src/gatt-database.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/gatt-database.c b/src/gatt-database.c
index d6c94058c..d32f616a9 100644
--- a/src/gatt-database.c
+++ b/src/gatt-database.c
@@ -3877,6 +3877,10 @@ void btd_gatt_database_server_connected(struct btd_gatt_database *database,
 
 	send_notification_to_device(state, state->pending);
 
+	state = find_device_state(database, &bdaddr, bdaddr_type);
+	if (!state || !state->pending)
+		return;
+
 	free(state->pending->value);
 	free(state->pending);
 	state->pending = NULL;
-- 
2.35.1
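Review bot: the second `find_device_state(database, &bdaddr, bdaddr_type)` call, placed directly after `send_notification_to_device(state, state->pending);`, looks redundant to anyone reading the function without this commit message and is at risk of being removed in a later cleanup; add a one-line comment above it stating that delivering the notification can free the device state (and with it `state->pending`), so `state` must not be touched again without a fresh lookup. Note also that `!state->pending` only proves that some pending entry exists, not that it is the one just sent: if a new pending notification can be queued while the first is being delivered, `free(state->pending->value)` would discard an unsent entry. Saving the original `state->pending` pointer in a local before the call and comparing it (not dereferencing it) after the re-lookup would make the free conditional on the same entry.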