Received: by 2002:a6b:fb09:0:0:0:0:0 with SMTP id h9csp456175iog; Wed, 15 Jun 2022 05:54:34 -0700 (PDT) X-Google-Smtp-Source: AGRyM1srQ3MAPPhYbKK/DD+QmOjrUph6ZUPbnU8QoVnifiGsQQfUpabpYpqRJc83xf+uo2c721/W X-Received: by 2002:a17:902:d652:b0:168:bffe:e5fe with SMTP id y18-20020a170902d65200b00168bffee5femr9143539plh.81.1655297674748; Wed, 15 Jun 2022 05:54:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1655297674; cv=none; d=google.com; s=arc-20160816; b=NW54x2uDlGUHPDqB0lVanGj/cdqdFVoeD4qdWuFGfHTKJGDrmEHDHzzi7N5BHSlZYl YBsYUKojvozVHQ4I7JpBxmb2LK1IOZvMFwUtVT4gD/PP/mpL1YJFspB+qF3X9t32koAO s0Wsiw/3DifzlU6iHMXxX6wvU7Ia6INgOxOQYIbYhi6boyjMFG8FTioPC5ek7WGz819K 2LWcmuTvdWShL/ZDzY/e+CZHEL6NfCl1iJhLCcBhiPj4sTIJEt4o14ZMc4k0YgQHYBR+ U4PZOzEljswushOXrOVeVgTHD8OuN2ezvYO9ozGPC80juJjgE4bje9UTzoOVIb25vpKX 4T5A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:feedback-id:content-transfer-encoding :mime-version:message-id:date:subject:cc:to:from; bh=OgA93kdRertztZCSGg8qNmsmZftfNp0Ggh3rbBmIaw4=; b=GRRPNit1cVhMsb3FPhaGLNnI0QX9yjdpx7Fs72fIdjIWwFuDa8LuQ2vsEu2BWqOB5V OJUIAjlo6NSuqHv77yAfxPu/V/b/0+qG1VjJluaKfjXB95m+K9Ufj5/ffumtPZV4b32l cVRK7iBDYC7qT8/Lxb23fZ8x/r473nZg2jsfYLUtdPTftajvpL78lolA+EVlYmc80JRa dTZv0dpsJFmzmsNGZ/OQTz48hUzq1zMJJI2uTt8+7JhtZlwvdpBjL11XQTW0W8jbrEeF B14Eswijamo8r0A3TJlh6YEHQpgSnyncqLs8QfyQvE5e34xY2lLBTuZRatVi42icCC6D PMVA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id a6-20020a1709027e4600b001641971151asi16446195pln.207.2022.06.15.05.54.08; Wed, 15 Jun 2022 05:54:34 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1348764AbiFOMuz (ORCPT + 99 others); Wed, 15 Jun 2022 08:50:55 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56924 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1348414AbiFOMuf (ORCPT ); Wed, 15 Jun 2022 08:50:35 -0400 Received: from smtpbg153.qq.com (smtpbg153.qq.com [13.245.218.24]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 06AA04F1FA for ; Wed, 15 Jun 2022 05:49:52 -0700 (PDT) X-QQ-mid: bizesmtp87t1655297385t6bj9g1x Received: from localhost.localdomain ( [113.57.152.160]) by bizesmtp.qq.com (ESMTP) with id ; Wed, 15 Jun 2022 20:49:21 +0800 (CST) X-QQ-SSF: 01400000002000C0E000B00A0000000 X-QQ-FEAT: Y/4E1fKPEOrnRwXjViLjC1WqysMj8XwXdfd30Noaod4CcrBtePKhe15poi/zK ySjYFtXGe0KSI7wzPkAIJQkVz1ECi7bL1VowB935hAn2GLD5F+GWNghzTSWyHQ5UGvyFS5M D20VuEruiX3LQxOKyMBNLa67MZ0J7OV0BbOGhvST1tf6GQZvq/x/hRc+6s2l88B7x9DMqSy OcHinYch6Pm6Nbdei49dyytDq+tOGYBeeA8vTPREiEwel089fFHVltP1xSSE+kRJ41HUEjz naqM+DGeX3Nd8j8TmxQQkZkG54+o8pT+7ykYPe5msfZ8AhdgPXUew4XbpGX14c3JYfNdcZc 5SEdYXm X-QQ-GoodBg: 2 From: Youwan Wang To: linux-bluetooth@vger.kernel.org Cc: Youwan Wang Subject: [PATCH] obexd: Fix crash of transfer pointer has being freed Date: Wed, 15 Jun 2022 20:49:02 +0800 Message-Id: <20220615124902.17347-1-wangyouwan@uniontech.com> X-Mailer: git-send-email 2.20.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-QQ-SENDSIZE: 520 Feedback-ID: bizesmtp:uniontech.com:qybgforeign:qybgforeign9 X-QQ-Bgrelay: 1 X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org PC1 -> PC2 in the process of transferring the file, PC2 terminate the reception. It is found that PC1 will receive the Rcvd Forbiden message. transfer_response func is called and go to failed: transfer_complete func is called and go to transfer_free Invalid read of size 8 at 0x129C9B: put_get_data (gobex-transfer.c:138) by 0x128675: get_body (gobex-packet.c:397) by 0x128675: g_obex_packet_encode (gobex-packet.c:451) by 0x1264ED: write_data (gobex.c:461) by 0x1264ED: write_data (gobex.c:431) by 0x49B7E97: g_main_context_dispatch () by 0x49B8287: ??? () by 0x49B8581: g_main_loop_run () by 0x120834: main (main.c:322) Address 0x7300028 is 56 bytes inside a block of size 64 free'd at 0x48369AB: free (vg_replace_malloc.c:530) by 0x12A404: transfer_response (gobex-transfer.c:245) by 0x126B02: handle_response (gobex.c:1128) by 0x127087: incoming_data (gobex.c:1373) by 0x49B7E97: g_main_context_dispatch () by 0x49B8287: ??? () by 0x49B8581: g_main_loop_run () by 0x120834: main (main.c:322) Block was alloc'd at at 0x4837B65: calloc (vg_replace_malloc.c:752) by 0x49BD9D8: g_malloc0 () by 0x129A49: transfer_new (gobex-transfer.c:258) by 0x12A612: g_obex_put_req_pkt (gobex-transfer.c:282) by 0x12A612: g_obex_put_req_pkt (gobex-transfer.c:271) by 0x145862: transfer_start_put (transfer.c:880) by 0x145862: obc_transfer_start (transfer.c:911) by 0x13B487: session_process_transfer (session.c:836) by 0x13C128: session_process_queue (session.c:887) by 0x13C128: session_process_queue (session.c:872) by 0x13C18F: session_process (session.c:820) by 0x49B7E97: g_main_context_dispatch (in /usr/lib/x86_64-linux-gnu/) by 0x49B8287: ??? (in /usr/lib/x86_64-linux-gnu/) by 0x49B8581: g_main_loop_run (in /usr/lib/x86_64-linux-gnu/) by 0x120834: main (main.c:322) --- gobex/gobex-transfer.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/gobex/gobex-transfer.c b/gobex/gobex-transfer.c index c94d018b2..8e97fc73e 100644 --- a/gobex/gobex-transfer.c +++ b/gobex/gobex-transfer.c @@ -197,6 +197,14 @@ static void transfer_response(GObex *obex, GError *err, GObexPacket *rsp, } rspcode = g_obex_packet_get_operation(rsp, &final); + if (rspcode == G_OBEX_RSP_FORBIDDEN) { + err = g_error_new(G_OBEX_ERROR, rspcode, "%s", + g_obex_strerror(rspcode)); + g_obex_debug(G_OBEX_DEBUG_ERROR, "%s", err->message); + g_error_free(err); + return; + } + if (rspcode != G_OBEX_RSP_SUCCESS && rspcode != G_OBEX_RSP_CONTINUE) { err = g_error_new(G_OBEX_ERROR, rspcode, "%s", g_obex_strerror(rspcode)); -- 2.20.1