From: Matthias Gerstner <mgerstner@suse.de>
To: linux-bluetooth@vger.kernel.org
Subject: bluez: NULL pointer dereference in bluetooth-meshd org.bluez.mesh.Network1.Join
Date: Tue, 1 Oct 2019 14:57:21 +0200
Message-ID: <20191001125721.GE9771@f195.suse.de>
Hi,
in the context of a review of the bluetooth-meshd D-Bus service [1] I
noticed a segmentation fault due to a NULL pointer dereference. It can be
triggered in bluez version 5.51 via the following D-Bus call:
$ dbus-send --system --type=method_call --print-reply \
--dest=org.bluez.mesh /org/bluez/mesh org.bluez.mesh.Network1.Join \
objpath:/org/gnome/DisplayManager \
array:byte:1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16
After the D-Bus timeout, bluetooth-meshd will crash with the
following backtrace:
node_init_cb (node=0x0, agent=0x0) at mesh/mesh.c:359
359 reply = dbus_error(join_pending->msg, MESH_ERROR_FAILED,
(gdb) bt
user_data=0x5555555be170) at mesh/node.c:1760
dbus=<optimized out>) at ell/dbus.c:216
user_data=0x5555555a6e00) at ell/dbus.c:279
user_data=0x5555555a7ef0) at ell/io.c:126
at ell/main.c:642
at mesh/main.c:205
The reason is probably that the `join_pending` data structure has
already been freed in a different function.
[1]: https://bugzilla.suse.com/show_bug.cgi?id=1151518
Cheers
Matthias
--
Matthias Gerstner <matthias.gerstner@suse.de>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
https://www.suse.com/security
Phone: +49 911 740 53 290
GPG Key ID: 0x14C405C971923553
SUSE Software Solutions Germany GmbH
HRB 247165, AG München
Geschäftsführer: Felix Imendörffer
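To illustrate the failure pattern the report describes (a pending Join request released by one code path while a later asynchronous callback still dereferences it), here is an added, simplified C model; it is not bluez code. `join_start`, `join_release`, the `pending_join` struct, `last_reply` and the `CB_*` return codes are assumptions; `node_init_cb` and `join_pending` reuse the report's names only for readability.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the stale-pending-request pattern; not bluez code. */
enum { CB_OK = 0, CB_FAILED = 1, CB_NO_PENDING = 2 };

struct pending_join {
    char msg[64];              /* stands in for the saved D-Bus request message */
};

static struct pending_join *join_pending;   /* the single in-flight Join */
static char last_reply[96];                 /* what the "D-Bus reply" would carry */

/* Network1.Join arrives: remember the request so the async callback can answer it. */
int join_start(const char *request)
{
    if (join_pending)
        return -1;             /* a Join is already in progress: reject */
    join_pending = calloc(1, sizeof(*join_pending));
    if (!join_pending)
        return -1;
    snprintf(join_pending->msg, sizeof(join_pending->msg), "%s", request);
    return 0;
}

/* Release path (e.g. the D-Bus call timed out). Resetting the global to NULL
 * after free() is what lets a late callback notice the request is gone. */
void join_release(void)
{
    free(join_pending);
    join_pending = NULL;
}

/* Asynchronous completion callback. In the report, the equivalent of this
 * function reached join_pending->msg with node == agent == NULL after the
 * request had already been freed elsewhere. The NULL check below is the guard. */
int node_init_cb(void *node, void *agent)
{
    if (!join_pending)
        return CB_NO_PENDING;  /* nothing left to reply to; never touch freed state */
    if (!node || !agent) {
        snprintf(last_reply, sizeof(last_reply), "error: %s failed", join_pending->msg);
        join_release();
        return CB_FAILED;
    }
    snprintf(last_reply, sizeof(last_reply), "ok: %s", join_pending->msg);
    join_release();
    return CB_OK;
}

int has_pending(void) { return join_pending != NULL; }
const char *last_reply_text(void) { return last_reply; }
```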