[BlueZ v2 1/2] mpris-proxy: Fix possible crash

Linux bluetooth development
 help / color / mirror / Atom feed

* [BlueZ v2 1/2] mpris-proxy: Fix possible crash
@ 2026-05-05 10:48 Bastien Nocera
  2026-05-05 10:48 ` [BlueZ v2 2/2] mpris-proxy: Avoid session->obex dereference Bastien Nocera
  2026-05-05 12:29 ` [BlueZ,v2,1/2] mpris-proxy: Fix possible crash bluez.test.bot
  0 siblings, 2 replies; 3+ messages in thread
From: Bastien Nocera @ 2026-05-05 10:48 UTC (permalink / raw)
  To: linux-bluetooth

find_player_by_obex() doesn't check whether session->obex is a valid
pointer before dereferecing it, but all code paths that assign it use
create_obex_session() to assign it, a function that can fail.

Check whether session->obex is null before dereferencing it.

 #0 find_player_by_obex at tools/mpris-proxy.c:2819
 #1 obex_property_changed at tools/mpris-proxy.c:2929
 #2 add_property at gdbus/client.c:373
 #3 update_properties at gdbus/client.c:399
 #5 properties_changed at gdbus/client.c:537
 #6 signal_filter at gdbus/watch.c:416
 #7 message_filter at gdbus/watch.c:566
 #10 message_dispatch at gdbus/mainloop.c:59
 #13 g_main_context_dispatch_unlocked at ../glib/gmain.c:4451
 #14 g_main_context_iterate_unlocked at ../glib/gmain.c:4516

Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2466640
---
Changes since v1:
- Fix missing space before = sign

 tools/mpris-proxy.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/tools/mpris-proxy.c b/tools/mpris-proxy.c
index 1d7a421e9278..eb607347aa32 100644
--- a/tools/mpris-proxy.c
+++ b/tools/mpris-proxy.c
@@ -2816,8 +2816,12 @@ static struct player *find_player_by_obex(const char *path)
 	for (l = players; l; l = l->next) {
 		struct player *player = l->data;
 		struct obex_session *session = player->obex;
-		const char *obex_path = g_dbus_proxy_get_path(session->obex);
+		const char *obex_path = NULL;
 
+		if (session == NULL)
+			continue;
+
+		obex_path = g_dbus_proxy_get_path(session->obex);
 		if (g_str_has_prefix(path, obex_path))
 			return player;
 	}
-- 
2.54.0


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* [BlueZ v2 2/2] mpris-proxy: Avoid session->obex dereference
  2026-05-05 10:48 [BlueZ v2 1/2] mpris-proxy: Fix possible crash Bastien Nocera
@ 2026-05-05 10:48 ` Bastien Nocera
  2026-05-05 12:29 ` [BlueZ,v2,1/2] mpris-proxy: Fix possible crash bluez.test.bot
  1 sibling, 0 replies; 3+ messages in thread
From: Bastien Nocera @ 2026-05-05 10:48 UTC (permalink / raw)
  To: linux-bluetooth

Protect against trying to access session->obex variable that might be
null after failure to create the session object.
---
 tools/mpris-proxy.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/tools/mpris-proxy.c b/tools/mpris-proxy.c
index eb607347aa32..b6fdf15da40b 100644
--- a/tools/mpris-proxy.c
+++ b/tools/mpris-proxy.c
@@ -1306,7 +1306,7 @@ static int parse_track_entry(DBusMessageIter *entry, const char *key,
 		const char *handle, *path;
 		char *filename, *uri;
 
-		if (!player || !player->obex)
+		if (!player || !player->obex || !player->obex->obex)
 			return -EINVAL;
 
 		path = g_dbus_proxy_get_path(player->obex->obex);
@@ -2614,9 +2614,13 @@ static void obex_get_image(struct player *player, const char *handle)
 	DBusMessage *msg;
 	DBusMessageIter iter, array;
 	struct obex_session *obex_session = player->obex;
-	const char *path = g_dbus_proxy_get_path(obex_session->obex);
+	const char *path;
 	char *filename;
 
+	if (!player->obex)
+		return;
+
+	path = g_dbus_proxy_get_path(obex_session->obex);
 	player->filename = g_strconcat(g_get_tmp_dir(), "/",
 				path + strlen(BLUEZ_OBEX_CLIENT_PATH "/"),
 				"-", handle, NULL);
@@ -2674,7 +2678,7 @@ static void device_property_changed(GDBusProxy *proxy, const char *name,
 			player->obex = NULL;
 	}
 
-	g_dbus_proxy_unref(session->obex);
+	g_clear_pointer(&session->obex, g_dbus_proxy_unref);
 	g_dbus_proxy_unref(session->device);
 	obex_sessions = g_slist_remove(obex_sessions, session);
 	g_free(session);
-- 
2.54.0


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* RE: [BlueZ,v2,1/2] mpris-proxy: Fix possible crash
  2026-05-05 10:48 [BlueZ v2 1/2] mpris-proxy: Fix possible crash Bastien Nocera
  2026-05-05 10:48 ` [BlueZ v2 2/2] mpris-proxy: Avoid session->obex dereference Bastien Nocera
@ 2026-05-05 12:29 ` bluez.test.bot
  1 sibling, 0 replies; 3+ messages in thread
From: bluez.test.bot @ 2026-05-05 12:29 UTC (permalink / raw)
  To: linux-bluetooth, hadess

[-- Attachment #1: Type: text/plain, Size: 826 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1089833

---Test result---

Test Summary:
CheckPatch                    PASS      0.97 seconds
GitLint                       PASS      0.66 seconds
BuildEll                      PASS      19.94 seconds
BluezMake                     PASS      644.19 seconds
CheckSmatch                   PASS      347.95 seconds
bluezmakeextell               PASS      180.52 seconds
IncrementalBuild              PASS      652.82 seconds
ScanBuild                     PASS      1007.53 seconds



https://github.com/bluez/bluez/pull/2098

---
Regards,
Linux Bluetooth


^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2026-05-05 12:29 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-05 10:48 [BlueZ v2 1/2] mpris-proxy: Fix possible crash Bastien Nocera
2026-05-05 10:48 ` [BlueZ v2 2/2] mpris-proxy: Avoid session->obex dereference Bastien Nocera
2026-05-05 12:29 ` [BlueZ,v2,1/2] mpris-proxy: Fix possible crash bluez.test.bot

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox