* [BlueZ v2 1/2] mpris-proxy: Fix possible crash @ 2026-05-05 10:48 Bastien Nocera 2026-05-05 10:48 ` [BlueZ v2 2/2] mpris-proxy: Avoid session->obex dereference Bastien Nocera 2026-05-05 12:29 ` [BlueZ,v2,1/2] mpris-proxy: Fix possible crash bluez.test.bot 0 siblings, 2 replies; 3+ messages in thread From: Bastien Nocera @ 2026-05-05 10:48 UTC (permalink / raw) To: linux-bluetooth find_player_by_obex() doesn't check whether session->obex is a valid pointer before dereferecing it, but all code paths that assign it use create_obex_session() to assign it, a function that can fail. Check whether session->obex is null before dereferencing it. #0 find_player_by_obex at tools/mpris-proxy.c:2819 #1 obex_property_changed at tools/mpris-proxy.c:2929 #2 add_property at gdbus/client.c:373 #3 update_properties at gdbus/client.c:399 #5 properties_changed at gdbus/client.c:537 #6 signal_filter at gdbus/watch.c:416 #7 message_filter at gdbus/watch.c:566 #10 message_dispatch at gdbus/mainloop.c:59 #13 g_main_context_dispatch_unlocked at ../glib/gmain.c:4451 #14 g_main_context_iterate_unlocked at ../glib/gmain.c:4516 Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2466640 --- Changes since v1: - Fix missing space before = sign tools/mpris-proxy.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/tools/mpris-proxy.c b/tools/mpris-proxy.c index 1d7a421e9278..eb607347aa32 100644 --- a/tools/mpris-proxy.c +++ b/tools/mpris-proxy.c @@ -2816,8 +2816,12 @@ static struct player *find_player_by_obex(const char *path) for (l = players; l; l = l->next) { struct player *player = l->data; struct obex_session *session = player->obex; - const char *obex_path = g_dbus_proxy_get_path(session->obex); + const char *obex_path = NULL; + if (session == NULL) + continue; + + obex_path = g_dbus_proxy_get_path(session->obex); if (g_str_has_prefix(path, obex_path)) return player; } -- 2.54.0 ^ permalink raw reply related [flat|nested] 3+ messages in thread
* [BlueZ v2 2/2] mpris-proxy: Avoid session->obex dereference 2026-05-05 10:48 [BlueZ v2 1/2] mpris-proxy: Fix possible crash Bastien Nocera @ 2026-05-05 10:48 ` Bastien Nocera 2026-05-05 12:29 ` [BlueZ,v2,1/2] mpris-proxy: Fix possible crash bluez.test.bot 1 sibling, 0 replies; 3+ messages in thread From: Bastien Nocera @ 2026-05-05 10:48 UTC (permalink / raw) To: linux-bluetooth Protect against trying to access session->obex variable that might be null after failure to create the session object. --- tools/mpris-proxy.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/tools/mpris-proxy.c b/tools/mpris-proxy.c index eb607347aa32..b6fdf15da40b 100644 --- a/tools/mpris-proxy.c +++ b/tools/mpris-proxy.c @@ -1306,7 +1306,7 @@ static int parse_track_entry(DBusMessageIter *entry, const char *key, const char *handle, *path; char *filename, *uri; - if (!player || !player->obex) + if (!player || !player->obex || !player->obex->obex) return -EINVAL; path = g_dbus_proxy_get_path(player->obex->obex); @@ -2614,9 +2614,13 @@ static void obex_get_image(struct player *player, const char *handle) DBusMessage *msg; DBusMessageIter iter, array; struct obex_session *obex_session = player->obex; - const char *path = g_dbus_proxy_get_path(obex_session->obex); + const char *path; char *filename; + if (!player->obex) + return; + + path = g_dbus_proxy_get_path(obex_session->obex); player->filename = g_strconcat(g_get_tmp_dir(), "/", path + strlen(BLUEZ_OBEX_CLIENT_PATH "/"), "-", handle, NULL); @@ -2674,7 +2678,7 @@ static void device_property_changed(GDBusProxy *proxy, const char *name, player->obex = NULL; } - g_dbus_proxy_unref(session->obex); + g_clear_pointer(&session->obex, g_dbus_proxy_unref); g_dbus_proxy_unref(session->device); obex_sessions = g_slist_remove(obex_sessions, session); g_free(session); -- 2.54.0 ^ permalink raw reply related [flat|nested] 3+ messages in thread
* RE: [BlueZ,v2,1/2] mpris-proxy: Fix possible crash 2026-05-05 10:48 [BlueZ v2 1/2] mpris-proxy: Fix possible crash Bastien Nocera 2026-05-05 10:48 ` [BlueZ v2 2/2] mpris-proxy: Avoid session->obex dereference Bastien Nocera @ 2026-05-05 12:29 ` bluez.test.bot 1 sibling, 0 replies; 3+ messages in thread From: bluez.test.bot @ 2026-05-05 12:29 UTC (permalink / raw) To: linux-bluetooth, hadess [-- Attachment #1: Type: text/plain, Size: 826 bytes --] This is automated email and please do not reply to this email! Dear submitter, Thank you for submitting the patches to the linux bluetooth mailing list. This is a CI test results with your patch series: PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1089833 ---Test result--- Test Summary: CheckPatch PASS 0.97 seconds GitLint PASS 0.66 seconds BuildEll PASS 19.94 seconds BluezMake PASS 644.19 seconds CheckSmatch PASS 347.95 seconds bluezmakeextell PASS 180.52 seconds IncrementalBuild PASS 652.82 seconds ScanBuild PASS 1007.53 seconds https://github.com/bluez/bluez/pull/2098 --- Regards, Linux Bluetooth ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-05-05 12:29 UTC | newest] Thread overview: 3+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2026-05-05 10:48 [BlueZ v2 1/2] mpris-proxy: Fix possible crash Bastien Nocera 2026-05-05 10:48 ` [BlueZ v2 2/2] mpris-proxy: Avoid session->obex dereference Bastien Nocera 2026-05-05 12:29 ` [BlueZ,v2,1/2] mpris-proxy: Fix possible crash bluez.test.bot
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox