* [bluez/bluez] 87ad4c: transport: fix crash when freeing transport
@ 2024-06-17 19:11 Pauli Virtanen
From: Pauli Virtanen @ 2024-06-17 19:11 UTC
To: linux-bluetooth
Branch: refs/heads/master
Home: https://github.com/bluez/bluez
Commit: 87ad4c66b934b1280bc8843589856313ef1bc912
https://github.com/bluez/bluez/commit/87ad4c66b934b1280bc8843589856313ef1bc912
Author: Pauli Virtanen <pav@iki.fi>
Date: 2024-06-17 (Mon, 17 Jun 2024)
Changed paths:
M profiles/audio/transport.c
Log Message:
-----------
transport: fix crash when freeing transport

Fix UAF by freeing transport->remote_endpoint in media_transport_free,
which also frees the struct (not in destroy after the struct is freed).

ERROR: AddressSanitizer: heap-use-after-free
READ of size 8 at 0x508000022ab8 thread T0
    #0 0x493624 in media_transport_destroy profiles/audio/transport.c:223
    ...
freed by thread T0 here:
    #1 0x7fb057d10294 in g_free (/lib64/libglib-2.0.so.0+0x5d294)
    #2 0x49dd2d in media_transport_free profiles/audio/transport.c:1276
    #3 0x7e0e99 in remove_interface gdbus/object.c:682
    #4 0x7e8f40 in g_dbus_unregister_interface gdbus/object.c:1430
    #5 0x4935a2 in media_transport_destroy profiles/audio/transport.c:220

Commit: 52bda9d45572ab4629bf2f686616c0398f489dad
https://github.com/bluez/bluez/commit/52bda9d45572ab4629bf2f686616c0398f489dad
Author: Pauli Virtanen <pav@iki.fi>
Date: 2024-06-17 (Mon, 17 Jun 2024)
Changed paths:
M src/shared/bap-defs.h
Log Message:
-----------
shared/bap: make BT_BAP_* direction defines valid bitmasks

The directions appear to be intended as bitmasks, as
bt_bap_stream_io_dir() will bitwise or linked stream directions.
Fix the defines to be separate bits.

Fixes confusion due to BT_BAP_BCAST_SOURCE == BT_BAP_SINK|BT_BAP_SOURCE,
which causes e.g. unicast transports to be in PENDING state after QoS
although this does not make sense for BAP unicast Client.

Compare: https://github.com/bluez/bluez/compare/7ff745c2bd0c...52bda9d45572
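
The teardown ordering from the first commit message (media_transport_destroy unregisters the interface, the unregister path runs media_transport_free, and destroy then reads the struct again), as an added C model that is not BlueZ code. The struct layout, the function names and the `alive` flag are assumptions made for the illustration; the flag quarantines the struct instead of freeing it, so the stale read can be counted the way AddressSanitizer flags it, without the demo itself touching freed memory.

```c
#include <stdio.h>
#include <stdlib.h>

struct transport {                 /* hypothetical model, not BlueZ's struct */
	int alive;                 /* cleared on "free": quarantine marker */
	char *remote_endpoint;     /* owned by the transport */
};

static int stale_reads;            /* reads of a transport after its free */

/* Checked accessor standing in for ASan's poisoned-memory check. */
static char *endpoint_of(struct transport *t)
{
	if (!t->alive)
		stale_reads++;
	return t->remote_endpoint;
}

/* Interface free callback: the last owner of the struct. */
static void transport_free(struct transport *t, int fixed)
{
	if (fixed) {               /* after the fix: members go with the struct */
		free(endpoint_of(t));
		t->remote_endpoint = NULL;
	}
	t->alive = 0;              /* quarantined so reuse can be detected */
}

/* Teardown entry point; unregistering the interface runs the free callback. */
static void transport_destroy(struct transport *t, int fixed)
{
	transport_free(t, fixed);  /* models the unregister call */
	if (!fixed)                /* before the fix: reads t after the free */
		free(endpoint_of(t));
}

/* Runs one teardown and returns how many stale reads it performed. */
int teardown_stale_reads(int fixed)
{
	struct transport *t = calloc(1, sizeof(*t));
	if (!t) return -1;
	t->alive = 1;
	t->remote_endpoint = malloc(16);   /* constructed sample allocation */
	stale_reads = 0;
	transport_destroy(t, fixed);
	free(t);                           /* release the quarantined struct */
	return stale_reads;
}
int main(void) { printf("before=%d after=%d\n", teardown_stale_reads(0), teardown_stale_reads(1)); return 0; }
```

In both orderings the endpoint is released exactly once; only the position of that release relative to the struct's free differs, which is why the defect shows up under a sanitizer rather than as a leak.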