Message ID | 20231219124916.44173-2-vlad.pruteanu@nxp.com |
---|---|
State | New |
Series | transport: Check if transport is bcast before it's cast to bap_transport |
This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=811394

---Test result---

Test Summary:
CheckPatch PASS 0.48 seconds
GitLint PASS 0.66 seconds
BuildEll PASS 24.09 seconds
BluezMake PASS 724.68 seconds
MakeCheck PASS 12.23 seconds
MakeDistcheck PASS 161.22 seconds
CheckValgrind PASS 221.22 seconds
CheckSmatch PASS 329.59 seconds
bluezmakeextell PASS 107.36 seconds
IncrementalBuild PASS 691.09 seconds
ScanBuild PASS 949.26 seconds

---
Regards,
Linux Bluetooth

Hi Vlad,
This appears to fix the use-after-free in bluez 5.71. Thanks.
Tested-by: Ronan Pigott <ronan@rjp.ie>
Cheers,
Ronan
diff --git a/profiles/audio/transport.c b/profiles/audio/transport.c index e2073451c..555da99a8 100644 --- a/profiles/audio/transport.c +++ b/profiles/audio/transport.c @@ -643,7 +643,6 @@ static DBusMessage *release(DBusConnection *conn, DBusMessage *msg, { struct media_transport *transport = data; struct media_owner *owner = transport->owner; - struct bap_transport *bap = transport->data; const char *sender; struct media_request *req; guint id; @@ -675,9 +674,17 @@ static DBusMessage *release(DBusConnection *conn, DBusMessage *msg, req = media_request_create(msg, id); media_owner_add(owner, req); - if (bt_bap_stream_get_type(bap->stream) == - BT_BAP_STREAM_TYPE_BCAST) { - bap_disable_complete(bap->stream, 0x00, 0x00, owner); + if (!strcmp(media_endpoint_get_uuid(transport->endpoint), + BAA_SERVICE_UUID) + || !strcmp(media_endpoint_get_uuid(transport->endpoint), + BCAA_SERVICE_UUID)) { + + struct bap_transport *bap = transport->data; + + if (bt_bap_stream_get_type(bap->stream) == + BT_BAP_STREAM_TYPE_BCAST) { + bap_disable_complete(bap->stream, 0x00, 0x00, owner); + } } return NULL;
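
Review bot: In the second hunk of release(), the new condition calls media_endpoint_get_uuid(transport->endpoint) twice and hands each result straight to strcmp(); read it once into a local const char *uuid and, if that getter can ever return NULL, test for that before comparing. The condition also decides what transport->data points to from the endpoint UUID at the call site, which is the same knowledge the removed unconditional "struct bap_transport *bap = transport->data;" got wrong, so a short comment or a small predicate helper stating that only BAA_SERVICE_UUID and BCAA_SERVICE_UUID endpoints carry a struct bap_transport would make the invariant explicit for any other code that reads transport->data. With that guard in place the inner bt_bap_stream_get_type() check still dereferences bap->stream without checking it, so it is worth confirming that a BAP transport always has a stream by the time release() can be called.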