summaryrefslogtreecommitdiff
path: root/profiles
diff options
context:
space:
mode:
authorLuiz Augusto von Dentz <luiz.von.dentz@intel.com>2022-03-24 14:32:11 -0700
committerLuiz Augusto von Dentz <luiz.von.dentz@intel.com>2022-03-28 10:51:27 -0700
commit18fc3abad28cccd2ac7e31963502973af8b86216 (patch)
treec40f92c819f9452e76c35d7c5fef262b1ca727aa /profiles
parent4fefa24097e45153f99cabbc70534d69a2a35ecd (diff)
downloadbluez-18fc3abad28cccd2ac7e31963502973af8b86216.tar.gz
a2dp: Don't initialize a2dp_sep->destroy until properly registered
On a2dp_add_sep if the record cannot be properly registred a2dp_unregister_sep would be called which would attempt to destroy the user_data causing the following backtrace: Invalid write of size 8 at 0x2F41EB: endpoint_init_a2dp_source (media.c:687) by 0x2F41EB: media_endpoint_create (media.c:1030) by 0x2F6713: register_endpoint (media.c:1155) by 0x46983F: process_message (object.c:246) by 0x4A574A8: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.19.14) by 0x45F0BF: message_dispatch (mainloop.c:59) by 0x495239A: ??? (in /usr/lib64/libglib-2.0.so.0.7000.4) by 0x495605E: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.7000.4) by 0x49AB2A7: ??? (in /usr/lib64/libglib-2.0.so.0.7000.4) by 0x4955772: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.7000.4) by 0x4CA924: mainloop_run (mainloop-glib.c:66) by 0x4CAE1B: mainloop_run_with_signal (mainloop-notify.c:188) by 0x2AE791: main (main.c:1258) Address 0x6e47a30 is 0 bytes inside a block of size 112 free'd at 0x48470E4: free (vg_replace_malloc.c:872) by 0x4957CDC: g_free (in /usr/lib64/libglib-2.0.so.0.7000.4) by 0x2C2D57: a2dp_unregister_sep (a2dp.c:2588) by 0x2D124C: a2dp_add_sep (a2dp.c:2697) by 0x2F41D5: endpoint_init_a2dp_source (media.c:687) by 0x2F41D5: media_endpoint_create (media.c:1030) by 0x2F6713: register_endpoint (media.c:1155) by 0x46983F: process_message (object.c:246) by 0x4A574A8: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.19.14) by 0x45F0BF: message_dispatch (mainloop.c:59) by 0x495239A: ??? (in /usr/lib64/libglib-2.0.so.0.7000.4) by 0x495605E: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.7000.4) by 0x49AB2A7: ??? (in /usr/lib64/libglib-2.0.so.0.7000.4)
Diffstat (limited to 'profiles')
-rw-r--r--profiles/audio/a2dp.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/profiles/audio/a2dp.c b/profiles/audio/a2dp.c
index f761dbe54..d66c22b2b 100644
--- a/profiles/audio/a2dp.c
+++ b/profiles/audio/a2dp.c
@@ -2668,8 +2668,6 @@ struct a2dp_sep *a2dp_add_sep(struct btd_adapter *adapter, uint8_t type,
sep->codec = codec;
sep->type = type;
sep->delay_reporting = delay_reporting;
- sep->user_data = user_data;
- sep->destroy = destroy;
if (type == AVDTP_SEP_TYPE_SOURCE) {
l = &server->sources;
@@ -2713,6 +2711,9 @@ struct a2dp_sep *a2dp_add_sep(struct btd_adapter *adapter, uint8_t type,
add:
*l = g_slist_append(*l, sep);
+ sep->user_data = user_data;
+ sep->destroy = destroy;
+
if (err)
*err = 0;
return sep;
View Lorry Controller Status