diff options
| author | Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | 2023-01-23 13:27:14 -0800 |
|---|---|---|
| committer | Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | 2023-01-23 13:27:14 -0800 |
| commit | 414c8650acfe871ea6ae860d7dca1b5fa9044b77 (patch) | |
| tree | f8e7794276c43dec355a47fd34e49150186c090d /profiles | |
| parent | d159973ecec8e65add01cb5ed8213e0ba8703965 (diff) | |
| download | bluez-414c8650acfe871ea6ae860d7dca1b5fa9044b77.tar.gz | |
bap: Fix not setting stream to NULL
If the stream state is idle the ep->stream shall be set to NULL
otherwise it may be reused causing the following trace:
==32623==ERROR: AddressSanitizer: heap-use-after-free on address ...
READ of size 8 at 0x60b000103550 thread T0
#0 0x7bf7b7 in bap_stream_valid src/shared/bap.c:4065
#1 0x7bf981 in bt_bap_stream_config src/shared/bap.c:4082
#2 0x51a7c8 in bap_config profiles/audio/bap.c:584
#3 0x71b907 in queue_foreach src/shared/queue.c:207
#4 0x51b61f in select_cb profiles/audio/bap.c:626
#5 0x4691ed in pac_select_cb profiles/audio/media.c:884
#6 0x4657ea in endpoint_reply profiles/audio/media.c:369
Fixes: https://github.com/bluez/bluez/issues/457#issuecomment-1399232486
Diffstat (limited to 'profiles')
| -rw-r--r-- | profiles/audio/bap.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/profiles/audio/bap.c b/profiles/audio/bap.c index ae944b617..8f2411768 100644 --- a/profiles/audio/bap.c +++ b/profiles/audio/bap.c @@ -998,9 +998,10 @@ static void bap_state(struct bt_bap_stream *stream, uint8_t old_state, switch (new_state) { case BT_BAP_STREAM_STATE_IDLE: /* Release stream if idle */ - if (ep) + if (ep) { bap_io_close(ep); - else + ep->stream = NULL; + } else queue_remove(data->streams, stream); break; case BT_BAP_STREAM_STATE_CONFIG: |