authorAbhay Maheta <abhay.maheshbhai.maheta@intel.com>2022-10-07 23:15:17 +0530
committerLuiz Augusto von Dentz <luiz.von.dentz@intel.com>2022-10-10 12:52:42 -0700
commit3da439ae3c76e5008d007c2c41f6e7e1828b7321 (patch)
treef26ca90727f837b3c6180768463a21b4a416adc4 /src
parentdabf32b313c1dbfcbb434778541e4ab03bb2121e (diff)
downloadbluez-3da439ae3c76e5008d007c2c41f6e7e1828b7321.tar.gz
shared/bap: Fixing memory overwrite during ASE Enable Operation
This fixes a memory overwrite during ASE Enable operation handling. It avoids a crash of bluetoothd if metadata larger than sizeof(size_t) is received. This also fixes storing the metadata into the stream structure.
Diffstat (limited to 'src')
-rw-r--r--src/shared/bap.c8
1 files changed, 6 insertions, 2 deletions
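--- a/src/shared/bap.c
+++ b/src/shared/bap.c
@@ -958,10 +958,14 @@ static void stream_notify_metadata(struct bt_bap_stream *stream)
 struct bt_ascs_ase_status *status;
 struct bt_ascs_ase_status_metadata *meta;
 size_t len;
+size_t meta_len = 0;
 DBG(stream->bap, "stream %p", stream);
-len = sizeof(*status) + sizeof(*meta) + sizeof(stream->meta->iov_len);
+if (stream->meta)
+meta_len = stream->meta->iov_len;
+
+len = sizeof(*status) + sizeof(*meta) + meta_len;
 status = malloc(len);
 memset(status, 0, len);
@@ -1743,7 +1747,7 @@ static uint8_t ep_enable(struct bt_bap_endpoint *ep, struct bt_bap *bap,
 return 0;
 }
-return stream_enable(ep->stream, iov, rsp);
+return stream_enable(ep->stream, &meta, rsp);
 }
 static uint8_t ascs_enable(struct bt_ascs *ascs, struct bt_bap *bap,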
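Review bot: In the first hunk (stream_notify_metadata), `status = malloc(len);` is still followed by `memset(status, 0, len);` with no NULL check, so an allocation failure — with `len` now driven by the received `stream->meta->iov_len` — dereferences NULL; add `if (!status) return;` between the two lines. The copy of the metadata bytes into the buffer happens after the end of the hunk and should use the same `meta_len` and be skipped when `stream->meta` is NULL, otherwise the length fix only covers the allocation; I cannot see that code here, so please confirm. In the second hunk, `&meta` points at a local of ep_enable declared outside the hunk, which is only safe if stream_enable copies the iovec contents rather than retaining the pointer — the description says the metadata is now stored in the stream structure, so it is worth confirming that this is a deep copy. Both enclosing functions start outside their hunks.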