
[v2] a2dp: Check for valid SEP in a2dp_reconfigure

Message ID 20200503110629.11068-1-pali@kernel.org (mailing list archive)
State New, archived

Commit Message

Pali Rohár May 3, 2020, 11:06 a.m. UTC
a2dp_reconfigure() is called as a callback, by which time the local and remote
SEP do not have to be valid anymore; sep->lsep can be NULL.

This change fixes a bluetoothd daemon crash (dereferencing NULL sep->lsep)
when the audio agent disconnects in the middle of the reconfigure call.
---
 profiles/audio/a2dp.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

Comments

Luiz Augusto von Dentz May 4, 2020, 11:39 p.m. UTC | #1
Hi Pali,

On Sun, May 3, 2020 at 4:06 AM Pali Rohár <pali@kernel.org> wrote:
>
> a2dp_reconfigure() is called as callback when local and remote SEP does not
> have to be valid anymore, sep->lsep can be NULL.
>
> This change fixes bluetoothd daemon crash (dereferencing NULL sep->lsep)
> when audio agent disconnect in the middle of the reconfigure call.
> ---
>  profiles/audio/a2dp.c | 12 ++++++++++++
>  1 file changed, 12 insertions(+)
>
> diff --git a/profiles/audio/a2dp.c b/profiles/audio/a2dp.c
> index c31aaf187..a2ce3204d 100644
> --- a/profiles/audio/a2dp.c
> +++ b/profiles/audio/a2dp.c
> @@ -1178,6 +1178,12 @@ static gboolean a2dp_reconfigure(gpointer data)
>         struct avdtp_media_codec_capability *rsep_codec;
>         struct avdtp_service_capability *cap;
>
> +       if (!sep->lsep) {
> +               error("no valid local SEP");
> +               posix_err = -EINVAL;
> +               goto failed;
> +       }
> +
>         if (setup->rsep) {
>                 cap = avdtp_get_codec(setup->rsep->sep);
>                 rsep_codec = (struct avdtp_media_codec_capability *) cap->data;
> @@ -1186,6 +1192,12 @@ static gboolean a2dp_reconfigure(gpointer data)
>         if (!setup->rsep || sep->codec != rsep_codec->media_codec_type)
>                 setup->rsep = find_remote_sep(setup->chan, sep);
>
> +       if (!setup->rsep) {
> +               error("unable to find remote SEP");
> +               posix_err = -EINVAL;
> +               goto failed;
> +       }
> +
>         posix_err = avdtp_set_configuration(setup->session, setup->rsep->sep,
>                                                 sep->lsep,
>                                                 setup->caps,
> --
> 2.20.1

Applied, thanks.

Patch

diff --git a/profiles/audio/a2dp.c b/profiles/audio/a2dp.c
index c31aaf187..a2ce3204d 100644
--- a/profiles/audio/a2dp.c
+++ b/profiles/audio/a2dp.c
@@ -1178,6 +1178,12 @@  static gboolean a2dp_reconfigure(gpointer data)
 	struct avdtp_media_codec_capability *rsep_codec;
 	struct avdtp_service_capability *cap;
 
+	if (!sep->lsep) {
+		error("no valid local SEP");
+		posix_err = -EINVAL;
+		goto failed;
+	}
+
 	if (setup->rsep) {
 		cap = avdtp_get_codec(setup->rsep->sep);
 		rsep_codec = (struct avdtp_media_codec_capability *) cap->data;
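Review bot: `cap->data` is still read unchecked on the context line right after the new guard, so a NULL return from `avdtp_get_codec(setup->rsep->sep)` would crash bluetoothd in the same way this patch is meant to prevent. Whether that call can return NULL for a remote SEP with no codec capability is not visible in this hunk, but a matching guard is cheap: `if (!cap) { posix_err = -EINVAL; goto failed; }`. The new `!sep->lsep` test also only catches a pointer that was reset to NULL, so it relies on the teardown path clearing `lsep` (and `setup->rsep`) rather than leaving them dangling. That teardown code, the start of a2dp_reconfigure() and the `failed` label are all outside the hunk.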
@@ -1186,6 +1192,12 @@  static gboolean a2dp_reconfigure(gpointer data)
 	if (!setup->rsep || sep->codec != rsep_codec->media_codec_type)
 		setup->rsep = find_remote_sep(setup->chan, sep);
 
+	if (!setup->rsep) {
+		error("unable to find remote SEP");
+		posix_err = -EINVAL;
+		goto failed;
+	}
+
 	posix_err = avdtp_set_configuration(setup->session, setup->rsep->sep,
 						sep->lsep,
 						setup->caps,
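Review bot: The new `!setup->rsep` guard carries no comment saying why `find_remote_sep()` can come back empty at this point, so a reader cannot tell an expected disconnect race from a logic error. Going by the commit message, a one-line comment would do, e.g. `/* remote SEP may be gone if the peer or agent went away while the reconfigure was pending */`. Both new `error()` strings are also bare text with no device or codec identifier, which makes a crash-avoidance path like this hard to correlate with a specific session in the daemon log. If an identifier is in scope here, adding it to the message would help triage. The avdtp_set_configuration() call and the rest of the function continue past the end of the hunk.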