a2dp: Fix crash when SEP codec has not been initialized

Message ID	20220325092706.17135-1-frederic.danis@collabora.com (mailing list archive)
State	Superseded
Headers	show Return-Path: <linux-bluetooth-owner@kernel.org> sender: fdanis) with ESMTPSA id 0859E1F45EF3 From: =?utf-8?q?Fr=C3=A9d=C3=A9ric_Danis?= <frederic.danis@collabora.com> To: linux-bluetooth@vger.kernel.org Subject: [PATCH] a2dp: Fix crash when SEP codec has not been initialized Date: Fri, 25 Mar 2022 10:27:06 +0100 Message-Id: <20220325092706.17135-1-frederic.danis@collabora.com> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit Precedence: bulk
Series	a2dp: Fix crash when SEP codec has not been initialized \| expand a2dp: Fix crash when SEP codec has not been initialized

Message ID

20220325092706.17135-1-frederic.danis@collabora.com (mailing list archive)

State

Superseded

Headers

From: =?utf-8?q?Fr=C3=A9d=C3=A9ric_Danis?=  <frederic.danis@collabora.com>
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH] a2dp: Fix crash when SEP codec has not been initialized
Date: Fri, 25 Mar 2022 10:27:06 +0100
Message-Id: <20220325092706.17135-1-frederic.danis@collabora.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

a2dp: Fix crash when SEP codec has not been initialized | expand

Checks

Context	Check	Description
tedd_an/pre-ci_am	success	Success
tedd_an/checkpatch	success	Checkpatch PASS
tedd_an/gitlint	success	Gitlint PASS
tedd_an/setupell	success	Setup ELL PASS
tedd_an/buildprep	success	Build Prep PASS
tedd_an/build	success	Build Configuration PASS
tedd_an/makecheck	success	Make Check PASS
tedd_an/makecheckvalgrind	success	Make Check PASS
tedd_an/makedistcheck	success	Make Distcheck PASS
tedd_an/build_extell	success	Build External ELL PASS
tedd_an/build_extell_make	success	Build Make with External ELL PASS

Context

Check

Description

tedd_an/pre-ci_am

success

Success

tedd_an/checkpatch

success

Checkpatch PASS

tedd_an/gitlint

success

Gitlint PASS

tedd_an/setupell

success

Setup ELL PASS

tedd_an/buildprep

success

Build Prep PASS

tedd_an/build

success

Build Configuration PASS

tedd_an/makecheck

success

Make Check PASS

tedd_an/makecheckvalgrind

success

Make Check PASS

tedd_an/makedistcheck

success

Make Distcheck PASS

tedd_an/build_extell

success

Build External ELL PASS

tedd_an/build_extell_make

success

Build Make with External ELL PASS

Commit Message

Frédéric Danis March 25, 2022, 9:27 a.m. UTC

If SEP has not been properly discovered avdtp_get_codec may return NULL
thus causing crashes such as when running AVRCP/TG/VLH/BI-01-C after
AVRCP/TG/RCR/BV-04-C
---
 profiles/audio/a2dp.c | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

Comments

bluez.test.bot@gmail.com March 25, 2022, 11:01 a.m. UTC | #1

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=626269

---Test result---

Test Summary:
CheckPatch                    PASS      1.59 seconds
GitLint                       PASS      1.10 seconds
Prep - Setup ELL              PASS      52.73 seconds
Build - Prep                  PASS      0.92 seconds
Build - Configure             PASS      10.45 seconds
Build - Make                  PASS      1841.06 seconds
Make Check                    PASS      12.83 seconds
Make Check w/Valgrind         PASS      544.85 seconds
Make Distcheck                PASS      292.04 seconds
Build w/ext ELL - Configure   PASS      10.58 seconds
Build w/ext ELL - Make        PASS      1798.41 seconds
Incremental Build with patchesPASS      0.00 seconds



---
Regards,
Linux Bluetooth

Luiz Augusto von Dentz March 25, 2022, 8:06 p.m. UTC | #2

Hi Frédéric,

On Fri, Mar 25, 2022 at 12:53 PM Frédéric Danis
<frederic.danis@collabora.com> wrote:
>
> If SEP has not been properly discovered avdtp_get_codec may return NULL
> thus causing crashes such as when running AVRCP/TG/VLH/BI-01-C after
> AVRCP/TG/RCR/BV-04-C
> ---
>  profiles/audio/a2dp.c | 17 ++++++++++++++---
>  1 file changed, 14 insertions(+), 3 deletions(-)
>
> diff --git a/profiles/audio/a2dp.c b/profiles/audio/a2dp.c
> index f761dbe54..7da008071 100644
> --- a/profiles/audio/a2dp.c
> +++ b/profiles/audio/a2dp.c
> @@ -1995,7 +1995,12 @@ static gboolean get_codec(const GDBusPropertyTable *property,
>  {
>         struct a2dp_remote_sep *sep = data;
>         struct avdtp_service_capability *cap = avdtp_get_codec(sep->sep);
> -       struct avdtp_media_codec_capability *codec = (void *) cap->data;
> +       struct avdtp_media_codec_capability *codec;
> +
> +       if (!cap)
> +               return FALSE;
> +
> +       codec = (void *) cap->data;
>
>         dbus_message_iter_append_basic(iter, DBUS_TYPE_BYTE,
>                                                 &codec->media_codec_type);
> @@ -2008,10 +2013,16 @@ static gboolean get_capabilities(const GDBusPropertyTable *property,
>  {
>         struct a2dp_remote_sep *sep = data;
>         struct avdtp_service_capability *service = avdtp_get_codec(sep->sep);
> -       struct avdtp_media_codec_capability *codec = (void *) service->data;
> -       uint8_t *caps = codec->data;
> +       struct avdtp_media_codec_capability *codec;
> +       uint8_t *caps;
>         DBusMessageIter array;
>
> +       if (!service)
> +               return FALSE;
> +
> +       codec = (void *) service->data;
> +       caps = codec->data;
> +
>         dbus_message_iter_open_container(iter, DBUS_TYPE_ARRAY,
>                                         DBUS_TYPE_BYTE_AS_STRING, &array);
>
> --
> 2.25.1

We should either have a .exist callback or not have the endpoint
registered if its codec is not available, I'm leaning toward the
latter given that it is useless to have the endpoint if it cannot be
used without the codec information.

Luiz Augusto von Dentz March 28, 2022, 6:16 p.m. UTC | #3

Hi Frédéric,

On Fri, Mar 25, 2022 at 1:06 PM Luiz Augusto von Dentz
<luiz.dentz@gmail.com> wrote:
>
> Hi Frédéric,
>
> On Fri, Mar 25, 2022 at 12:53 PM Frédéric Danis
> <frederic.danis@collabora.com> wrote:
> >
> > If SEP has not been properly discovered avdtp_get_codec may return NULL
> > thus causing crashes such as when running AVRCP/TG/VLH/BI-01-C after
> > AVRCP/TG/RCR/BV-04-C
> > ---
> >  profiles/audio/a2dp.c | 17 ++++++++++++++---
> >  1 file changed, 14 insertions(+), 3 deletions(-)
> >
> > diff --git a/profiles/audio/a2dp.c b/profiles/audio/a2dp.c
> > index f761dbe54..7da008071 100644
> > --- a/profiles/audio/a2dp.c
> > +++ b/profiles/audio/a2dp.c
> > @@ -1995,7 +1995,12 @@ static gboolean get_codec(const GDBusPropertyTable *property,
> >  {
> >         struct a2dp_remote_sep *sep = data;
> >         struct avdtp_service_capability *cap = avdtp_get_codec(sep->sep);
> > -       struct avdtp_media_codec_capability *codec = (void *) cap->data;
> > +       struct avdtp_media_codec_capability *codec;
> > +
> > +       if (!cap)
> > +               return FALSE;
> > +
> > +       codec = (void *) cap->data;
> >
> >         dbus_message_iter_append_basic(iter, DBUS_TYPE_BYTE,
> >                                                 &codec->media_codec_type);
> > @@ -2008,10 +2013,16 @@ static gboolean get_capabilities(const GDBusPropertyTable *property,
> >  {
> >         struct a2dp_remote_sep *sep = data;
> >         struct avdtp_service_capability *service = avdtp_get_codec(sep->sep);
> > -       struct avdtp_media_codec_capability *codec = (void *) service->data;
> > -       uint8_t *caps = codec->data;
> > +       struct avdtp_media_codec_capability *codec;
> > +       uint8_t *caps;
> >         DBusMessageIter array;
> >
> > +       if (!service)
> > +               return FALSE;
> > +
> > +       codec = (void *) service->data;
> > +       caps = codec->data;
> > +
> >         dbus_message_iter_open_container(iter, DBUS_TYPE_ARRAY,
> >                                         DBUS_TYPE_BYTE_AS_STRING, &array);
> >
> > --
> > 2.25.1
>
> We should either have a .exist callback or not have the endpoint
> registered if its codec is not available, I'm leaning toward the
> latter given that it is useless to have the endpoint if it cannot be
> used without the codec information.

In case you missed my response on slack, here is the suggestion change:

diff --git a/profiles/audio/a2dp.c b/profiles/audio/a2dp.c
index c3ac432a7..28654924b 100644
--- a/profiles/audio/a2dp.c
+++ b/profiles/audio/a2dp.c
@@ -2074,6 +2074,11 @@ static struct a2dp_remote_sep
*register_remote_sep(void *data, void *user_data)
        if (sep)
                return sep;

+       if (avdtp_get_codec(rsep)) {
+               error("Unable to get remote sep codec");
+               return NULL;
+       }
+
        sep = new0(struct a2dp_remote_sep, 1);
        sep->chan = chan;
        sep->sep = rsep;


>
>
>
> --
> Luiz Augusto von Dentz

diff --git a/profiles/audio/a2dp.c b/profiles/audio/a2dp.c
index f761dbe54..7da008071 100644
--- a/profiles/audio/a2dp.c
+++ b/profiles/audio/a2dp.c
@@ -1995,7 +1995,12 @@  static gboolean get_codec(const GDBusPropertyTable *property,
 {
 	struct a2dp_remote_sep *sep = data;
 	struct avdtp_service_capability *cap = avdtp_get_codec(sep->sep);
-	struct avdtp_media_codec_capability *codec = (void *) cap->data;
+	struct avdtp_media_codec_capability *codec;
+
+	if (!cap)
+		return FALSE;
+
+	codec = (void *) cap->data;
 
 	dbus_message_iter_append_basic(iter, DBUS_TYPE_BYTE,
 						&codec->media_codec_type);
@@ -2008,10 +2013,16 @@  static gboolean get_capabilities(const GDBusPropertyTable *property,
 {
 	struct a2dp_remote_sep *sep = data;
 	struct avdtp_service_capability *service = avdtp_get_codec(sep->sep);
-	struct avdtp_media_codec_capability *codec = (void *) service->data;
-	uint8_t *caps = codec->data;
+	struct avdtp_media_codec_capability *codec;
+	uint8_t *caps;
 	DBusMessageIter array;
 
+	if (!service)
+		return FALSE;
+
+	codec = (void *) service->data;
+	caps = codec->data;
+
 	dbus_message_iter_open_container(iter, DBUS_TYPE_ARRAY,
 					DBUS_TYPE_BYTE_AS_STRING, &array);