[BlueZ] transport: fix crash when freeing transport

Message ID ee5b81f6306bb9ac014b02c028d159295acc469a.1718644267.git.pav@iki.fi
State New

Commit Message

Pauli Virtanen June 17, 2024, 5:11 p.m. UTC
Fix UAF by freeing transport->remote_endpoint in media_transport_free,
which also frees the struct (not in destroy after the struct is freed).

ERROR: AddressSanitizer: heap-use-after-free
READ of size 8 at 0x508000022ab8 thread T0
    #0 0x493624 in media_transport_destroy profiles/audio/transport.c:223
...
freed by thread T0 here:
    #1 0x7fb057d10294 in g_free (/lib64/libglib-2.0.so.0+0x5d294)
    #2 0x49dd2d in media_transport_free profiles/audio/transport.c:1276
    #3 0x7e0e99 in remove_interface gdbus/object.c:682
    #4 0x7e8f40 in g_dbus_unregister_interface gdbus/object.c:1430
    #5 0x4935a2 in media_transport_destroy profiles/audio/transport.c:220
---
 profiles/audio/transport.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

Patch

diff --git a/profiles/audio/transport.c b/profiles/audio/transport.c
index 0ce94bae3..922911cf3 100644
--- a/profiles/audio/transport.c
+++ b/profiles/audio/transport.c
@@ -220,9 +220,6 @@  void media_transport_destroy(struct media_transport *transport)
 	g_dbus_unregister_interface(btd_get_dbus_connection(), path,
 						MEDIA_TRANSPORT_INTERFACE);
 
-	if (transport->remote_endpoint)
-		g_free(transport->remote_endpoint);
-
 	g_free(path);
 }
 
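Review bot: after this removal, nothing in media_transport_destroy records that transport is already freed once g_dbus_unregister_interface() returns, which is what made the old read at transport.c:223 a use-after-free (the trace shows remove_interface calling media_transport_free from inside that call). Consider a one-line comment after the unregister call saying transport must not be dereferenced past that point, so a later change does not reintroduce a transport-> access here. The remaining g_free(path) is only safe if path is a private copy and not transport->path, because media_transport_free also frees transport->path; the hunk context does not show where path is assigned, so that is worth confirming.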
@@ -1271,6 +1268,7 @@  static void media_transport_free(void *data)
 	if (transport->ops && transport->ops->destroy)
 		transport->ops->destroy(transport->data);
 
+	g_free(transport->remote_endpoint);
 	g_free(transport->configuration);
 	g_free(transport->path);
 	g_free(transport);
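Review bot: the added g_free(transport->remote_endpoint) makes media_transport_free the only place this string is released, so any teardown path that does not reach this callback would now leak it where media_transport_destroy used to free it. The trace shows the callback being reached through g_dbus_unregister_interface and remove_interface; please state in the commit message whether every way of discarding a transport goes through that route. Dropping the NULL check is fine, since g_free accepts NULL and the line now matches the neighbouring g_free calls.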