[v2] a2dp: Check for valid SEP in a2dp_reconfigure

Message ID	20200503110629.11068-1-pali@kernel.org
State	New
Headers	show Return-Path: <SRS0=w4jJ=6R=vger.kernel.org=linux-bluetooth-owner@kernel.org> From: =?utf-8?q?Pali_Roh=C3=A1r?= <pali@kernel.org> To: linux-bluetooth@vger.kernel.org Cc: Luiz Augusto von Dentz <luiz.dentz@gmail.com> Subject: [PATCH v2] a2dp: Check for valid SEP in a2dp_reconfigure Date: Sun, 3 May 2020 13:06:29 +0200 Message-Id: <20200503110629.11068-1-pali@kernel.org> In-Reply-To: <5ea9d716.1c69fb81.92030.0ba2@mx.google.com> References: <5ea9d716.1c69fb81.92030.0ba2@mx.google.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-bluetooth-owner@vger.kernel.org Precedence: bulk
Series	[v2] a2dp: Check for valid SEP in a2dp_reconfigure \| expand [v2] a2dp: Check for valid SEP in a2dp_reconfigure

Message ID

20200503110629.11068-1-pali@kernel.org

State

New

Headers

From: =?utf-8?q?Pali_Roh=C3=A1r?= <pali@kernel.org>
To: linux-bluetooth@vger.kernel.org
Cc: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
Subject: [PATCH v2] a2dp: Check for valid SEP in a2dp_reconfigure
Date: Sun,  3 May 2020 13:06:29 +0200
Message-Id: <20200503110629.11068-1-pali@kernel.org>
In-Reply-To: <5ea9d716.1c69fb81.92030.0ba2@mx.google.com>
References: <5ea9d716.1c69fb81.92030.0ba2@mx.google.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-bluetooth-owner@vger.kernel.org
Precedence: bulk

Series

[v2] a2dp: Check for valid SEP in a2dp_reconfigure | expand

Commit Message

Pali Rohár May 3, 2020, 11:06 a.m. UTC

a2dp_reconfigure() is called as callback when local and remote SEP does not
have to be valid anymore, sep->lsep can be NULL.

This change fixes bluetoothd daemon crash (dereferencing NULL sep->lsep)
when audio agent disconnect in the middle of the reconfigure call.
---
 profiles/audio/a2dp.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/profiles/audio/a2dp.c b/profiles/audio/a2dp.c
index c31aaf187..a2ce3204d 100644
--- a/profiles/audio/a2dp.c
+++ b/profiles/audio/a2dp.c
@@ -1178,6 +1178,12 @@  static gboolean a2dp_reconfigure(gpointer data)
 	struct avdtp_media_codec_capability *rsep_codec;
 	struct avdtp_service_capability *cap;
 
+	if (!sep->lsep) {
+		error("no valid local SEP");
+		posix_err = -EINVAL;
+		goto failed;
+	}
+
 	if (setup->rsep) {
 		cap = avdtp_get_codec(setup->rsep->sep);
 		rsep_codec = (struct avdtp_media_codec_capability *) cap->data;
@@ -1186,6 +1192,12 @@  static gboolean a2dp_reconfigure(gpointer data)
 	if (!setup->rsep || sep->codec != rsep_codec->media_codec_type)
 		setup->rsep = find_remote_sep(setup->chan, sep);
 
+	if (!setup->rsep) {
+		error("unable to find remote SEP");
+		posix_err = -EINVAL;
+		goto failed;
+	}
+
 	posix_err = avdtp_set_configuration(setup->session, setup->rsep->sep,
 						sep->lsep,
 						setup->caps,

[v2] a2dp: Check for valid SEP in a2dp_reconfigure

Commit Message

Patch