Message ID | 20200324112129.Bluez.v2.1.I6c78c0eb9826eb17c944c4903132ee75c1324136@changeid (mailing list archive) |
---|---|
State | Accepted |
Delegated to: | Luiz Von Dentz |
Series | [Bluez,v2] avdtp: Fix crashes in avdtp_abort |
Hi Howard, On Mon, Mar 23, 2020 at 8:28 PM Howard Chung <howardchung@google.com> wrote: > > In avdtp_abort, if setup->stream is NULL, trying to access > stream->lsep will crash. > --- > > Changes in v2: > - Remove variable 'sep' > > profiles/audio/avdtp.c | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > > diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c > index 0e075f9ff..aabc5ce51 100644 > --- a/profiles/audio/avdtp.c > +++ b/profiles/audio/avdtp.c > @@ -3566,7 +3566,6 @@ int avdtp_abort(struct avdtp *session, struct avdtp_stream *stream) > { > struct seid_req req; > int ret; > - struct avdtp_local_sep *sep = stream->lsep; > > if (!stream && session->discover) { > /* Don't call cb since it being aborted */ > @@ -3581,7 +3580,7 @@ int avdtp_abort(struct avdtp *session, struct avdtp_stream *stream) > if (stream->lsep->state == AVDTP_STATE_ABORTING) > return -EINVAL; > > - avdtp_sep_set_state(session, sep, AVDTP_STATE_ABORTING); > + avdtp_sep_set_state(session, stream->lsep, AVDTP_STATE_ABORTING); > > if (session->req && stream == session->req->stream) > return cancel_request(session, ECANCELED); > -- > 2.25.1.696.g5e7596f4ac-goog Applied, thanks.
diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c index 0e075f9ff..aabc5ce51 100644 --- a/profiles/audio/avdtp.c +++ b/profiles/audio/avdtp.c @@ -3566,7 +3566,6 @@ int avdtp_abort(struct avdtp *session, struct avdtp_stream *stream) { struct seid_req req; int ret; - struct avdtp_local_sep *sep = stream->lsep; if (!stream && session->discover) { /* Don't call cb since it being aborted */ @@ -3581,7 +3580,7 @@ int avdtp_abort(struct avdtp *session, struct avdtp_stream *stream) if (stream->lsep->state == AVDTP_STATE_ABORTING) return -EINVAL; - avdtp_sep_set_state(session, sep, AVDTP_STATE_ABORTING); + avdtp_sep_set_state(session, stream->lsep, AVDTP_STATE_ABORTING); if (session->req && stream == session->req->stream) return cancel_request(session, ECANCELED);
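Review bot: The commit message names `setup->stream`, but the initializer removed in the first hunk (@@ -3566) dereferences the `stream` parameter of avdtp_abort(), and it did so above the `if (!stream && session->discover)` check. Suggest rewording the message to say that avdtp_abort() can be called with a NULL stream and that `stream->lsep` was read before the NULL check, so the crash and the fix can be understood from the log alone.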
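Review bot: In the second hunk (@@ -3581), `stream->lsep->state` and the new `stream->lsep` argument still dereference `stream` unconditionally, while the only NULL handling visible in this diff is `if (!stream && session->discover)`. If the lines between the two hunks do not already return for a NULL stream when `session->discover` is unset, add an explicit `if (!stream) return -EINVAL;` before the state check. If they do, a short comment stating where NULL is rejected would help the next reader.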