bap: Fix not setting stream to NULL
If the stream state is idle the ep->stream shall be set to NULL
otherwise it may be reused causing the following trace:

==32623==ERROR: AddressSanitizer: heap-use-after-free on address ...
 READ of size 8 at 0x60b000103550 thread T0
    #0 0x7bf7b7 in bap_stream_valid src/shared/bap.c:4065
    #1 0x7bf981 in bt_bap_stream_config src/shared/bap.c:4082
    #2 0x51a7c8 in bap_config profiles/audio/bap.c:584
    #3 0x71b907 in queue_foreach src/shared/queue.c:207
    #4 0x51b61f in select_cb profiles/audio/bap.c:626
    #5 0x4691ed in pac_select_cb profiles/audio/media.c:884
    #6 0x4657ea in endpoint_reply profiles/audio/media.c:369

Fixes: bluez#457 (comment)
Vudentz committed Jan 23, 2023
1 parent d159973 commit 414c865
5 changes: 3 additions & 2 deletions profiles/audio/bap.c
@@ -998,9 +998,10 @@ static void bap_state(struct bt_bap_stream *stream, uint8_t old_state,
switch (new_state) {
case BT_BAP_STREAM_STATE_IDLE:
/* Release stream if idle */
if (ep)
if (ep) {
bap_io_close(ep);
else
ep->stream = NULL;
} else
queue_remove(data->streams, stream);
break;
case BT_BAP_STREAM_STATE_CONFIG:
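Review bot: in the BT_BAP_STREAM_STATE_IDLE case the `if (ep) {` arm is now braced while the `} else` arm is not; BlueZ follows the kernel coding style, which asks for braces on both arms once one of them needs them, so wrap `queue_remove(data->streams, stream);` in braces as well. It would also help the next reader to state, either in the commit message or in a comment next to `ep->stream = NULL;`, that a stream attached to an endpoint is only detached from that endpoint here and is never removed from `data->streams` in this arm, since the trace in the message shows the stale pointer being reached through the endpoint path and the reader has to work out for themselves that the queue path cannot hold the same dangling reference.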
