From 414c8650acfe871ea6ae860d7dca1b5fa9044b77 Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz
Date: Mon, 23 Jan 2023 13:27:14 -0800
Subject: [PATCH] bap: Fix not setting stream to NULL

If the stream state is idle the ep->stream shall be set to NULL otherwise it may be reused causing the following trace:

==32623==ERROR: AddressSanitizer: heap-use-after-free on address ... READ of size 8 at 0x60b000103550 thread T0
#0 0x7bf7b7 in bap_stream_valid src/shared/bap.c:4065
#1 0x7bf981 in bt_bap_stream_config src/shared/bap.c:4082
#2 0x51a7c8 in bap_config profiles/audio/bap.c:584
#3 0x71b907 in queue_foreach src/shared/queue.c:207
#4 0x51b61f in select_cb profiles/audio/bap.c:626
#5 0x4691ed in pac_select_cb profiles/audio/media.c:884
#6 0x4657ea in endpoint_reply profiles/audio/media.c:369

Fixes: https://github.com/bluez/bluez/issues/457#issuecomment-1399232486
---
 profiles/audio/bap.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/profiles/audio/bap.c b/profiles/audio/bap.c
index ae944b617b..8f24117681 100644
--- a/profiles/audio/bap.c
+++ b/profiles/audio/bap.c
@@ -998,9 +998,10 @@ static void bap_state(struct bt_bap_stream *stream, uint8_t old_state,
 switch (new_state) {
 case BT_BAP_STREAM_STATE_IDLE:
 /* Release stream if idle */
- if (ep)
+ if (ep) {
 bap_io_close(ep);
- else
+ ep->stream = NULL;
+ } else
 queue_remove(data->streams, stream);
 break;
 case BT_BAP_STREAM_STATE_CONFIG:
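Review bot: The new `} else` arm is left unbraced while the `if (ep) {` arm now has braces; in the kernel style this file follows, once one arm needs braces both should carry them, so the else branch should read `} else {` / `queue_remove(data->streams, stream);` / `}`. The `/* Release stream if idle */` comment no longer explains the second statement in that arm; extending it to say that the endpoint's reference is cleared because the stream is about to be freed (the heap-use-after-free in bap_stream_valid reported in the commit message) would keep the intent visible to the next reader. Ordering looks right as written, since `bap_io_close(ep)` runs before `ep->stream` is cleared, so the close path still sees the stream if it needs it; whether a stream that also sits in `data->streams` leaves a stale entry behind in the `ep` branch cannot be told from the hunk alone. bap_state's body begins before this hunk and continues past it.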