Hi Pauli, On Thu, Jun 19, 2025 at 2:53 PM Pauli Virtanen <pav@xxxxxx> wrote: > > If metadata is same, it should not be freed as it may be stream's own. > > Fixes: > > ERROR: AddressSanitizer: heap-use-after-free > READ of size 8 at 0x7b86a76f5d18 thread T0 > #0 0x000000836745 in util_iov_dup src/shared/util.c:353 > #1 0x0000008ea96b in bap_stream_metadata src/shared/bap.c:1991 > #2 0x0000008ebfbe in bap_ucast_enable src/shared/bap.c:2072 > #3 0x0000009226e7 in bt_bap_stream_enable src/shared/bap.c:6392 > #4 0x00000044037d in transport_bap_resume profiles/audio/transport.c:1981 > freed by thread T0 here: > #0 0x7f66a92e5bcb in free.part.0 (/lib64/libasan.so.8+0xe5bcb) > #1 0x000000837002 in util_iov_free src/shared/util.c:392 > #2 0x0000008ea94e in bap_stream_metadata src/shared/bap.c:1990 > #3 0x0000008ebfbe in bap_ucast_enable src/shared/bap.c:2072 > --- > src/shared/bap.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/src/shared/bap.c b/src/shared/bap.c > index 8d1c69d47..070f4fc05 100644 > --- a/src/shared/bap.c > +++ b/src/shared/bap.c > @@ -1986,7 +1986,7 @@ static unsigned int bap_stream_metadata(struct bt_bap_stream *stream, > iov[0].iov_base = &meta; > iov[0].iov_len = sizeof(meta); > > - if (data) { > + if (data && util_iov_memcmp(stream->meta, data)) { > util_iov_free(stream->meta, 1); > stream->meta = util_iov_dup(data, 1); > } This makes sense but I do wonder if we shouldn't just be checking if data and stream->meta pointer are the same, or perhaps we shouldn't be passing its own stream->meta to bap_stream_metadata since that internally already uses it anyway. > -- > 2.49.0 > > -- Luiz Augusto von Dentz
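Review bot: the new condition in bap_stream_metadata guards the aliasing case shown in the ASan trace (util_iov_free at bap.c:1990 followed by util_iov_dup of the same buffer at bap.c:1991) by comparing contents rather than pointers, which has two side effects worth deciding on explicitly: a distinct but byte-identical buffer now also skips the free-and-dup (harmless, but not the stated intent), and whether the update runs for a stream whose meta is still NULL depends entirely on how util_iov_memcmp treats a NULL iov, which the hunk does not show. If the bug is that data may point at stream->meta itself, `if (data && data != stream->meta) {` states that directly and has no NULL ambiguity; if the memcmp form is kept, please confirm the NULL case and add a comment above the check saying that data may alias stream->meta, since nothing in the visible code makes that possibility obvious to the next reader.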