Stream owned metadata pointers may be invalidated in bt_bap_stream
operations. Callers should make copies and not rely on details of their
invalidation semantics.
Fixes:
ERROR: AddressSanitizer: heap-use-after-free
READ of size 8 at 0x7b86a76f5d18 thread T0
#0 0x000000836745 in util_iov_dup src/shared/util.c:353
#1 0x0000008ea96b in bap_stream_metadata src/shared/bap.c:1991
#2 0x0000008ebfbe in bap_ucast_enable src/shared/bap.c:2072
#3 0x0000009226e7 in bt_bap_stream_enable src/shared/bap.c:6392
#4 0x00000044037d in transport_bap_resume profiles/audio/transport.c:1981
freed by thread T0 here:
#0 0x7f66a92e5bcb in free.part.0 (/lib64/libasan.so.8+0xe5bcb)
#1 0x000000837002 in util_iov_free src/shared/util.c:392
#2 0x0000008ea94e in bap_stream_metadata src/shared/bap.c:1990
#3 0x0000008ebfbe in bap_ucast_enable src/shared/bap.c:2072
---
Notes:
The other option is to do like in v1 and specify the semantics. In that
case, it's best to be the same as in the other bt_bap functions, which
use util_iov_memcmp.
profiles/audio/transport.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/profiles/audio/transport.c b/profiles/audio/transport.c
index 9bf3b47ee..62abd83d7 100644
--- a/profiles/audio/transport.c
+++ b/profiles/audio/transport.c
@@ -1977,9 +1977,10 @@ static guint transport_bap_resume(struct media_transport *transport,
return bap->resume_id;
}
- meta = bt_bap_stream_get_metadata(bap->stream);
+ meta = util_iov_dup(bt_bap_stream_get_metadata(bap->stream), 1);
id = bt_bap_stream_enable(bap->stream, bap->linked, meta,
bap_enable_complete, owner);
+ util_iov_free(meta, 1);
if (!id)
return 0;
--
2.49.0
