Stream owned metadata pointers may be invalidated in bt_bap_stream
operations. Just pass in NULL to keep the current value.
Fixes:
ERROR: AddressSanitizer: heap-use-after-free
READ of size 8 at 0x7b86a76f5d18 thread T0
#0 0x000000836745 in util_iov_dup src/shared/util.c:353
#1 0x0000008ea96b in bap_stream_metadata src/shared/bap.c:1991
#2 0x0000008ebfbe in bap_ucast_enable src/shared/bap.c:2072
#3 0x0000009226e7 in bt_bap_stream_enable src/shared/bap.c:6392
#4 0x00000044037d in transport_bap_resume profiles/audio/transport.c:1981
freed by thread T0 here:
#0 0x7f66a92e5bcb in free.part.0 (/lib64/libasan.so.8+0xe5bcb)
#1 0x000000837002 in util_iov_free src/shared/util.c:392
#2 0x0000008ea94e in bap_stream_metadata src/shared/bap.c:1990
#3 0x0000008ebfbe in bap_ucast_enable src/shared/bap.c:2072
---
Notes:
The other option is to specify semantics as in v1. In that case,
because other bt_bap functions invalidate only if util_iov_memcmp() is
different, it's best that it's the same and not only pointer comparison.
profiles/audio/transport.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/profiles/audio/transport.c b/profiles/audio/transport.c
index 9bf3b47ee..4800570d9 100644
--- a/profiles/audio/transport.c
+++ b/profiles/audio/transport.c
@@ -1957,7 +1957,6 @@ static guint transport_bap_resume(struct media_transport *transport,
struct media_owner *owner)
{
struct bap_transport *bap = transport->data;
- struct iovec *meta;
guint id;
if (!bap->stream)
@@ -1977,8 +1976,7 @@ static guint transport_bap_resume(struct media_transport *transport,
return bap->resume_id;
}
- meta = bt_bap_stream_get_metadata(bap->stream);
- id = bt_bap_stream_enable(bap->stream, bap->linked, meta,
+ id = bt_bap_stream_enable(bap->stream, bap->linked, NULL,
bap_enable_complete, owner);
if (!id)
return 0;
--
2.49.0
