Streams are freed by bap_detach() without state change callback. Clear data->server_streams explicitly before bap_detach(). Fixes UAF due to stale stream pointers in server_streams.
---
 profiles/audio/bap.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/profiles/audio/bap.c b/profiles/audio/bap.c
index a75919102..c463e6a8a 100644
--- a/profiles/audio/bap.c
+++ b/profiles/audio/bap.c
@@ -3768,6 +3768,9 @@ static int bap_disconnect(struct btd_service *service)
 	queue_remove_all(data->snks, ep_remove, NULL, NULL);
 	queue_remove_all(data->srcs, ep_remove, NULL, NULL);
+	queue_destroy(data->server_streams, NULL);
+	data->server_streams = NULL;
+
 	bt_bap_detach(data->bap);
 	btd_service_disconnecting_complete(service, 0);
-- 
2.50.1
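Review bot: The two added lines encode an ordering dependency on bt_bap_detach() that is only explained in the commit message, not at the call site, so a later reorder could silently reintroduce the dangling pointers this fixes; add a why-comment above the queue_destroy(), e.g. `/* bt_bap_detach() frees the streams without a state callback; drop our references first so server_streams never holds freed pointers */`. Setting data->server_streams to NULL also assumes every other user of that queue (pushes from stream callbacks, removal in the data free path) tolerates a NULL queue — that looks like the case for the shared queue helpers, but it is worth confirming, and confirming that nothing can add a stream between this point and the detach call. bap_disconnect's body starts and ends outside the hunk.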