setup_free() may re-enable the CIG update callback. If this occurs in bap_data_free(), the callback crashes with UAF. Fix by moving clearing the callback after all setups are freed. --- profiles/audio/bap.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/profiles/audio/bap.c b/profiles/audio/bap.c index 3dc4cd92e..2c7942843 100644 --- a/profiles/audio/bap.c +++ b/profiles/audio/bap.c @@ -189,9 +189,6 @@ static void bap_data_free(struct bap_data *data) if (data->io_id) g_source_remove(data->io_id); - if (data->cig_update_id) - g_source_remove(data->cig_update_id); - if (data->service && btd_service_get_user_data(data->service) == data) btd_service_set_user_data(data->service, NULL); @@ -204,6 +201,10 @@ static void bap_data_free(struct bap_data *data) bt_bap_state_unregister(data->bap, data->state_id); bt_bap_pac_unregister(data->bap, data->pac_id); bt_bap_unref(data->bap); + + if (data->cig_update_id) + g_source_remove(data->cig_update_id); + free(data); } -- 2.50.1
