Fix UAF by freeing transport->remote_endpoint in media_transport_free, which also frees the struct (not in destroy after the struct is freed). ERROR: AddressSanitizer: heap-use-after-free READ of size 8 at 0x508000022ab8 thread T0 #0 0x493624 in media_transport_destroy profiles/audio/transport.c:223 ... freed by thread T0 here: #1 0x7fb057d10294 in g_free (/lib64/libglib-2.0.so.0+0x5d294) #2 0x49dd2d in media_transport_free profiles/audio/transport.c:1276 #3 0x7e0e99 in remove_interface gdbus/object.c:682 #4 0x7e8f40 in g_dbus_unregister_interface gdbus/object.c:1430 #5 0x4935a2 in media_transport_destroy profiles/audio/transport.c:220
---
 profiles/audio/transport.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/profiles/audio/transport.c b/profiles/audio/transport.c
index 0ce94bae3..922911cf3 100644
--- a/profiles/audio/transport.c
+++ b/profiles/audio/transport.c
@@ -220,9 +220,6 @@ void media_transport_destroy(struct media_transport *transport)
 g_dbus_unregister_interface(btd_get_dbus_connection(), path,
 MEDIA_TRANSPORT_INTERFACE);

- if (transport->remote_endpoint)
- g_free(transport->remote_endpoint);
-
 g_free(path);
 }

@@ -1271,6 +1268,7 @@ static void media_transport_free(void *data)
 if (transport->ops && transport->ops->destroy)
 transport->ops->destroy(transport->data);

+ g_free(transport->remote_endpoint);
 g_free(transport->configuration);
 g_free(transport->path);
 g_free(transport);
-- 
2.45.2
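Review bot: In the first hunk, nothing tells the next maintainer that `transport` can already be freed once `g_dbus_unregister_interface()` returns, which is the invariant this fix relies on; the ASan trace in the description shows `media_transport_free` running from inside that call. A comment above the call would keep a later edit from reintroducing a read of freed memory, for example `/* May invoke media_transport_free(); do not dereference transport after this call. */`. The remaining `g_free(path)` is only safe if `path` is a private copy rather than `transport->path` itself; the assignment is outside the hunk, so that is worth confirming. The unguarded `g_free(transport->remote_endpoint)` added in the second hunk is fine, since `g_free()` accepts NULL.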