Branch: refs/heads/master Home: https://github.com/bluez/bluez Commit: 87ad4c66b934b1280bc8843589856313ef1bc912 https://github.com/bluez/bluez/commit/87ad4c66b934b1280bc8843589856313ef1bc912 Author: Pauli Virtanen <pav@xxxxxx> Date: 2024-06-17 (Mon, 17 Jun 2024) Changed paths: M profiles/audio/transport.c Log Message: ----------- transport: fix crash when freeing transport Fix UAF by freeing transport->remote_endpoint in media_transport_free, which also frees the struct (not in destroy after the struct is freed). ERROR: AddressSanitizer: heap-use-after-free READ of size 8 at 0x508000022ab8 thread T0 #0 0x493624 in media_transport_destroy profiles/audio/transport.c:223 ... freed by thread T0 here: #1 0x7fb057d10294 in g_free (/lib64/libglib-2.0.so.0+0x5d294) #2 0x49dd2d in media_transport_free profiles/audio/transport.c:1276 #3 0x7e0e99 in remove_interface gdbus/object.c:682 #4 0x7e8f40 in g_dbus_unregister_interface gdbus/object.c:1430 #5 0x4935a2 in media_transport_destroy profiles/audio/transport.c:220 Commit: 52bda9d45572ab4629bf2f686616c0398f489dad https://github.com/bluez/bluez/commit/52bda9d45572ab4629bf2f686616c0398f489dad Author: Pauli Virtanen <pav@xxxxxx> Date: 2024-06-17 (Mon, 17 Jun 2024) Changed paths: M src/shared/bap-defs.h Log Message: ----------- shared/bap: make BT_BAP_* direction defines valid bitmasks The directions appear to be intended as bitmasks, as bt_bap_stream_io_dir() will bitwise or linked stream directions. Fix the defines to be separate bits. Fixes confusion due to BT_BAP_BCAST_SOURCE == BT_BAP_SINK|BT_BAP_SOURCE, which causes e.g. unicast transports to be in PENDING state after QoS although this does not make sense for BAP unicast Client. Compare: https://github.com/bluez/bluez/compare/7ff745c2bd0c...52bda9d45572 To unsubscribe from these emails, change your notification settings at https://github.com/bluez/bluez/settings/notifications
