Hello,

I am using bluez 5.36 on Debian. I tried to export a media source from an application. However, when the SelectConfiguration call finishes, bluetoothd crashes. Looking at the code, there is no check that the return from the callback actually contains an array before trying to extract the array content. Adding a check avoids the crash in bluetoothd. I am not sure why the return value does not contain a proper capabilities array, but that is another issue.

Sending a patch that fixes the problem for me.

Thanks
Michal
Index: bluez-5.36/profiles/audio/media.c =================================================================== --- bluez-5.36.orig/profiles/audio/media.c +++ bluez-5.36/profiles/audio/media.c @@ -292,6 +292,12 @@ static void endpoint_reply(DBusPendingCa dbus_message_iter_init(reply, &args); + if (dbus_message_iter_get_arg_type(&args) != DBUS_TYPE_ARRAY) { + error("SelectConfiguration did not return an array: %s", + dbus_message_get_signature(reply)); + goto done; + } + dbus_message_iter_recurse(&args, &array); dbus_message_iter_get_fixed_array(&array, &configuration, &size);
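
Review bot: The added condition in endpoint_reply() checks only that the first argument is an array, not what the array contains, so a reply carrying an array of a non-fixed element type (strings, variants) still reaches dbus_message_iter_recurse() and dbus_message_iter_get_fixed_array(), which libdbus defines only for arrays of fixed-size types. The Media API specifies the SelectConfiguration return value as an array of bytes, so consider extending the same condition to require dbus_message_iter_get_element_type(&args) == DBUS_TYPE_BYTE. Because the new branch jumps to done before configuration and size are filled in, it is also worth confirming that the code at that label reports the request as failed on this path rather than passing an unset buffer to the callback.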