Null dereference in profiles/audio/avrcp.c


 



Hi,

When trying to pair my "3M Peltor WS Alert XPI" headset with BlueZ, I
get a null dereference in profiles/audio/avrcp.c.

The following small patch avoids the problem:

diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
index 7c280203c..6064ab40b 100644
--- a/profiles/audio/avrcp.c
+++ b/profiles/audio/avrcp.c
@@ -3740,10 +3740,13 @@ static void avrcp_status_changed(struct avrcp *session,
                                                struct avrcp_header *pdu)
 {
        struct avrcp_player *player = session->controller->player;
-       struct media_player *mp = player->user_data;
+       struct media_player *mp = NULL;
        uint8_t value;
        const char *curval, *strval;

+       if (player == NULL)
+               return;
+       mp = player->user_data;
        value = pdu->params[1];

        curval = media_player_get_status(mp);
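
Review bot: the new check in avrcp_status_changed() covers player, but the declaration above it still reads session->controller->player with no check on session->controller, so the guard only helps when the controller exists and has no player attached (the case in the reported backtrace). If a NULL controller is possible on this path, test it in the same condition. The "= NULL" initialiser on mp is redundant, since mp is assigned unconditionally right after the check; leaving the declaration uninitialised and writing the test as "if (!player)" followed by a blank line before "mp = player->user_data;" would read more cleanly. The early return also drops the remote's status notification silently, so a short comment or debug message saying why the event is ignored would help the next reader.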



Below is the backtrace from GDB:

GNU gdb (Debian 10.1-2) 10.1.90.20210103-git
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/local/libexec/bluetooth/bluetoothd...
(gdb) run
Starting program: /usr/local/libexec/bluetooth/bluetoothd
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".



Program received signal SIGSEGV, Segmentation fault.
0x0000555555594f14 in avrcp_status_changed (pdu=0x5555556d1b36,
pdu=0x5555556d1b36, session=0x5555556a9800) at
profiles/audio/avrcp.c:3743
3743 struct media_player *mp = player->user_data;
(gdb)
(gdb)
(gdb) bt
#0  0x0000555555594f14 in avrcp_status_changed (pdu=0x5555556d1b36,
pdu=0x5555556d1b36, session=0x5555556a9800) at
profiles/audio/avrcp.c:3743
#1  avrcp_handle_event (conn=0x5555556c98e0, code=15 '\017',
subunit=<optimized out>, transaction=<optimized out>,
operands=0x5555556d1b36 "", operand_count=9, user_data=0x5555556a9800)
    at profiles/audio/avrcp.c:3884
#2  0x000055555558f3c7 in control_response (operand_count=9,
operands=0x5555556d1b36 "", avc=<optimized out>, avctp=<optimized
out>, control=<optimized out>) at profiles/audio/avctp.c:938
#3  session_cb (chan=<optimized out>, cond=<optimized out>,
data=<optimized out>) at profiles/audio/avctp.c:1107
#4  0x00007ffff7ebdc0f in g_main_context_dispatch () from
/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#5  0x00007ffff7ebdfb8 in ?? () from /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#6  0x00007ffff7ebe2ab in g_main_loop_run () from
/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0
#7  0x0000555555617415 in mainloop_run () at src/shared/mainloop-glib.c:66
#8  0x00005555556177f2 in mainloop_run_with_signal
(func=func@entry=0x5555555af8d0 <signal_callback>,
user_data=user_data@entry=0x0) at src/shared/mainloop-notify.c:188
#9  0x0000555555577147 in main (argc=<optimized out>, argv=<optimized
out>) at src/main.c:1210


Best regards
/Thomas Eriksson


