[PATCH BlueZ] avdtp: Fix runtime errors passing NULL to memcpy

Luiz Augusto von Dentz <luiz.dentz@xxxxxxxxx> · Fri, 7 Jan 2022 13:32:16 -0800

From: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>

Passing NULL to memcpy is considered undefined behavior which leads to
the following runtime errors:

profiles/audio/avdtp.c:2709:2: runtime error: null pointer passed as
argument 1, which is declared to never be null
profiles/audio/avdtp.c:2709:2: runtime error: null pointer passed as
argument 2, which is declared to never be null
profiles/audio/avdtp.c:3326:2: runtime error: null pointer passed as
argument 2, which is declared to never be null
profiles/audio/avdtp.c:500:3: runtime error: null pointer passed as
argument 2, which is declared to never be null
---
 profiles/audio/avdtp.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c
index f2b461330..da4114e0f 100644
--- a/profiles/audio/avdtp.c
+++ b/profiles/audio/avdtp.c
@@ -497,7 +497,9 @@ static gboolean avdtp_send(struct avdtp *session, uint8_t transaction,
 		single.signal_id = signal_id;
 
 		memcpy(session->buf, &single, sizeof(single));
-		memcpy(session->buf + sizeof(single), data, len);
+
+		if (data)
+			memcpy(session->buf + sizeof(single), data, len);
 
 		return try_send(sock, session->buf, sizeof(single) + len);
 	}
@@ -569,7 +571,7 @@ static void pending_req_free(void *data)
 
 	if (req->timeout)
 		timeout_remove(req->timeout);
-	g_free(req->data);
+	free(req->data);
 	g_free(req);
 }
 
@@ -2687,7 +2689,7 @@ static int send_req(struct avdtp *session, gboolean priority,
 	return 0;
 
 failed:
-	g_free(req->data);
+	free(req->data);
 	g_free(req);
 	return err;
 }
@@ -2705,8 +2707,7 @@ static int send_request(struct avdtp *session, gboolean priority,
 
 	req = g_new0(struct pending_req, 1);
 	req->signal_id = signal_id;
-	req->data = g_malloc(size);
-	memcpy(req->data, buffer, size);
+	req->data = util_memdup(buffer, size);
 	req->data_size = size;
 	req->stream = stream;
 
@@ -3323,7 +3324,9 @@ struct avdtp_service_capability *avdtp_service_cap_new(uint8_t category,
 	cap = g_malloc(sizeof(struct avdtp_service_capability) + length);
 	cap->category = category;
 	cap->length = length;
-	memcpy(cap->data, data, length);
+
+	if (data)
+		memcpy(cap->data, data, length);
 
 	return cap;
 }
-- 
2.33.1







