Hi,

in the context of a review of the bluetooth-meshd D-Bus service [1] I noticed a segmentation fault due to a NULL pointer dereference. It can be triggered in bluez version 5.51 via the following D-Bus call:

    $ dbus-send --system --type=method_call --print-reply \
        --dest=org.bluez.mesh /org/bluez/mesh org.bluez.mesh.Network1.Join \
        objpath:/org/gnome/DisplayManager \
        array:byte:1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16

After the D-Bus timeout the bluetooth-meshd will crash with the following backtrace:

    node_init_cb (node=0x0, agent=0x0) at mesh/mesh.c:359
    359         reply = dbus_error(join_pending->msg, MESH_ERROR_FAILED,
    (gdb) bt
        user_data=0x5555555be170) at mesh/node.c:1760
        dbus=<optimized out>) at ell/dbus.c:216
        user_data=0x5555555a6e00) at ell/dbus.c:279
        user_data=0x5555555a7ef0) at ell/io.c:126
        at ell/main.c:642
        at mesh/main.c:205

The reason is probably that the `join_pending` data structure has already been freed in a different function.

[1]: https://bugzilla.suse.com/show_bug.cgi?id=1151518

Cheers

Matthias

--
Matthias Gerstner <matthias.gerstner@xxxxxxx>
Dipl.-Wirtsch.-Inf. (FH), Security Engineer
https://www.suse.com/security
Phone: +49 911 740 53 290
GPG Key ID: 0x14C405C971923553

SUSE Software Solutions Germany GmbH
HRB 247165, AG München
Geschäftsführer: Felix Imendörffer
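The lifetime pattern the report points at, as an added illustration that is not bluez code: a hypothetical `join_pending` record that is freed and cleared when the D-Bus request times out, a failure callback in the shape of `node_init_cb(node=NULL, agent=NULL)` that dereferences it blindly, and the guarded form that simply ignores a failure callback when nothing is pending. Struct layout, function names other than `node_init_cb`, and the stored message are assumptions for the model.

```c
#include <stdlib.h>

/* Hypothetical model of the join bookkeeping the report describes; not
 * bluez code, only the lifetime pattern behind the crash. */
struct join_pending {
    char *msg;                       /* stands in for the saved D-Bus request */
};

static struct join_pending *join_pending;   /* the one outstanding Join() */

/* Join() arrives: remember the request so a later callback can reply. */
static void join_start(void)
{
    join_pending = calloc(1, sizeof(*join_pending));
    join_pending->msg = "org.bluez.mesh.Network1.Join";
}

/* D-Bus timeout: discard the request. Clearing the global turns any late
 * use into a testable NULL instead of a silent use-after-free. */
static void join_timeout(void)
{
    free(join_pending);
    join_pending = NULL;
}

/* node == NULL && agent == NULL is the failure case seen in the backtrace.
 * Unchecked form: dereferences join_pending blindly; NULL if timeout ran. */
static const char *node_init_cb_unchecked(void *node, void *agent)
{
    if (!node || !agent)
        return join_pending->msg;        /* crashes if join_pending == NULL */
    return "ok";
}

/* Hardened form: a failure callback with nothing pending is ignored. */
static const char *node_init_cb(void *node, void *agent)
{
    if (!node || !agent)
        return join_pending ? join_pending->msg : NULL;
    return "ok";
}

/* Replay the report's order: Join(), timeout, late failure callback. */
static const char *replay_timeout_then_callback(void)
{
    join_start();
    join_timeout();
    return node_init_cb(NULL, NULL);     /* NULL: no reply attempted, no crash */
}
```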