|
 |
67d7dc |
From f853012bc0142ab6056f3d9ef4abf621b1e8a756 Mon Sep 17 00:00:00 2001
|
|
|
67d7dc |
From: Gopal Tiwari <gtiwari@redhat.com>
|
|
|
67d7dc |
Date: Tue, 24 May 2022 16:45:56 +0530
|
|
|
67d7dc |
Subject: [PATCH BlueZ] gatt: Fix double free and freed memory dereference
|
|
|
67d7dc |
|
|
|
67d7dc |
commit 3627eddea13042ffc0848ae37356f30335ce2e4b
|
|
|
67d7dc |
Author: Ildar Kamaletdinov <i.kamaletdinov@omp.ru>
|
|
|
67d7dc |
Date: Fri Apr 1 15:16:47 2022 +0300
|
|
|
67d7dc |
|
|
|
67d7dc |
gatt: Fix double free and freed memory dereference
|
|
|
67d7dc |
|
|
|
67d7dc |
If device is no longer exists or not paired when notifications send it
|
|
|
67d7dc |
is possible to get double free and dereference of already freed memory.
|
|
|
67d7dc |
|
|
|
67d7dc |
To avoid this we need to recheck the state of device after sending
|
|
|
67d7dc |
notification.
|
|
|
67d7dc |
|
|
|
67d7dc |
Found by Linux Verification Center (linuxtesting.org) with the SVACE
|
|
|
67d7dc |
static analysis tool.
|
|
|
67d7dc |
---
|
|
|
67d7dc |
src/gatt-database.c | 4 ++++
|
|
|
67d7dc |
1 file changed, 4 insertions(+)
|
|
|
67d7dc |
|
|
|
67d7dc |
diff --git a/src/gatt-database.c b/src/gatt-database.c
|
|
|
67d7dc |
index d6c94058c..d32f616a9 100644
|
|
|
67d7dc |
--- a/src/gatt-database.c
|
|
|
67d7dc |
+++ b/src/gatt-database.c
|
|
|
67d7dc |
@@ -3877,6 +3877,10 @@ void btd_gatt_database_server_connected(struct btd_gatt_database *database,
|
|
|
67d7dc |
|
|
|
67d7dc |
send_notification_to_device(state, state->pending);
|
|
|
67d7dc |
|
|
|
67d7dc |
+ state = find_device_state(database, &bdaddr, bdaddr_type);
|
|
|
67d7dc |
+ if (!state || !state->pending)
|
|
|
67d7dc |
+ return;
|
|
|
67d7dc |
+
|
|
|
67d7dc |
free(state->pending->value);
|
|
|
67d7dc |
free(state->pending);
|
|
|
67d7dc |
state->pending = NULL;
|
|
|
67d7dc |
--
|
|
|
67d7dc |
2.26.2
|
|
|
67d7dc |
|