* [Bluez PATCH v2] avdtp: Fix crashes in avdtp_abort
@ 2020-03-24  3:21 Howard Chung
  2020-03-24  6:04 ` Luiz Augusto von Dentz
  0 siblings, 1 reply; 2+ messages in thread
From: Howard Chung @ 2020-03-24  3:21 UTC (permalink / raw)
  To: linux-bluetooth, luiz.von.dentz
  Cc: chromeos-bluetooth-upstreaming, Howard Chung

In avdtp_abort, if setup->stream is NULL, trying to access
stream->lsep will crash.
---

Changes in v2:
- Remove variable 'sep'

 profiles/audio/avdtp.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c
index 0e075f9ff..aabc5ce51 100644
--- a/profiles/audio/avdtp.c
+++ b/profiles/audio/avdtp.c
@@ -3566,7 +3566,6 @@ int avdtp_abort(struct avdtp *session, struct avdtp_stream *stream)
 {
 	struct seid_req req;
 	int ret;
-	struct avdtp_local_sep *sep = stream->lsep;
 
 	if (!stream && session->discover) {
 		/* Don't call cb since it being aborted */
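
Review bot: The guard "if (!stream && session->discover)" only covers a NULL stream while a discover is pending, so with the early "sep = stream->lsep" read removed, the remaining question is what happens when stream is NULL and session->discover is not set. The next hunk still reads stream->lsep->state unconditionally, so please confirm that the lines between the two hunks return for every NULL stream, or add an explicit "if (!stream) return -EINVAL;" before that read.
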
@@ -3581,7 +3580,7 @@ int avdtp_abort(struct avdtp *session, struct avdtp_stream *stream)
 	if (stream->lsep->state == AVDTP_STATE_ABORTING)
 		return -EINVAL;
 
-	avdtp_sep_set_state(session, sep, AVDTP_STATE_ABORTING);
+	avdtp_sep_set_state(session, stream->lsep, AVDTP_STATE_ABORTING);
 
 	if (session->req && stream == session->req->stream)
 		return cancel_request(session, ECANCELED);
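
Review bot: The commit message describes the NULL pointer as setup->stream, but nothing named setup appears in avdtp_abort, where the argument at this avdtp_sep_set_state() call is stream->lsep. Naming the caller that passes the NULL stream would make the fix easier to trace. The replacement itself matches the stream->lsep->state check two lines above, and both reads depend on stream having been validated earlier in the function.
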
-- 
2.25.1.696.g5e7596f4ac-goog



* Re: [Bluez PATCH v2] avdtp: Fix crashes in avdtp_abort
  2020-03-24  3:21 [Bluez PATCH v2] avdtp: Fix crashes in avdtp_abort Howard Chung
@ 2020-03-24  6:04 ` Luiz Augusto von Dentz
  0 siblings, 0 replies; 2+ messages in thread
From: Luiz Augusto von Dentz @ 2020-03-24  6:04 UTC (permalink / raw)
  To: Howard Chung
  Cc: linux-bluetooth, Luiz Augusto Von Dentz, ChromeOS Bluetooth Upstreaming

Hi Howard,

On Mon, Mar 23, 2020 at 8:28 PM Howard Chung <howardchung@google.com> wrote:
>
> In avdtp_abort, if setup->stream is NULL, trying to access
> stream->lsep will crash.
> ---
>
> Changes in v2:
> - Remove variable 'sep'
>
>  profiles/audio/avdtp.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c
> index 0e075f9ff..aabc5ce51 100644
> --- a/profiles/audio/avdtp.c
> +++ b/profiles/audio/avdtp.c
> @@ -3566,7 +3566,6 @@ int avdtp_abort(struct avdtp *session, struct avdtp_stream *stream)
>  {
>         struct seid_req req;
>         int ret;
> -       struct avdtp_local_sep *sep = stream->lsep;
>
>         if (!stream && session->discover) {
>                 /* Don't call cb since it being aborted */
> @@ -3581,7 +3580,7 @@ int avdtp_abort(struct avdtp *session, struct avdtp_stream *stream)
>         if (stream->lsep->state == AVDTP_STATE_ABORTING)
>                 return -EINVAL;
>
> -       avdtp_sep_set_state(session, sep, AVDTP_STATE_ABORTING);
> +       avdtp_sep_set_state(session, stream->lsep, AVDTP_STATE_ABORTING);
>
>         if (session->req && stream == session->req->stream)
>                 return cancel_request(session, ECANCELED);
> --
> 2.25.1.696.g5e7596f4ac-goog

Applied, thanks.

-- 
Luiz Augusto von Dentz

