
Commit 5d79e8c

MarkWangChinesehenrikbrixandersen
authored andcommitted
bluetooth: avdtp: fix dereferencing null pointer sep
Get the SEID from buf, not from sep. CID 548589 CID 548590 Signed-off-by: Mark Wang <[email protected]>
1 parent f7dbf5f commit 5d79e8c


1 file changed

+27
-11
lines changed


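--- a/subsys/bluetooth/host/classic/avdtp.c
+++ b/subsys/bluetooth/host/classic/avdtp.c
@@ -342,17 +342,30 @@ static struct bt_avdtp_sep *avdtp_get_sep(uint8_t stream_endpoint_id)
 return sep;
 }
 
-static struct bt_avdtp_sep *avdtp_get_cmd_sep(struct net_buf *buf, uint8_t *error_code)
+static struct bt_avdtp_sep *avdtp_get_cmd_sep(struct net_buf *buf, uint8_t *error_code,
+uint8_t *seid)
 {
 struct bt_avdtp_sep *sep;
+uint8_t id;
 
 if (buf->len < 1U) {
 *error_code = BT_AVDTP_BAD_LENGTH;
+LOG_WRN("Malformed packet");
+return NULL;
+}
+
+id = net_buf_pull_u8(buf) >> 2;
+if ((id < BT_AVDTP_MIN_SEID) || (id > BT_AVDTP_MAX_SEID)) {
+*error_code = BT_AVDTP_BAD_ACP_SEID;
 LOG_WRN("Invalid ACP SEID");
 return NULL;
 }
 
-sep = avdtp_get_sep(net_buf_pull_u8(buf) >> 2);
+if (seid != NULL) {
+*seid = id;
+}
+
+sep = avdtp_get_sep(id);
 return sep;
 }
 
@@ -364,7 +377,7 @@ static void avdtp_get_caps_cmd_internal(struct bt_avdtp *session, struct net_buf
 struct bt_avdtp_sep *sep;
 uint8_t error_code = 0;
 
-sep = avdtp_get_cmd_sep(buf, &error_code);
+sep = avdtp_get_cmd_sep(buf, &error_code, NULL);
 
 if ((sep == NULL) || (session->ops->get_capabilities_ind == NULL)) {
 err = -ENOTSUP;
@@ -539,7 +552,7 @@ static void avdtp_process_configuration_cmd(struct bt_avdtp *session, struct net
 struct net_buf_simple_state state;
 uint8_t service_category = 0;
 
-sep = avdtp_get_cmd_sep(buf, &avdtp_err_code);
+sep = avdtp_get_cmd_sep(buf, &avdtp_err_code, NULL);
 avdtp_sep_lock(sep);
 
 if (sep == NULL) {
@@ -692,7 +705,7 @@ static void avdtp_open_cmd(struct bt_avdtp *session, struct net_buf *buf, uint8_
 struct net_buf *rsp_buf;
 uint8_t avdtp_err_code = 0;
 
-sep = avdtp_get_cmd_sep(buf, &avdtp_err_code);
+sep = avdtp_get_cmd_sep(buf, &avdtp_err_code, NULL);
 avdtp_sep_lock(sep);
 
 if ((sep == NULL) || (session->ops->open_ind == NULL)) {
@@ -787,8 +800,10 @@ static void avdtp_start_cmd(struct bt_avdtp *session, struct net_buf *buf, uint8
 struct bt_avdtp_sep *sep;
 struct net_buf *rsp_buf;
 uint8_t avdtp_err_code = 0;
+uint8_t acp_seid = 0;
+
+sep = avdtp_get_cmd_sep(buf, &avdtp_err_code, &acp_seid);
 
-sep = avdtp_get_cmd_sep(buf, &avdtp_err_code);
 avdtp_sep_lock(sep);
 
 if ((sep == NULL) || (session->ops->start_ind == NULL)) {
@@ -815,7 +830,7 @@ static void avdtp_start_cmd(struct bt_avdtp *session, struct net_buf *buf, uint8
 }
 
 LOG_DBG("start err code:%d", avdtp_err_code);
-net_buf_add_u8(rsp_buf, sep->sep_info.id << 2);
+net_buf_add_u8(rsp_buf, acp_seid);
 net_buf_add_u8(rsp_buf, avdtp_err_code);
 }
 
@@ -866,7 +881,7 @@ static void avdtp_close_cmd(struct bt_avdtp *session, struct net_buf *buf, uint8
 struct net_buf *rsp_buf;
 uint8_t avdtp_err_code = 0;
 
-sep = avdtp_get_cmd_sep(buf, &avdtp_err_code);
+sep = avdtp_get_cmd_sep(buf, &avdtp_err_code, NULL);
 avdtp_sep_lock(sep);
 
 if ((sep == NULL) || (session->ops->close_ind == NULL)) {
@@ -943,8 +958,9 @@ static void avdtp_suspend_cmd(struct bt_avdtp *session, struct net_buf *buf, uin
 struct bt_avdtp_sep *sep;
 struct net_buf *rsp_buf;
 uint8_t avdtp_err_code = 0;
+uint8_t acp_seid = 0;
 
-sep = avdtp_get_cmd_sep(buf, &avdtp_err_code);
+sep = avdtp_get_cmd_sep(buf, &avdtp_err_code, &acp_seid);
 avdtp_sep_lock(sep);
 
 if ((sep == NULL) || (session->ops->suspend_ind == NULL)) {
@@ -971,7 +987,7 @@ static void avdtp_suspend_cmd(struct bt_avdtp *session, struct net_buf *buf, uin
 }
 
 LOG_DBG("suspend err code:%d", avdtp_err_code);
-net_buf_add_u8(rsp_buf, sep->sep_info.id << 2);
+net_buf_add_u8(rsp_buf, acp_seid);
 net_buf_add_u8(rsp_buf, avdtp_err_code);
 }
 
@@ -1022,7 +1038,7 @@ static void avdtp_abort_cmd(struct bt_avdtp *session, struct net_buf *buf, uint8
 struct net_buf *rsp_buf;
 uint8_t avdtp_err_code = 0;
 
-sep = avdtp_get_cmd_sep(buf, &avdtp_err_code);
+sep = avdtp_get_cmd_sep(buf, &avdtp_err_code, NULL);
 avdtp_sep_lock(sep);
 
 if ((sep == NULL) || (session->ops->abort_ind == NULL)) {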
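Review bot: The reject response in avdtp_start_cmd now writes the SEID in the wrong bit position: avdtp_get_cmd_sep stores `*seid = id` where `id` is the byte already shifted right by 2, but the response line replaces `sep->sep_info.id << 2` with a bare `acp_seid`, so the ACP SEID lands in the low six bits instead of the upper six where the removed line put it. The same mismatch is in the avdtp_suspend_cmd response hunk (`LOG_DBG("suspend err code:%d", ...)`). Either shift when encoding, `net_buf_add_u8(rsp_buf, acp_seid << 2);`, in both places, or store the wire form in avdtp_get_cmd_sep and document which one `seid` carries. Removing the `sep->sep_info.id` read on the reject path is the right fix for the peer-triggered NULL dereference, since a remote can reach that path with an out-of-range SEID or a short packet; a one-line comment on the `seid` parameter such as `/* out: ACP SEID from the request (unshifted), valid even when NULL is returned */` would make the contract clear to the other callers. Note that avdtp_sep_lock(sep) is still called before the NULL check in several of these functions; I cannot see its body here, so whether it tolerates NULL is worth confirming.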
