shared/bap: fix crash when setting initial metadata of a stream bt_bap_stream_metadata() when stream is IDLE causes IDLE->IDLE transition and crashes due to UAF. This occurs if SelectProperties provides a Metadata. Fix by not updating state if stream is IDLE. Log: ERROR: AddressSanitizer: heap-use-after-free READ of size 8 at 0x7ca9d83ec448 thread T0 #0 0x000000927dce in bt_bap_stream_metadata src/shared/bap.c:6525 #1 0x00000056ae75 in setup_config profiles/audio/bap.c:1790 #2 0x00000056b865 in bap_config_setup profiles/audio/bap.c:1831 0x7ca9d83ec448 is located 8 bytes inside of 160-byte region [0x7ca9d83ec440,0x7ca9d83ec4e0) freed by thread T0 here: #0 0x7fc9da2e5beb in free.part.0 (/lib64/libasan.so.8+0xe5beb) #1 0x0000008e3481 in bap_stream_free src/shared/bap.c:1259 #2 0x0000008e4586 in bt_bap_stream_unref src/shared/bap.c:1342 #3 0x0000008e4b6e in bap_ucast_detach src/shared/bap.c:1366 #4 0x0000008e6b63 in bap_stream_state_changed src/shared/bap.c:1496 #5 0x0000008ec17d in bap_ucast_set_state src/shared/bap.c:1857 #6 0x0000008e75e4 in stream_set_state src/shared/bap.c:1543 #7 0x0000008f268c in stream_metadata src/shared/bap.c:2250 #8 0x0000008f2801 in bap_ucast_metadata src/shared/bap.c:2274 #9 0x000000927d3f in bt_bap_stream_metadata src/shared/bap.c:6523

Diffstat

1 files changed, 8 insertions(+), 2 deletions(-)