a2dp: fix setup->err use-after-free setup->err is set to values that either are on stack of avdtp.c routines, obtained from callbacks, or allocated on heap. This is inconsistent, and use-after-free in some cases. Fix by always allocating setup->err ourselves, copying any values obtained from callbacks. Add setup_error_set/init and do all setup->err manipulation via them. Fixes crash: ==994225==ERROR: AddressSanitizer: stack-use-after-return READ of size 1 at 0x7f15ee5189c0 thread T0 #0 0x445724 in avdtp_error_category profiles/audio/avdtp.c:657 #1 0x41e59e in error_to_errno profiles/audio/a2dp.c:303 #2 0x42bb23 in a2dp_reconfigure profiles/audio/a2dp.c:1336 #3 0x7f15f1512798 in g_timeout_dispatch ... Address 0x7f15ee5189c0 is located in stack of thread T0 at offset 64 in frame #0 0x466b76 in avdtp_parse_rej profiles/audio/avdtp.c:3056 This frame has 2 object(s): [48, 49) 'acp_seid' (line 3058) [64, 72) 'err' (line 3057) <== Memory access at offset 64 is inside this variable

Diffstat

1 files changed, 39 insertions(+), 29 deletions(-)