From 229d411e5a71486e62a13365dfc0049a3d930f62 Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz
Date: Thu, 30 Oct 2025 12:27:22 -0400
Subject: [PATCH] bthost: Fix crash on bthost_past_set_info

This fixes the following crash:

Invalid read of size 1
at 0x401DEFE: send_command (bthost.c:1101)
by 0x4021F01: bthost_past_set_info (bthost.c:3758)
by 0x4006038: test_listen_past (iso-tester.c:3246)
by 0x494984A: ??? (in /usr/lib64/libglib-2.0.so.0.8400.4)
by 0x4943862: ??? (in /usr/lib64/libglib-2.0.so.0.8400.4)
by 0x494C7A7: ??? (in /usr/lib64/libglib-2.0.so.0.8400.4)
by 0x494CA4E: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.8400.4)
by 0x402CC4D: mainloop_run (mainloop-glib.c:65)
by 0x402D224: mainloop_run_with_signal (mainloop-notify.c:196)
by 0x402C445: tester_run (tester.c:1084)
by 0x4005609: main (iso-tester.c:4335)
Address 0x40 is not stack'd, malloc'd or (recently) free'd
---
 emulator/bthost.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/emulator/bthost.c b/emulator/bthost.c
index 79d8305d7..faabbaa36 100644
--- a/emulator/bthost.c
+++ b/emulator/bthost.c
@@ -3751,6 +3751,9 @@ void bthost_past_set_info(struct bthost *bthost, uint16_t handle)
 {
 struct bt_hci_cmd_le_past_set_info cp;
 
+ if (!bthost)
+ return;
+
 memset(&cp, 0, sizeof(cp));
 cp.handle = cpu_to_le16(handle);
 cp.adv_handle = 0x01;
-- 
2.47.3
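Review bot: The new `if (!bthost) return;` guard silently drops the LE PAST set-info command when the host is NULL, so a caller such as test_listen_past that reaches this path with no host now skips the command with no indication, and the crash from the description presumably becomes a test that stalls or fails later in a less obvious way; the commit does not say why the host was NULL there. A short comment above the check would tell the next reader that this is an expected condition rather than a defensive afterthought, e.g. `/* No emulated host (NULL bthost): nothing to send the LE PAST set-info command to. */`. If other bthost_* senders can be reached with a NULL host on the same test path they need the same guard, or the check belongs in the caller where the missing host can be reported; that is inferred from the trace (a read at address 0x40 from send_command) rather than visible here. The body of bthost_past_set_info, including the send_command() call named in the trace, continues past the end of the hunk.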