From 8b6b9b775615d533383894fce2e6a94927c9df28 Mon Sep 17 00:00:00 2001 From: Luiz Augusto von Dentz Date: Fri, 22 Oct 2021 13:10:09 -0700 Subject: [PATCH] adapter: Fix storing IRK causing invalid read When storing an IRK the storage file may not have been created yet since that uses the device address which is likely changed to the identity address causing the following trace: Invalid read of size 8 at 0x196452: store_irk.constprop.0 (adapter.c:8679) by 0x198C92: new_irk_callback (adapter.c:8737) by 0x1CF6DC: queue_foreach (queue.c:207) by 0x1D1394: process_notify (mgmt.c:308) by 0x1D1394: can_read_data (mgmt.c:374) by 0x1E0634: watch_callback (io-glib.c:157) by 0x4954A9E: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.6600.8) by 0x49A6A97: ??? (in /usr/lib64/libglib-2.0.so.0.6600.8) by 0x4954162: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.6600.8) by 0x1E0CD4: mainloop_run (mainloop-glib.c:66) by 0x1E10B1: mainloop_run_with_signal (mainloop-notify.c:188) by 0x12E3FC: main (main.c:1210) Address 0x6534418 is 8 bytes inside a block of size 16 free'd --- src/adapter.c | 6 ++++-- src/device.c | 9 +++++---- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/src/adapter.c b/src/adapter.c index 54b6322cc..d0d38621b 100644 --- a/src/adapter.c +++ b/src/adapter.c @@ -8660,11 +8660,15 @@ static void store_irk(struct btd_adapter *adapter, const bdaddr_t *peer, snprintf(filename, PATH_MAX, STORAGEDIR "/%s/%s/info", btd_adapter_get_storage_dir(adapter), device_addr); + create_file(filename, 0600); + key_file = g_key_file_new(); if (!g_key_file_load_from_file(key_file, filename, 0, &gerr)) { error("Unable to load key file from %s: (%s)", filename, gerr->message); g_error_free(gerr); + g_key_file_free(key_file); + return; } for (i = 0; i < 16; i++) @@ -8672,8 +8676,6 @@ static void store_irk(struct btd_adapter *adapter, const bdaddr_t *peer, g_key_file_set_string(key_file, "IdentityResolvingKey", "Key", str); - create_file(filename, 0600); - store_data = g_key_file_to_data(key_file, &length, NULL); if (!g_file_set_contents(filename, store_data, length, &gerr)) { error("Unable set contents for %s: (%s)", filename, diff --git a/src/device.c b/src/device.c index d5aae9576..8ad338419 100644 --- a/src/device.c +++ b/src/device.c @@ -393,12 +393,15 @@ static gboolean store_device_info_cb(gpointer user_data) snprintf(filename, PATH_MAX, STORAGEDIR "/%s/%s/info", btd_adapter_get_storage_dir(device->adapter), device_addr); + create_file(filename, 0600); key_file = g_key_file_new(); if (!g_key_file_load_from_file(key_file, filename, 0, &gerr)) { error("Unable to load key file from %s: (%s)", filename, gerr->message); g_error_free(gerr); + g_key_file_free(key_file); + return FALSE; } g_key_file_set_string(key_file, "General", "Name", device->name); @@ -469,8 +472,6 @@ static gboolean store_device_info_cb(gpointer user_data) if (device->remote_csrk) store_csrk(device->remote_csrk, key_file, "RemoteSignatureKey"); - create_file(filename, 0600); - str = g_key_file_to_data(key_file, &length, NULL); if (!g_file_set_contents(filename, str, length, &gerr)) { error("Unable set contents for %s: (%s)", filename, @@ -4594,9 +4595,9 @@ static void device_remove_stored(struct btd_device *device) key_file = g_key_file_new(); if (!g_key_file_load_from_file(key_file, filename, 0, &gerr)) { - error("Unable to load key file from %s: (%s)", filename, - gerr->message); g_error_free(gerr); + g_key_file_free(key_file); + return; } g_key_file_remove_group(key_file, "ServiceRecords", NULL); g_key_file_remove_group(key_file, "Attributes", NULL); -- 2.47.3