From 9e76fb9f6ce830cebb71a0b54a662ea8bb50bd54 Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz
Date: Mon, 13 Oct 2025 13:39:30 -0400
Subject: [PATCH] bthost: Fix crash on l2cap_ecred_conn_rsp

This fixes the following crash:

Invalid read of size 2
   at 0x4019907: l2cap_ecred_conn_rsp (bthost.c:2554)
   by 0x4019907: l2cap_le_sig (bthost.c:2650)
   by 0x4019907: process_l2cap (bthost.c:3137)
   by 0x401BBA3: process_acl (bthost.c:3242)
   by 0x401BBA3: bthost_receive_h4 (bthost.c:3402)
   by 0x4008835: receive_bthost (bluetooth.c:2989)
   by 0x493B862: ??? (in /usr/lib64/libglib-2.0.so.0.8400.4)
   by 0x49447A7: ??? (in /usr/lib64/libglib-2.0.so.0.8400.4)
   by 0x4944A4E: g_main_loop_run (in /usr/lib64/libglib-2.0.so.0.8400.4)
   by 0x402645D: mainloop_run (mainloop-glib.c:65)
   by 0x4026A34: mainloop_run_with_signal (mainloop-notify.c:196)
   by 0x4025C55: tester_run (tester.c:1084)
   by 0x4002A7B: main (l2cap-tester.c:2799)
Address 0x400bc02a4 is not stack'd, malloc'd or (recently) free'd
---
 emulator/bthost.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/emulator/bthost.c b/emulator/bthost.c
index b00f8f2b6..079f14fb3 100644
--- a/emulator/bthost.c
+++ b/emulator/bthost.c
@@ -2535,7 +2535,7 @@ static bool l2cap_ecred_conn_rsp(struct bthost *bthost, struct btconn *conn,
 					uint8_t ident, const void *data, uint16_t len)
 {
 	const struct {
-		const struct bt_l2cap_pdu_ecred_conn_rsp *pdu;
+		const struct bt_l2cap_pdu_ecred_conn_rsp pdu;
 		uint16_t scid[5];
 	} __attribute__ ((packed)) *rsp = data;
 	int num_scid, i;
@@ -2551,7 +2551,7 @@ static bool l2cap_ecred_conn_rsp(struct bthost *bthost, struct btconn *conn,
 		l2conn = bthost_add_l2cap_conn(bthost, conn, 0,
 						le16_to_cpu(rsp->scid[i]), 0);
 		l2conn->mode = L2CAP_MODE_LE_ENH_CRED;
-		l2conn->tx_credits = rsp->pdu->credits;
+		l2conn->tx_credits = rsp->pdu.credits;
 		l2conn->rx_credits = 1;
 	}
-- 
2.47.3
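Review bot: The second hunk still indexes the peer-supplied `rsp->scid[i]` with `num_scid` computed in lines the patch does not show (between the two hunks), so it is not visible here whether `len` is checked against `sizeof(rsp->pdu)` and whether `num_scid` is clamped to the five-entry `scid[]` array; without both, a short or oversized ECRED connection response would still read past `data` after the pointer-to-embedded-struct fix. If the intervening code lacks them, a guard such as `if (len < sizeof(rsp->pdu)) return false;` before the loop and a cap of `num_scid` at 5 (or `len` checked against `sizeof(*rsp)`) would close that path. On the same hunk, `l2conn` returned by `bthost_add_l2cap_conn()` is dereferenced on the next line with no NULL check; if that helper can fail on allocation, `if (!l2conn) return false;` keeps the emulator from crashing on a different path. l2cap_ecred_conn_rsp begins before the first hunk and its remaining body and return run past the second.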