From aba67693b934a0e67e7ab11538d43d1c3c838a3b Mon Sep 17 00:00:00 2001
From: Pauli Virtanen
Date: Fri, 8 Aug 2025 21:50:38 +0300
Subject: [PATCH] bap: clear server streams when ucast disconnects

Streams are freed by bap_detach() without state change callback. Clear data->server_streams explicitly before bap_detach(). Fixes UAF due to stale stream pointers in server_streams.
---
 profiles/audio/bap.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/profiles/audio/bap.c b/profiles/audio/bap.c
index cbc3c3311..bc67c1ef9 100644
--- a/profiles/audio/bap.c
+++ b/profiles/audio/bap.c
@@ -3768,6 +3768,9 @@ static int bap_disconnect(struct btd_service *service)
 	queue_remove_all(data->snks, ep_remove, NULL, NULL);
 	queue_remove_all(data->srcs, ep_remove, NULL, NULL);
 
+	queue_destroy(data->server_streams, NULL);
+	data->server_streams = NULL;
+
 	bt_bap_detach(data->bap);
 
 	btd_service_disconnecting_complete(service, 0);
-- 
2.47.3
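Review bot: The two added lines in bap_disconnect() empty server_streams with a NULL destroy callback immediately before bt_bap_detach(), but nothing in the code says why the queue must be dropped at exactly this point; the reason (the streams are owned and freed by bt_bap_detach(), which issues no state-change callback, so the queue would otherwise keep dangling pointers) lives only in the commit message. Suggest a comment above the queue_destroy() call: `/* bt_bap_detach() frees the streams without a state callback; drop our references first so server_streams never holds dangling pointers */`. Setting data->server_streams to NULL is only safe if every later user of that queue tolerates a NULL queue and if the queue is re-created when the same data is connected again; the allocation site is not visible from this hunk, so that is worth confirming. The same ordering hazard may exist on other paths that call bt_bap_detach() or free data without going through bap_disconnect(), which this hunk does not show. bap_disconnect() begins before the hunk.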