From b3dd599874550ab4793fb369e7c69ed01b284f5b Mon Sep 17 00:00:00 2001
From: Pauli Virtanen <pav@iki.fi>
Date: Sun, 12 Oct 2025 02:29:39 +0300
Subject: [PATCH] shared/bap: fix crash when setting initial metadata of a
 stream

bt_bap_stream_metadata() when stream is IDLE causes IDLE->IDLE
transition and crashes due to UAF. This occurs if SelectProperties
provides a Metadata.

Fix by not updating state if stream is IDLE.

Log:

ERROR: AddressSanitizer: heap-use-after-free
READ of size 8 at 0x7ca9d83ec448 thread T0
    #0 0x000000927dce in bt_bap_stream_metadata src/shared/bap.c:6525
    #1 0x00000056ae75 in setup_config profiles/audio/bap.c:1790
    #2 0x00000056b865 in bap_config_setup profiles/audio/bap.c:1831
0x7ca9d83ec448 is located 8 bytes inside of 160-byte region [0x7ca9d83ec440,0x7ca9d83ec4e0)
freed by thread T0 here:
    #0 0x7fc9da2e5beb in free.part.0 (/lib64/libasan.so.8+0xe5beb)
    #1 0x0000008e3481 in bap_stream_free src/shared/bap.c:1259
    #2 0x0000008e4586 in bt_bap_stream_unref src/shared/bap.c:1342
    #3 0x0000008e4b6e in bap_ucast_detach src/shared/bap.c:1366
    #4 0x0000008e6b63 in bap_stream_state_changed src/shared/bap.c:1496
    #5 0x0000008ec17d in bap_ucast_set_state src/shared/bap.c:1857
    #6 0x0000008e75e4 in stream_set_state src/shared/bap.c:1543
    #7 0x0000008f268c in stream_metadata src/shared/bap.c:2250
    #8 0x0000008f2801 in bap_ucast_metadata src/shared/bap.c:2274
    #9 0x000000927d3f in bt_bap_stream_metadata src/shared/bap.c:6523
---
 src/shared/bap.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/shared/bap.c b/src/shared/bap.c
index 710b89984..fd52db316 100644
--- a/src/shared/bap.c
+++ b/src/shared/bap.c
@@ -2246,8 +2246,14 @@ static uint8_t stream_metadata(struct bt_bap_stream *stream, struct iovec *meta,
 	util_iov_free(stream->meta, 1);
 	stream->meta = util_iov_dup(meta, 1);
 
-	/* Force state change to the same state to update the metadata */
-	stream_set_state(stream, bt_bap_stream_get_state(stream));
+	switch (bt_bap_stream_get_state(stream)) {
+	case BT_BAP_STREAM_STATE_IDLE:
+		/* Initial metadata */
+		break;
+	default:
+		/* Force state change to the same state to update metadata */
+		stream_set_state(stream, bt_bap_stream_get_state(stream));
+	}
 
 	return 0;
 }
-- 
2.47.3