From f65cd924f2e60e7bd41dc27443c020e131880e8c Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz
Date: Mon, 26 Feb 2024 09:53:46 -0500
Subject: [PATCH] btdev: Fix UAF on page_timeout

When the page_timeout is run perhaps the btdev had been freed already so it needs to be checked if it still valid.
---
 emulator/btdev.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/emulator/btdev.c b/emulator/btdev.c
index 139ab69b4..3224b73bf 100644
--- a/emulator/btdev.c
+++ b/emulator/btdev.c
@@ -319,6 +319,18 @@ static inline int del_btdev(struct btdev *btdev)
 return index;
 }
 
+static inline bool valid_btdev(struct btdev *btdev)
+{
+ int i;
+
+ for (i = 0; i < MAX_BTDEV_ENTRIES; i++) {
+ if (btdev_list[i] == btdev)
+ return true;
+ }
+
+ return false;
+}
+
 static inline struct btdev *find_btdev_by_bdaddr(const uint8_t *bdaddr)
 {
 int i;
@@ -1301,7 +1313,8 @@ static bool page_timeout(void *user_data)
 timeout_remove(pt_data->timeout_id);
 pt_data->timeout_id = 0;
 
- conn_complete(btdev, bdaddr, BT_HCI_ERR_PAGE_TIMEOUT);
+ if (valid_btdev(btdev))
+ conn_complete(btdev, bdaddr, BT_HCI_ERR_PAGE_TIMEOUT);
 
 free(pt_data);
 return false;
-- 
2.47.3
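Review bot: `valid_btdev` decides liveness by comparing a possibly-dangling `btdev` pointer against `btdev_list[]`, which closes the crash but not the lifetime bug: if the freed slot is reused by a newly allocated `struct btdev` at the same address, the scan returns true and `page_timeout` delivers `BT_HCI_ERR_PAGE_TIMEOUT` to the wrong device, and comparing an indeterminate pointer value is itself not well-defined C. The more robust shape is for the btdev teardown path to cancel the pending page timer and release its `pt_data` before the device is freed, so the callback can never observe a dead device; that path is outside this patch, so I am hedging on whether a teardown hook exists to hang it on. If the address check is kept as a belt-and-braces guard, a comment on the function stating the limitation would help the next reader, e.g. `/* Best-effort: a recycled address would pass this check; callers must not rely on it alone. */`, and the parameter can be `const struct btdev *` since it is only compared.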
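Review bot: The new `if (valid_btdev(btdev))` in `page_timeout` silently drops the completion when the device is gone, with no comment explaining why that branch is expected, so a later reader may think the skipped `conn_complete` is a bug rather than the fix. A one-line comment above the check would record the intent, e.g. `/* The btdev may have been destroyed while this timer was pending */`. It is also worth confirming that `bdaddr`, which `conn_complete` receives alongside `btdev`, does not itself point into the freed device, since the guard only protects the call and not the derivation of its arguments; `page_timeout`'s body begins outside this hunk, so that cannot be checked here.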