[Pkg-bluetooth-maintainers] Bug#884663: bluez segfault after PIN entry
Fabian Hickert
fabian.hickert at gmail.com
Mon Dec 18 09:16:59 UTC 2017
Package: bluez
Version: 5.46-0ubuntu3
Severity: normal
Tags: patch upstream
Dear Maintainer,
I have a Bluetooth Low Energy enabled home trainer that causes 'bluetoothd'
to quit with a segfault directly after the PIN entry. I've also tested the git
upstream version of bluez, but the result is the same.
I open 'bluetoothctl', search for the device and then try to pair it with 'pair
MAC-address'. The PIN entry shows up and I enter the correct PIN. Directly
after pressing Enter to confirm the PIN, I can see that bluetoothd stops.
Here is the 'gdb' output:
Program received signal SIGSEGV, Segmentation fault.
0x000055555563fa41 in ext_prop_read_cb (success=false, att_ecode=15 '\017',
value=0x0, length=4, user_data=0x5555558db900)
at src/shared/gatt-client.c:692
692 "Ext. prop value: 0x%04x",
(uint16_t)value[0]);
(gdb) bt
#0 0x000055555563fa41 in ext_prop_read_cb (success=false, att_ecode=15 '\017',
value=0x0, length=4, user_data=0x5555558db900)
at src/shared/gatt-client.c:692
#1 0x0000555555642a21 in read_cb (opcode=1 '\001', pdu=0x5555558c53e1,
length=4, user_data=0x5555558db2d0) at src/shared/gatt-client.c:2142
#2 0x000055555563cfd3 in handle_rsp (att=0x5555558d1a30, opcode=1 '\001',
pdu=0x5555558c53e1 "\n<", pdu_len=4) at src/shared/att.c:707
#3 0x000055555563d527 in can_read_data (io=0x5555558d74b0,
user_data=0x5555558d1a30) at src/shared/att.c:879
#4 0x000055555564bbcf in watch_callback (channel=0x5555558c8480, cond=G_IO_IN,
user_data=0x5555558bb410) at src/shared/io-glib.c:170
#5 0x00007ffff7b0be25 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#6 0x00007ffff7b0c1f0 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#7 0x00007ffff7b0c502 in g_main_loop_run () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#8 0x00005555555cd5b0 in main (argc=1, argv=0x7fffffffe5b8) at src/main.c:770
(gdb)
(gdb) p value
$2 = (const uint8_t *) 0x0
(gdb) p success
$3 = false
(gdb) p att_ecode
$4 = 15 '\017'
(gdb) p length
$5 = 4
(gdb)
I found that the variable 'value' is not initialized in the function 'read_cb'
(src/shared/gatt-client.c:~2112) when the opcode is BT_ATT_OP_ERROR_RSP, but
later on in the code the contents of the variable 'value' are used
(src/shared/gatt-client.c:692) despite the fact that it still points to NULL.
Best regards
Fabian
-- System Information:
Debian Release: stretch/sid
APT prefers artful-updates
APT policy: (500, 'artful-updates'), (500, 'artful-security'), (500, 'artful'), (100, 'artful-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.13.0-19-generic (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages bluez depends on:
ii dbus 1.10.22-1ubuntu1
ii init-system-helpers 1.49ubuntu1
ii kmod 24-1ubuntu2
ii libc6 2.26-0ubuntu2
ii libdbus-1-3 1.10.22-1ubuntu1
ii libglib2.0-0 2.54.1-1ubuntu1
ii libreadline7 7.0-0ubuntu2
ii libudev1 234-2ubuntu12.1
ii lsb-base 9.20160110ubuntu5
ii udev 234-2ubuntu12.1
bluez recommends no packages.
bluez suggests no packages.
-- Configuration Files:
/etc/dbus-1/system.d/bluetooth.conf changed [not included]
/etc/init.d/bluetooth changed [not included]
-- no debconf information
diff --git a/src/shared/gatt-client.c b/src/shared/gatt-client.c
index 4b3f553f1..98dc76a9e 100755
--- a/src/shared/gatt-client.c
+++ b/src/shared/gatt-client.c
@@ -2119,6 +2119,10 @@ static void read_cb(uint8_t opcode, const void *pdu, uint16_t length,
const uint8_t *value = NULL;
uint16_t value_len = 0;
+ value_len = length;
+ if (value_len)
+ value = pdu;
+
if (opcode == BT_ATT_OP_ERROR_RSP) {
success = false;
att_ecode = process_error(pdu, length);
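Review bot: moving the `value_len = length; if (value_len) value = pdu;` assignment above the BT_ATT_OP_ERROR_RSP check means an Error Response now reaches op->callback with value pointing at the error PDU and value_len equal to its length, so ext_prop_read_cb (gatt-client.c:692 in the backtrace) will format bytes of the error response as the "Ext. prop value" instead of crashing. The backtrace shows the actual defect is the callback dereferencing value while success is false; keeping value NULL on the error path and having the callback return early when !success (or check value and length before reading) fixes the crash without handing error bytes to every read callback as attribute data.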
@@ -2131,9 +2135,6 @@ static void read_cb(uint8_t opcode, const void *pdu, uint16_t length,
}
success = true;
- value_len = length;
- if (value_len)
- value = pdu;
done:
if (op->callback)
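Review bot: this removal is only correct together with the first hunk, since it was the sole place value and value_len were set on the success path; the hunk header counts (-2131,9 +2135,6, and -2119,6 +2119,10 above) do not match the lines reproduced here, so context appears to have been lost in transit and the maintainer should apply the original attachment rather than this quoted text. A short description of the change, saying why the assignment moves instead of the callback gaining a success check, would also help when forwarding upstream as the tags request.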