[Pkg-bluetooth-maintainers] Bug#884663: bluez segfault after PIN entry

Fabian Hickert fabian.hickert at gmail.com
Mon Dec 18 09:16:59 UTC 2017


Package: bluez
Version: 5.46-0ubuntu3
Severity: normal
Tags: patch upstream

Dear Maintainer,

I have a Bluetooth Low Energy enabled home-trainer that causes 'bluetoothd'
to quit with a segfault directly after the PIN entry. I've also tested the
git-upstream version of bluez, but the result is the same.

I open 'bluetoothctl', search for the device and then try to pair it with 'pair
MAC-address'. The PIN entry shows up and I enter the correct PIN. Directly
after pressing enter to confirm the PIN, I can see that bluetoothd stops.

Here is the 'gdb' output:

Program received signal SIGSEGV, Segmentation fault.
0x000055555563fa41 in ext_prop_read_cb (success=false, att_ecode=15 '\017',
value=0x0, length=4, user_data=0x5555558db900)
    at src/shared/gatt-client.c:692
692                                     "Ext. prop value: 0x%04x", (uint16_t)value[0]);
(gdb) bt
#0  0x000055555563fa41 in ext_prop_read_cb (success=false, att_ecode=15 '\017',
value=0x0, length=4, user_data=0x5555558db900)
    at src/shared/gatt-client.c:692
#1  0x0000555555642a21 in read_cb (opcode=1 '\001', pdu=0x5555558c53e1,
length=4, user_data=0x5555558db2d0) at src/shared/gatt-client.c:2142
#2  0x000055555563cfd3 in handle_rsp (att=0x5555558d1a30, opcode=1 '\001',
pdu=0x5555558c53e1 "\n<", pdu_len=4) at src/shared/att.c:707
#3  0x000055555563d527 in can_read_data (io=0x5555558d74b0,
user_data=0x5555558d1a30) at src/shared/att.c:879
#4  0x000055555564bbcf in watch_callback (channel=0x5555558c8480, cond=G_IO_IN,
user_data=0x5555558bb410) at src/shared/io-glib.c:170
#5  0x00007ffff7b0be25 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#6  0x00007ffff7b0c1f0 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#7  0x00007ffff7b0c502 in g_main_loop_run () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#8  0x00005555555cd5b0 in main (argc=1, argv=0x7fffffffe5b8) at src/main.c:770
(gdb)

(gdb) p value
$2 = (const uint8_t *) 0x0
(gdb) p success
$3 = false
(gdb) p att_ecode
$4 = 15 '\017'
(gdb) p length
$5 = 4
(gdb)

I found that the variable 'value' is not initialized in the function 'read_cb'
(src/shared/gatt-client.c:~2112) when the opcode is BT_ATT_OP_ERROR_RSP, but
later on in the code the contents of the variable 'value' are used
(src/shared/gatt-client.c:692) despite the fact that it still points to NULL.

Best regards

Fabian




-- System Information:
Debian Release: stretch/sid
  APT prefers artful-updates
  APT policy: (500, 'artful-updates'), (500, 'artful-security'), (500, 'artful'), (100, 'artful-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0-19-generic (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages bluez depends on:
ii  dbus                 1.10.22-1ubuntu1
ii  init-system-helpers  1.49ubuntu1
ii  kmod                 24-1ubuntu2
ii  libc6                2.26-0ubuntu2
ii  libdbus-1-3          1.10.22-1ubuntu1
ii  libglib2.0-0         2.54.1-1ubuntu1
ii  libreadline7         7.0-0ubuntu2
ii  libudev1             234-2ubuntu12.1
ii  lsb-base             9.20160110ubuntu5
ii  udev                 234-2ubuntu12.1

bluez recommends no packages.

bluez suggests no packages.

-- Configuration Files:
/etc/dbus-1/system.d/bluetooth.conf changed [not included]
/etc/init.d/bluetooth changed [not included]

-- no debconf information
-------------- next part --------------
diff --git a/src/shared/gatt-client.c b/src/shared/gatt-client.c
index 4b3f553f1..98dc76a9e 100755
--- a/src/shared/gatt-client.c
+++ b/src/shared/gatt-client.c
@@ -2119,6 +2119,10 @@ static void read_cb(uint8_t opcode, const void *pdu, uint16_t length,
 	const uint8_t *value = NULL;
 	uint16_t value_len = 0;
 
+	value_len = length;
+	if (value_len)
+		value = pdu;
+
 	if (opcode == BT_ATT_OP_ERROR_RSP) {
 		success = false;
 		att_ecode = process_error(pdu, length);
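Review bot: moving `value_len = length;` / `if (value_len) value = pdu;` ahead of the `opcode == BT_ATT_OP_ERROR_RSP` check changes what a failed read hands to its callback: on an error response `value` now points at the error PDU (request opcode, handle, error code) with `value_len` equal to the error PDU length, instead of NULL and 0. That does stop the NULL dereference at gatt-client.c:692, but any callback that reads `value` without first checking `success` will now interpret error-PDU bytes as attribute data. The narrower fix is to keep `value` NULL on the error path and have ext_prop_read_cb test `success` before it touches `value`; if this reordering is kept instead, the description should state that failed reads now carry the raw error PDU.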
@@ -2131,9 +2135,6 @@ static void read_cb(uint8_t opcode, const void *pdu, uint16_t length,
 	}
 
 	success = true;
-	value_len = length;
-	if (value_len)
-		value = pdu;
 
 done:
 	if (op->callback)
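Review bot: the three lines removed here sat immediately after `success = true;`, i.e. after whatever opcode and length checks occupy the elided lines between the two hunks, so `value` was previously only ever set for a response that had passed those checks. With the assignment hoisted to the top of the function, `value` and `value_len` are already populated when any of those checks take their early exit to `done:`, and `op->callback` is then invoked with `success == false` and a non-NULL `value`. Each of those exit paths should be re-read to confirm the callbacks registered for this path (ext_prop_read_cb among them) are prepared for that combination.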


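The defect the report describes, as an added example that is not BlueZ's code: a simplified model of the unpatched read_cb, which leaves `value` NULL on an ATT Error Response, next to a callback hardened to check `success` and `value` before dereferencing the buffer (the check missing at gatt-client.c:692). The `struct ext_prop_result`, the constructed PDUs and the single-callback dispatcher are assumptions made for this demo.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define BT_ATT_OP_ERROR_RSP 0x01   /* ATT opcodes, values as in the Core spec */
#define BT_ATT_OP_READ_RSP  0x0b

/* Hypothetical record the callback fills in instead of logging. */
struct ext_prop_result { bool ok; uint8_t att_ecode; uint16_t ext_prop; };

/* Hardened callback: test success and value before reading the buffer, so the
 * NULL value that accompanies an error response is never dereferenced. */
static void ext_prop_read_cb(bool success, uint8_t att_ecode,
                             const uint8_t *value, uint16_t length, void *user_data)
{
    struct ext_prop_result *r = user_data;
    r->ok = false;
    r->att_ecode = att_ecode;
    if (!success || !value || length < 2)
        return;
    r->ext_prop = (uint16_t)(value[0] | (value[1] << 8)); /* little-endian */
    r->ok = true;
}

/* Simplified model of the unpatched read_cb: on an error response value stays
 * NULL and only the error code (4th byte of the error PDU) is passed on.
 * Returns what the callback recorded so the outcome can be checked. */
static struct ext_prop_result read_cb(uint8_t opcode, const uint8_t *pdu,
                                      uint16_t length)
{
    struct ext_prop_result r = { false, 0, 0 };
    bool success = false;
    uint8_t att_ecode = 0;
    const uint8_t *value = NULL;
    uint16_t value_len = 0;
    if (opcode == BT_ATT_OP_ERROR_RSP) {
        att_ecode = (length == 4) ? pdu[3] : 0;
        goto done;
    }
    if (opcode != BT_ATT_OP_READ_RSP)
        goto done;                  /* unexpected opcode: report failure */
    success = true;
    value_len = length;
    if (value_len)
        value = pdu;
done:
    ext_prop_read_cb(success, att_ecode, value, value_len, &r);
    return r;
}
/* Constructed PDUs: an Error Response to a Read Request on handle 0x003c with
 * error 0x0f (att_ecode=15, as in the report), and a Read Response of 0x0001. */
static const uint8_t error_pdu[4] = { 0x0a, 0x3c, 0x00, 0x0f };
static const uint8_t read_pdu[2]  = { 0x01, 0x00 };
```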