From 1a478c7147816db3672ede0ae6cb321512a219e2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Danis?=
Date: Fri, 30 Jan 2026 10:36:26 +0100
Subject: [PATCH] bluez5: Fix stack smashing crash in remote_endpoint_update_props()
Commit 2942bae0342259976dcb1344c6aa32fbc1e5534f introduced parsing of "SupportedFeatures" which uses a third DBusMessageIter pointer.
*** stack smashing detected ***: terminated
==389050==
==389050== Process terminating with default action of signal 6 (SIGABRT)
==389050== at 0x4F57B2C: __pthread_kill_implementation (pthread_kill.c:44)
==389050== by 0x4F57B2C: __pthread_kill_internal (pthread_kill.c:78)
==389050== by 0x4F57B2C: pthread_kill@@GLIBC_2.34 (pthread_kill.c:89)
==389050== by 0x4EFE27D: raise (raise.c:26)
==389050== by 0x4EE18FE: abort (abort.c:79)
==389050== by 0x4EE27B5: __libc_message_impl.cold (libc_fatal.c:134)
==389050== by 0x4FEFC48: __fortify_fail (fortify_fail.c:24)
==389050== by 0x4FF0ED3: __stack_chk_fail (stack_chk_fail.c:24)
==389050== by 0xBC1D1A1: remote_endpoint_update_props (bluez5-dbus.c:3137)
==389050== by 0xB53609F: ???
==389050== by 0x1DF: ???
==389050== by 0x61C17BF: ??? (in /usr/lib/x86_64-linux-gnu/libdbus-1.so.3.32.4)
==389050== by 0x1DF: ???
==389050== by 0xC5ED113: ???
---
spa/plugins/bluez5/bluez5-dbus.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/spa/plugins/bluez5/bluez5-dbus.c b/spa/plugins/bluez5/bluez5-dbus.c
index 926b1b3c4..6b5fb173e 100644
--- a/spa/plugins/bluez5/bluez5-dbus.c
+++ b/spa/plugins/bluez5/bluez5-dbus.c
@@ -3102,11 +3102,13 @@ static int remote_endpoint_update_props(struct spa_bt_remote_endpoint *remote_en
 spa_log_debug(monitor->log, "remote_endpoint %p: %s=%"PRIu64, remote_endpoint, key, remote_endpoint->hisyncid);
 } else if (spa_streq(key, "SupportedFeatures")) {
+ DBusMessageIter iter;
+
 if (!check_iter_signature(&it[1], "a{sv}"))
 goto next;
- dbus_message_iter_recurse(&it[1], &it[2]);
- parse_supported_features(monitor, &it[2], &remote_endpoint->bap_features);
+ dbus_message_iter_recurse(&it[1], &iter);
+ parse_supported_features(monitor, &iter, &remote_endpoint->bap_features);
 } else {
 unhandled:
 spa_log_debug(monitor->log, "remote_endpoint %p: unhandled key %s", remote_endpoint, key);
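Review bot: The new local `iter` stops the out-of-bounds write through `&it[2]`, but nothing at the declaration says why a separate iterator is used here, so a later edit that needs one more nesting level could reintroduce the same overflow; add a comment above it such as `/* it[] has no spare slot: the a{sv} recursion needs its own iterator */`. The declaration of `it` lies outside this hunk, so its element count is inferred from the `__stack_chk_fail` abort in the commit message rather than visible here — if it is a small fixed array, every other `&it[N]` in this function deserves the same check against its size. The abort was only raised because the build had the stack protector enabled; without it the write would have silently corrupted the frame, so this is worth treating as a memory-safety bug in D-Bus input handling, not just a crash. `remote_endpoint_update_props` starts and ends outside the hunk.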