bluez5: fix wrong use of send_with_reply in HFP backends

The pattern if (!send_with_reply(...)) leaks DBusPendingCall and is UAF prone. Replace these with proper tracking and cancellation of the pending calls in HFP backends.
2026-05-27 21:37:37 -04:00 · 2026-05-04 19:52:46 +03:00 · 2026-05-04 19:52:46 +03:00 · 31f0300c48
commit 31f0300c48
parent 81470db44f
3 changed files with 43 additions and 14 deletions
--- a/spa/plugins/bluez5/backend-ofono.c
+++ b/spa/plugins/bluez5/backend-ofono.c
@ -44,6 +44,7 @@ struct impl {
 	struct spa_dbus *dbus;
 	struct spa_loop_utils *loop_utils;
 	DBusConnection *conn;
+	DBusPendingCall *pending_get_cards;

 	const struct spa_bt_quirks *quirks;

@ -637,7 +638,8 @@ static void ofono_getcards_reply(DBusPendingCall *pending, void *user_data)
 	struct impl *backend = user_data;
 	DBusMessageIter i, array_i, struct_i, props_i;

-	spa_autoptr(DBusMessage) r = steal_reply_and_unref(&pending);
+	spa_assert(backend->pending_get_cards == pending);
+	spa_autoptr(DBusMessage) r = steal_reply_and_unref(&backend->pending_get_cards);
 	if (r == NULL)
 		return;

@ -736,12 +738,16 @@ static int ofono_getcards(struct impl *backend)
 {
 	spa_autoptr(DBusMessage) m = NULL;

+	if (backend->pending_get_cards)
+		return -EBUSY;
+
 	m = dbus_message_new_method_call(OFONO_SERVICE, "/",
 			OFONO_HF_AUDIO_MANAGER_INTERFACE, "GetCards");
 	if (m == NULL)
 		return -ENOMEM;

-	if (!send_with_reply(backend->conn, m, ofono_getcards_reply, backend))
+	backend->pending_get_cards = send_with_reply(backend->conn, m, ofono_getcards_reply, backend);
+	if (!backend->pending_get_cards)
 		return -EIO;

 	return 0;
@ -825,6 +831,8 @@ static int backend_ofono_free(void *data)
 {
 	struct impl *backend = data;

+	cancel_and_unref(&backend->pending_get_cards);
+
 	if (backend->filters_added) {
 		dbus_connection_remove_filter(backend->conn, ofono_filter_cb, backend);
 		backend->filters_added = false;