From 398326f19c5acd51bb2b4c81a3b3a184a1069266 Mon Sep 17 00:00:00 2001
From: Wim Taymans
Date: Wed, 29 Apr 2026 14:14:20 +0200
Subject: [PATCH] security: add missing NULL checks after calloc in Bluetooth backend

Memory Safety: Medium

Two calloc() calls in backend-native.c do not check the return value before dereferencing the pointer:

1. rfcomm_send_cmd_enqueue() allocates an rfcomm_cmd struct and immediately passes cmd->cmd to vsnprintf without a NULL check.

2. rfcomm_hfp_ag_clcc() allocates an updated_call struct and immediately dereferences updated_call->id without a NULL check.

Both would crash on allocation failure.

Add NULL checks that return an error instead of dereferencing NULL.

Co-Authored-By: Claude Opus 4.6
---
 spa/plugins/bluez5/backend-native.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/spa/plugins/bluez5/backend-native.c b/spa/plugins/bluez5/backend-native.c
index 1cb2235ff..97803f9cd 100644
--- a/spa/plugins/bluez5/backend-native.c
+++ b/spa/plugins/bluez5/backend-native.c
@@ -584,6 +584,8 @@ static ssize_t rfcomm_send_cmd(struct rfcomm *rfcomm, int next_state, DBusMessag
 va_list args;
 cmd = calloc(1, sizeof(struct rfcomm_cmd));
+if (cmd == NULL)
+return -ENOMEM;
 va_start(args, format);
 len = vsnprintf(cmd->cmd, RFCOMM_MESSAGE_MAX_LENGTH + 1, format, args);
@@ -2342,6 +2344,8 @@ static bool rfcomm_hfp_hf(struct rfcomm *rfcomm, char* token)
 if (SPA_LIKELY (parsed)) {
 struct updated_call *updated_call;
 updated_call = calloc(1, sizeof(struct updated_call));
+if (updated_call == NULL)
+return false;
 updated_call->id = idx;
 spa_list_append(&rfcomm->updated_call_list, &updated_call->link);
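Review bot: The new `return -ENOMEM` in rfcomm_send_cmd turns the crash into a silent drop: nothing is logged on the failure path, and whether the callers distinguish a negative return from a byte count is not visible in the hunk, so an AT command can now vanish without any trace in the log. The exit happens before `va_start`, so no `va_end` is owed, but if the `DBusMessage` parameter is a reference this function is expected to consume, the new early return leaks it; that should be confirmed against the callers. A log line on the failure, such as `spa_log_error(log, "failed to allocate rfcomm command");` with whatever logger is reachable in this function, would make the dropped command diagnosable. rfcomm_send_cmd's body continues outside the hunk.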
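Review bot: The new `return false` after the calloc in the `SPA_LIKELY (parsed)` branch reports an allocation failure with the same value the parser presumably uses for an unrecognised or malformed token, so the caller cannot tell a local resource failure from bad input; if `false` is answered with an AT error reply, the remote device sees a protocol error for an out-of-memory condition on this side. Any entries already on `rfcomm->updated_call_list` are left in place on this exit, which is only correct if the owner of that list drains it regardless of the return value — not visible here, worth confirming. A log line on the failure path, or a comment such as `/* allocation failure is reported like a parse failure; caller cannot distinguish */`, would at least make the choice explicit. The enclosing function starts and ends outside the hunk.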