From ef8f820d4a379044fc71329b803e75df32239cb8 Mon Sep 17 00:00:00 2001 From: "Christian F.K. Schaller" Date: Tue, 7 Apr 2026 07:24:34 -0400 Subject: [PATCH] module-avb: fix potential NULL pointer dereference in MSRP/MVRP notify The msrp_notify() and mvrp_notify() functions call dispatch table notify callbacks without checking for NULL. In MSRP, the TALKER_FAILED attribute type has a NULL notify callback, which would crash if a talker-failed attribute received a registrar state change notification (e.g. RX_NEW triggering NOTIFY_NEW). Add NULL checks before calling the dispatch notify callbacks, matching the defensive pattern used in the encode path. Co-Authored-By: Claude Opus 4.6 --- src/modules/module-avb/msrp.c | 3 ++- src/modules/module-avb/mvrp.c | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/src/modules/module-avb/msrp.c b/src/modules/module-avb/msrp.c index 92d1e65b4..40cb57268 100644 --- a/src/modules/module-avb/msrp.c +++ b/src/modules/module-avb/msrp.c @@ -332,7 +332,8 @@ static void msrp_notify(void *data, uint64_t now, uint8_t notify) { struct attr *a = data; struct msrp *msrp = a->msrp; - return dispatch[a->attr.type].notify(msrp, now, a, notify); + if (dispatch[a->attr.type].notify) + dispatch[a->attr.type].notify(msrp, now, a, notify); } static const struct avb_mrp_attribute_events mrp_attr_events = { diff --git a/src/modules/module-avb/mvrp.c b/src/modules/module-avb/mvrp.c index 20862c2ae..e2667ce40 100644 --- a/src/modules/module-avb/mvrp.c +++ b/src/modules/module-avb/mvrp.c @@ -171,7 +171,8 @@ static void mvrp_notify(void *data, uint64_t now, uint8_t notify) { struct attr *a = data; struct mvrp *mvrp = a->mvrp; - return dispatch[a->attr.type].notify(mvrp, now, a, notify); + if (dispatch[a->attr.type].notify) + dispatch[a->attr.type].notify(mvrp, now, a, notify); } static const struct avb_mrp_attribute_events mrp_attr_events = {