Bluetooth: Audio: Dereference null return value in cap_initiator.c

Null pointer dereferences in functions: bt_cap_initiator_unicast_audio_update (Line 1478) bt_cap_initiator_unicast_audio_stop (Line 1693) Fixes #74729 and #74739 (cherry picked from commit 0c611d0) Original-Signed-off-by: Babak Arisian <bbaa@demant.com> GitOrigin-RevId: 0c611d0 Change-Id: I11440c7a73b212a36ef86d7be971dd83ab52434f Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/zephyr/+/5666205 Reviewed-by: Ting Shen <phoenixshen@chromium.org> Tested-by: Ting Shen <phoenixshen@chromium.org> Tested-by: ChromeOS Prod (Robot) <chromeos-ci-prod@chromeos-bot.iam.gserviceaccount.com> Commit-Queue: Ting Shen <phoenixshen@chromium.org>
coreboot · Jun 28, 2024 · e514ebe · e514ebe
1 parent 813df49
commit e514ebe
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/subsys/bluetooth/audio/cap_initiator.c b/subsys/bluetooth/audio/cap_initiator.c
@@ -1475,6 +1475,8 @@ int bt_cap_initiator_unicast_audio_update(const struct bt_cap_unicast_audio_upda
  bt_cap_common_set_subproc(BT_CAP_COMMON_SUBPROC_TYPE_META_UPDATE);
 
  proc_param = get_next_proc_param(active_proc);
+ __ASSERT(proc_param != NULL, "proc is not done, but could not get next proc_param");
+
  bap_stream = &proc_param->stream->bap_stream;
  meta_len = proc_param->meta_update.meta_len;
  meta = proc_param->meta_update.meta;
@@ -1690,6 +1692,8 @@ int bt_cap_initiator_unicast_audio_stop(const struct bt_cap_unicast_audio_stop_p
  * procedure should be used.
  */
  proc_param = get_next_proc_param(active_proc);
+ __ASSERT(proc_param != NULL, "proc is not done, but could not get next proc_param");
+
  bap_stream = &proc_param->stream->bap_stream;
  active_proc->proc_initiated_cnt++;