2014-09-23 12:19:17

by Bharat Bhusan Panda

Subject: [PATCH ] attrib: Fix condition check for attr delete

Checks handle value for non-zero as well as >= 0xffff, to avoid
infinite loop and deletion of unspecified attrib handles.
---
attrib/gatt-service.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/attrib/gatt-service.c b/attrib/gatt-service.c
index 874552b..bcf360e 100644
--- a/attrib/gatt-service.c
+++ b/attrib/gatt-service.c
@@ -295,7 +295,12 @@ static void service_attr_del(struct btd_adapter *adapter, uint16_t start_handle,
{
uint16_t handle;

- for (handle = start_handle; handle <= end_handle; handle++)
+ /* For a 128-bit category primary service below handle should be checked
+ * for both non-zero as well as >= 0xffff. As on last iteration the handle
+ * will turn to 0 from 0xffff and loop will be infinite.
+ */
+
+ for (handle = start_handle; (handle != 0 && handle <= end_handle); handle++)
if (attrib_db_del(adapter, handle) < 0)
error("Can't delete handle 0x%04x", handle);
}
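
Review bot: The new comment above the for loop does not match the condition it documents: it describes a check for ">= 0xffff" and ties the problem to 128-bit primary services, while the code tests handle != 0, and the wrap it guards against occurs for any range whose end_handle is 0xffff, because handle is a uint16_t and handle <= end_handle is then always true. Suggest rewording the comment to say exactly that, and stating that a start_handle of 0 now deletes nothing, since the condition is false on the first iteration. Also drop the blank line between the comment and the loop and the redundant parentheses around the condition.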
--
1.9.1



2015-02-13 14:49:41

by Luiz Augusto von Dentz

Subject: Re: [PATCH ] attrib: Fix condition check for attr delete

Hi Bharat,

On Fri, Feb 13, 2015 at 2:32 PM, Bharat Bhusan Panda
<[email protected]> wrote:
> Ping
>
>> -----Original Message-----
>> From: [email protected] [mailto:linux-bluetooth-
>> [email protected]] On Behalf Of Bharat Panda
>> Sent: Tuesday, September 23, 2014 5:49 PM
>> To: [email protected]
>> Cc: [email protected]; Bharat Panda
>> Subject: [PATCH ] attrib: Fix condition check for attr delete
>>
>> Checks handle value for non-zero as well as >= 0xffff, to avoid infinite
>> loop and deletion of unspecified attrib handles.
>> ---
>> attrib/gatt-service.c | 7 ++++++-
>> 1 file changed, 6 insertions(+), 1 deletion(-)
>>
>> diff --git a/attrib/gatt-service.c b/attrib/gatt-service.c index
> 874552b..bcf360e
>> 100644
>> --- a/attrib/gatt-service.c
>> +++ b/attrib/gatt-service.c
>> @@ -295,7 +295,12 @@ static void service_attr_del(struct btd_adapter
>> *adapter, uint16_t start_handle, {
>> uint16_t handle;
>>
>> - for (handle = start_handle; handle <= end_handle; handle++)
>> + /* For a 128-bit category primary service below handle should be
>> checked
>> + * for both non-zero as well as >= 0xffff. As on last iteration the
>> handle
>> + * will turn to 0 from 0xffff and loop will be infinite.
>> + */
>> +
>> + for (handle = start_handle; (handle != 0 && handle <= end_handle);
>> +handle++)
>> if (attrib_db_del(adapter, handle) < 0)
>> error("Can't delete handle 0x%04x", handle); }
>> --
>> 1.9.1
>>

Applied after fixing the coding style, thanks.


--
Luiz Augusto von Dentz

2015-02-13 12:32:37

by Bharat Bhusan Panda

Subject: RE: [PATCH ] attrib: Fix condition check for attr delete

Ping

> -----Original Message-----
> From: [email protected] [mailto:linux-bluetooth-
> [email protected]] On Behalf Of Bharat Panda
> Sent: Tuesday, September 23, 2014 5:49 PM
> To: [email protected]
> Cc: [email protected]; Bharat Panda
> Subject: [PATCH ] attrib: Fix condition check for attr delete
>
> Checks handle value for non-zero as well as >= 0xffff, to avoid infinite
> loop and deletion of unspecified attrib handles.
> ---
> attrib/gatt-service.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/attrib/gatt-service.c b/attrib/gatt-service.c index
874552b..bcf360e
> 100644
> --- a/attrib/gatt-service.c
> +++ b/attrib/gatt-service.c
> @@ -295,7 +295,12 @@ static void service_attr_del(struct btd_adapter
> *adapter, uint16_t start_handle, {
> uint16_t handle;
>
> - for (handle = start_handle; handle <= end_handle; handle++)
> + /* For a 128-bit category primary service below handle should be
> checked
> + * for both non-zero as well as >= 0xffff. As on last iteration the
> handle
> + * will turn to 0 from 0xffff and loop will be infinite.
> + */
> +
> + for (handle = start_handle; (handle != 0 && handle <= end_handle);
> +handle++)
> if (attrib_db_del(adapter, handle) < 0)
> error("Can't delete handle 0x%04x", handle); }
> --
> 1.9.1
>