Fix to avoid memory overwrite during ASE stream enable operation.
Abhay Maheta (1):
shared/bap: Fixing memory overwrite during ASE Enable Operation
src/shared/bap.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--
2.25.1
This fixes a memory overwrite during ASE Enable operation handling.
It avoids bluetoothd crashing if metadata larger than sizeof(size_t)
is received.
This also fixes storing metadata in the stream structure.
---
src/shared/bap.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/shared/bap.c b/src/shared/bap.c
index 178407387..c3c0d596f 100644
--- a/src/shared/bap.c
+++ b/src/shared/bap.c
@@ -958,10 +958,14 @@ static void stream_notify_metadata(struct bt_bap_stream *stream)
struct bt_ascs_ase_status *status;
struct bt_ascs_ase_status_metadata *meta;
size_t len;
+ size_t meta_len = 0;
DBG(stream->bap, "stream %p", stream);
- len = sizeof(*status) + sizeof(*meta) + sizeof(stream->meta->iov_len);
+ if (stream->meta)
+ meta_len = stream->meta->iov_len;
+
+ len = sizeof(*status) + sizeof(*meta) + meta_len;
status = malloc(len);
memset(status, 0, len);
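Review bot: the unchanged `status = malloc(len); memset(status, 0, len);` lines below the change still use the allocation without a NULL check, so an allocation failure becomes a NULL dereference inside memset; add `if (!status) return;` between them. The `+` lines themselves are the right fix: `sizeof(stream->meta->iov_len)` in the removed line is a compile-time sizeof(size_t), not the metadata length, so any metadata longer than that was copied past the end of the buffer, and the new `if (stream->meta)` guard also covers streams with no metadata. Worth confirming that the later copy into the buffer uses the same `meta_len` value, so the length and the copy cannot drift apart again.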
@@ -1743,7 +1747,7 @@ static uint8_t ep_enable(struct bt_bap_endpoint *ep, struct bt_bap *bap,
return 0;
}
- return stream_enable(ep->stream, iov, rsp);
+ return stream_enable(ep->stream, &meta, rsp);
}
static uint8_t ascs_enable(struct bt_ascs *ascs, struct bt_bap *bap,
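Review bot: `&meta` replaces `iov` as the argument to stream_enable(), but the declaration of `meta` and what stream_enable() does with the pointer are outside the hunk; if `meta` is a local iovec in ep_enable() and stream_enable() keeps the pointer in the stream instead of copying the contents, the stream is left with a dangling pointer once ep_enable() returns. Please confirm stream_enable() copies, and expand the commit message beyond "also fixes storing metadata to stream structure" to say why `iov` was the wrong argument (what it pointed at versus the parsed metadata).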
--
2.25.1
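Added example, not BlueZ code: a constructed illustration of the defect the commit message describes, where the pre-patch length used sizeof() of the iov_len field (a compile-time sizeof(size_t)) instead of the run-time metadata length, so any metadata longer than that overflowed the heap buffer. The struct layouts, HDR_LEN, build_notify() and the 40-byte sample blob are placeholders of my own, not the BlueZ definitions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/uio.h>

/* Constructed stand-ins for the ASCS status headers (not the BlueZ layouts). */
struct ase_status { uint8_t id; uint8_t state; };
struct ase_status_metadata { uint8_t len; };
#define HDR_LEN (sizeof(struct ase_status) + sizeof(struct ase_status_metadata))

/* Pre-patch computation: sizeof() of the iov_len field is the compile-time
 * sizeof(size_t), never the metadata length carried at run time. */
static size_t buggy_len(const struct iovec *meta)
{
	return HDR_LEN + sizeof(meta->iov_len);
}

/* Patched computation: use the run-time length and tolerate a NULL iovec. */
static size_t fixed_len(const struct iovec *meta)
{
	return HDR_LEN + (meta ? meta->iov_len : 0);
}

/* Build the notification in a buffer sized by fixed_len(), so the memcpy can
 * never exceed the allocation. Caller frees; returns NULL on OOM. */
static uint8_t *build_notify(const struct iovec *meta, size_t *out_len)
{
	size_t len = fixed_len(meta);
	uint8_t *buf = calloc(1, len);
	if (!buf)
		return NULL;
	if (meta && meta->iov_len)
		memcpy(buf + HDR_LEN, meta->iov_base, meta->iov_len);
	*out_len = len;
	return buf;
}

/* Constructed 40-byte metadata blob, larger than any sizeof(size_t). */
static uint8_t sample_meta_bytes[40] = { 0xAB };
static const struct iovec sample_meta = { sample_meta_bytes, sizeof(sample_meta_bytes) };

/* Self-check: payload lands right after the headers in a big-enough buffer. */
static int sample_build_ok(void)
{
	size_t len = 0;
	uint8_t *buf = build_notify(&sample_meta, &len);
	int ok = buf && len == HDR_LEN + sizeof(sample_meta_bytes) && buf[HDR_LEN] == 0xAB;
	free(buf);
	return ok;
}
```

With the sample blob, buggy_len() undersizes the buffer by 40 - sizeof(size_t) bytes, which is exactly what the old memcpy would have written past the allocation.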
This is an automated email; please do not reply to it!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=683768
---Test result---
Test Summary:
CheckPatch PASS 1.10 seconds
GitLint FAIL 0.79 seconds
Prep - Setup ELL PASS 26.37 seconds
Build - Prep PASS 0.70 seconds
Build - Configure PASS 8.23 seconds
Build - Make PASS 738.27 seconds
Make Check PASS 11.82 seconds
Make Check w/Valgrind PASS 288.32 seconds
Make Distcheck PASS 235.30 seconds
Build w/ext ELL - Configure PASS 8.28 seconds
Build w/ext ELL - Make PASS 83.71 seconds
Incremental Build w/ patches PASS 0.00 seconds
Scan Build PASS 511.94 seconds
Details
##############################
Test: GitLint - FAIL
Desc: Run gitlint with rule in .gitlint
Output:
[BlueZ,1/1] shared/bap: Fix handling memory overwrite during ASE Enable Operation
1: T1 Title exceeds max length (81>80): "[BlueZ,1/1] shared/bap: Fix handling memory overwrite during ASE Enable Operation"
---
Regards,
Linux Bluetooth
This is an automated email; please do not reply to it!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=683769
---Test result---
Test Summary:
CheckPatch PASS 1.44 seconds
GitLint PASS 0.99 seconds
Prep - Setup ELL FAIL 22.29 seconds
Build - Prep PASS 0.85 seconds
Build - Configure PASS 8.60 seconds
Build - Make PASS 829.16 seconds
Make Check PASS 11.32 seconds
Make Check w/Valgrind PASS 290.40 seconds
Make Distcheck PASS 235.65 seconds
Build w/ext ELL - Configure FAIL 5.82 seconds
Build w/ext ELL - Make SKIPPED 0.38 seconds
Incremental Build w/ patches PASS 0.00 seconds
Scan Build PASS 534.74 seconds
Details
##############################
Test: Prep - Setup ELL - FAIL
Desc: Clone, build, and install ELL
Output:
writing RSA key
writing RSA key
writing RSA key
writing RSA key
writing RSA key
make[1]: *** [Makefile:3276: unit/cert-intca.pem] Error 1
make[1]: *** Waiting for unfinished jobs....
make: *** [Makefile:1264: all] Error 2
##############################
Test: Build w/ext ELL - Configure - FAIL
Desc: Configure BlueZ source with '--enable-external-ell' configuration
Output:
configure.ac:21: installing './compile'
configure.ac:36: installing './config.guess'
configure.ac:36: installing './config.sub'
configure.ac:5: installing './install-sh'
configure.ac:5: installing './missing'
Makefile.am: installing './depcomp'
parallel-tests: installing './test-driver'
configure: error: Embedded Linux library >= 0.39 is required
##############################
Test: Build w/ext ELL - Make - SKIPPED
Desc: Build BlueZ source with '--enable-external-ell' configuration
Output:
build_extell test did not pass
---
Regards,
Linux Bluetooth
This is an automated email; please do not reply to it!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=683769
---Test result---
Test Summary:
CheckPatch PASS 0.65 seconds
GitLint PASS 0.48 seconds
Prep - Setup ELL PASS 31.74 seconds
Build - Prep PASS 0.80 seconds
Build - Configure PASS 9.83 seconds
Build - Make PASS 1073.29 seconds
Make Check PASS 12.13 seconds
Make Check w/Valgrind PASS 339.06 seconds
Make Distcheck PASS 278.58 seconds
Build w/ext ELL - Configure PASS 10.05 seconds
Build w/ext ELL - Make PASS 102.59 seconds
Incremental Build w/ patches PASS 0.00 seconds
Scan Build PASS 681.59 seconds
---
Regards,
Linux Bluetooth
Hello:
This patch was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <[email protected]>:
On Fri, 7 Oct 2022 23:15:17 +0530 you wrote:
> This fixes a memory overwrite during ASE Enable operation handling.
> It avoids bluetoothd crashing if metadata larger than sizeof(size_t)
> is received.
>
> This also fixes storing metadata in the stream structure.
> ---
> src/shared/bap.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
Here is the summary with links:
- [BlueZ,v2,1/1] shared/bap: Fixing memory overwrite during ASE Enable Operation
https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=3da439ae3c76
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
Hello:
This patch was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <[email protected]>:
On Fri, 7 Oct 2022 23:15:15 +0530 you wrote:
> Fix to avoid memory overwrite during ASE stream enable operation.
>
> Abhay Maheta (1):
> shared/bap: Fixing memory overwrite during ASE Enable Operation
>
> src/shared/bap.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
Here is the summary with links:
- [BlueZ,1/1] shared/bap: Fix handling memory overwrite during ASE Enable Operation
https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=3da439ae3c76
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html