2009-07-20 08:46:58

by [email protected]

[permalink] [raw]
Subject: sdp update record

Hi everyone

Working with BlueZ 4.46, bluetoothd process makes an segfault when an
"update sdp record" request is processed. Running with valgrind memcheck
I checked that when an "search attr" request arrives after the "update sdp
record",
this record handle not exists because this memory has been freed in the
"update sdp record" stage. The code block when "update spd record" is made

is below:


int service_update_req(sdp_req_t *req, sdp_buf_t *rsp)
{
sdp_record_t *orec;
int status = 0, scanned = 0;
uint8_t *p = req->buf + sizeof(sdp_pdu_hdr_t);
int bufsize = req->len - sizeof(sdp_pdu_hdr_t);
uint32_t handle = ntohl(bt_get_unaligned((uint32_t *) p));

SDPDBG("Svc Rec Handle: 0x%x", handle);

p += sizeof(uint32_t);
bufsize -= sizeof(uint32_t);

orec = sdp_record_find(handle);

SDPDBG("SvcRecOld: %p", orec);

if (orec) {
sdp_record_t *nrec = extract_pdu_server(BDADDR_ANY, p,
bufsize,
handle, &scanned);
if (nrec && handle == nrec->handle) {
update_db_timestamp();
update_svclass_list(BDADDR_ANY);
} else {
SDPDBG("SvcRecHandle : 0x%x", handle);
SDPDBG("SvcRecHandleNew : 0x%x", nrec->handle);
SDPDBG("SvcRecNew : %p", nrec);
SDPDBG("SvcRecOld : %p", orec);
SDPDBG("Failure to update, restore old value");

status = SDP_INVALID_SYNTAX;
}

if (nrec)
sdp_record_free(nrec);
} else
status = SDP_INVALID_RECORD_HANDLE;

p = rsp->data;
bt_put_unaligned(htons(status), (uint16_t *) p);
rsp->data_size = sizeof(uint16_t);
return status;
}

If I comment the "sdp_record_free(nrec)" line, no segfault occurs.
If "extract_pdu_server" works like I think, first find the record, later
delete all attrs and add the new attrs.
So that, sdp_record_free(nrec) is freeing the updated record, no?

I'm not in list, pleases cc'me.

Thanks and regards






2009-07-21 18:02:04

by Luiz Augusto von Dentz

[permalink] [raw]
Subject: Re: sdp update record

Hi,

On Mon, Jul 20, 2009 at 5:46 AM,
[email protected]<[email protected]> wrote:
> Hi everyone
>
> Working with BlueZ 4.46, bluetoothd process makes an segfault when an
> "update sdp record" request is processed. Running with valgrind memcheck
> I checked that when an "search attr" request arrives after the "update sdp
> record",
> ?this record handle not exists because this memory has been freed in the
> "update sdp record" stage. The code block when "update spd record" is made
>

Thanks for reporting this, a patch has been pushed upstream to solve this:

http://git.kernel.org/?p=bluetooth/bluez.git;a=commitdiff;h=8c677a559dbaa7c9b53fea05f91081c05244ec1f

Note that nrec should reuse the memory from orec thus the assert.

--
Luiz Augusto von Dentz
Engenheiro de Computa??o