2020-05-07 21:48:22

by Łukasz Rymanowski

[permalink] [raw]
Subject: [PATCH BlueZ] client: Fix possible stack corruption

DBUS_TYPE_BOOLEAN is 'int', which does not have to be the same size as
'bool'.
On architecture where bool is smaller than in, getting prepare-authorize
will corrupt the stack
---
client/gatt.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/client/gatt.c b/client/gatt.c
index 416eda953..9d35b54fa 100644
--- a/client/gatt.c
+++ b/client/gatt.c
@@ -1860,9 +1860,12 @@ static int parse_options(DBusMessageIter *iter, uint16_t *offset, uint16_t *mtu,
} else if (strcasecmp(key, "prepare-authorize") == 0) {
if (var != DBUS_TYPE_BOOLEAN)
return -EINVAL;
- if (prep_authorize)
- dbus_message_iter_get_basic(&value,
- prep_authorize);
+ if (prep_authorize) {
+ int tmp;
+
+ dbus_message_iter_get_basic(&value, &tmp);
+ *prep_authorize = !!tmp;
+ }
}

dbus_message_iter_next(&dict);
--
2.20.1


2020-05-11 13:29:57

by Szymon Janc

[permalink] [raw]
Subject: Re: [PATCH BlueZ] client: Fix possible stack corruption

Hi Łukasz,

On Thursday, 7 May 2020 23:45:37 CEST Łukasz Rymanowski wrote:
> DBUS_TYPE_BOOLEAN is 'int', which does not have to be the same size as
> 'bool'.
> On architecture where bool is smaller than in, getting prepare-authorize
> will corrupt the stack
> ---
> client/gatt.c | 9 ++++++---
> 1 file changed, 6 insertions(+), 3 deletions(-)
>
> diff --git a/client/gatt.c b/client/gatt.c
> index 416eda953..9d35b54fa 100644
> --- a/client/gatt.c
> +++ b/client/gatt.c
> @@ -1860,9 +1860,12 @@ static int parse_options(DBusMessageIter *iter,
> uint16_t *offset, uint16_t *mtu, } else if (strcasecmp(key,
> "prepare-authorize") == 0) {
> if (var != DBUS_TYPE_BOOLEAN)
> return -EINVAL;
> - if (prep_authorize)
> - dbus_message_iter_get_basic(&value,
> -
prep_authorize);
> + if (prep_authorize) {
> + int tmp;
> +
> + dbus_message_iter_get_basic(&value,
&tmp);
> + *prep_authorize = !!tmp;
> + }
> }
>
> dbus_message_iter_next(&dict);

Applied, thanks.

--
pozdrawiam
Szymon Janc