2022-10-07 14:46:42

by Abhay Maheta

Subject: [PATCH BlueZ 0/1] Bug Fix for Memory overwrite

Fix to avoid memory overwrite during ASE stream enable operation.

Abhay Maheta (1):
shared/bap: Fix handling memory overwrite during ASE Enable Operation

src/shared/bap.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

--
2.25.1


2022-10-07 14:47:49

by Abhay Maheta

Subject: [PATCH BlueZ 1/1] shared/bap: Fix handling memory overwrite during ASE Enable Operation

This fixes memory overwrite during ASE Enable operation handling.
It avoids crashing of bluetoothd if metadata of more than sizeof
size_t is received.

This also fixes storing metadata to stream structure.
---
src/shared/bap.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/shared/bap.c b/src/shared/bap.c
index 178407387..c3c0d596f 100644
--- a/src/shared/bap.c
+++ b/src/shared/bap.c
@@ -958,10 +958,14 @@ static void stream_notify_metadata(struct bt_bap_stream *stream)
struct bt_ascs_ase_status *status;
struct bt_ascs_ase_status_metadata *meta;
size_t len;
+ size_t meta_len = 0;

DBG(stream->bap, "stream %p", stream);

- len = sizeof(*status) + sizeof(*meta) + sizeof(stream->meta->iov_len);
+ if (stream->meta)
+ meta_len = stream->meta->iov_len;
+
+ len = sizeof(*status) + sizeof(*meta) + meta_len;
status = malloc(len);

memset(status, 0, len);
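Review bot: the `malloc(len)` right after the new length computation is still unchecked before `memset(status, 0, len)`; a NULL return here dereferences NULL, so either add the check or use the allocator wrapper the rest of src/shared uses. The new `if (stream->meta)` guard fixes only the length; any later copy of `stream->meta->iov_base` into the buffer (not in the visible context) must use this same `meta_len` so the allocation and the copy cannot diverge, and since the ASE metadata length is carried in a single byte, it is worth confirming that `iov_len` was bounded when it was stored. Please also spell out in the commit message that the old `sizeof(stream->meta->iov_len)` evaluated to `sizeof(size_t)` rather than the metadata length, which is the actual cause of the overwrite.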
@@ -1743,7 +1747,7 @@ static uint8_t ep_enable(struct bt_bap_endpoint *ep, struct bt_bap *bap,
return 0;
}

- return stream_enable(ep->stream, iov, rsp);
+ return stream_enable(ep->stream, &meta, rsp);
}

static uint8_t ascs_enable(struct bt_ascs *ascs, struct bt_bap *bap,
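Review bot: the declaration and population of `meta` are outside the shown context, so this hunk does not by itself establish that `&meta` points only at the received metadata bytes with `iov_len` already validated against the PDU length; please include that setup in the context or describe it in the commit message, which currently says only "This also fixes storing metadata to stream structure" without explaining why passing `iov` was wrong. As this is independent of the stream_notify_metadata length bug, it would also be cleaner as its own patch with its own explanation.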
--
2.25.1
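The length bug the commit message describes, shown as an added example that is not BlueZ code: the struct layouts, the `stream` type and the sample metadata are constructed stand-ins for this illustration, chosen only so that the header sizes are fixed. The point it demonstrates is that `sizeof(x->iov_len)` is a compile-time constant equal to `sizeof(size_t)` and never grows with the metadata, so any metadata longer than eight bytes is copied past the end of the buffer, whereas reading `iov_len` (guarded for a NULL `meta`) sizes the buffer correctly; the builder also checks the allocation and refuses metadata that would not fit the one-byte length field.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/uio.h>

/* Hypothetical stand-ins for the ASE status header and its metadata
 * sub-header; the layout is constructed for this example only and is not
 * the BlueZ definition. Both structs are all-uint8_t, so no padding. */
struct ase_status {
	uint8_t id;
	uint8_t state;
};

struct ase_status_metadata {
	uint8_t cig_id;
	uint8_t cis_id;
	uint8_t len;		/* metadata length fits in one byte */
};

struct stream {
	struct iovec *meta;	/* NULL when no metadata has been stored */
};

/* Length as the pre-patch code computed it. sizeof() of the iov_len field
 * is sizeof(size_t) at compile time; it never reflects the metadata size
 * and does not even dereference meta, so a NULL meta goes unnoticed. */
size_t notify_len_buggy(const struct stream *s)
{
	return sizeof(struct ase_status) + sizeof(struct ase_status_metadata) +
		sizeof(s->meta->iov_len);
}

/* Length as the patch computes it: the real byte count, or 0 when absent. */
size_t notify_len_fixed(const struct stream *s)
{
	size_t meta_len = 0;

	if (s->meta)
		meta_len = s->meta->iov_len;

	return sizeof(struct ase_status) + sizeof(struct ase_status_metadata) +
		meta_len;
}

/* Build the notification buffer. Returns NULL (and leaves *out_len untouched)
 * if the metadata cannot be encoded in the one-byte length field or if the
 * allocation fails; the caller frees the result. */
uint8_t *build_notify(const struct stream *s, size_t *out_len)
{
	size_t meta_len = s->meta ? s->meta->iov_len : 0;
	size_t hdr = sizeof(struct ase_status) + sizeof(struct ase_status_metadata);
	size_t len;
	uint8_t *buf;
	struct ase_status_metadata *m;

	if (meta_len > UINT8_MAX)
		return NULL;

	len = notify_len_fixed(s);
	buf = malloc(len);
	if (!buf)
		return NULL;

	memset(buf, 0, len);
	m = (struct ase_status_metadata *)(buf + sizeof(struct ase_status));
	m->len = (uint8_t)meta_len;
	if (meta_len)
		memcpy(buf + hdr, s->meta->iov_base, meta_len);

	*out_len = len;
	return buf;
}

/* Constructed sample: 20 bytes of metadata, which exceeds sizeof(size_t) on
 * every common ABI and is exactly the case the commit message describes. */
static uint8_t sample_meta[20] = { 0x03, 0x02, 0x01, 0x02 };
static struct iovec sample_iov = {
	.iov_base = sample_meta,
	.iov_len = sizeof(sample_meta),
};
struct stream sample_stream = { .meta = &sample_iov };
struct stream empty_stream = { .meta = NULL };

/* Returns 1 when the fixed builder reproduces the sample metadata intact
 * (correct total length, correct length byte, bytes copied verbatim). */
int check_sample_roundtrip(void)
{
	size_t len = 0;
	uint8_t *buf = build_notify(&sample_stream, &len);
	int ok = buf && len == notify_len_fixed(&sample_stream) &&
		buf[sizeof(struct ase_status) + 2] == sizeof(sample_meta) &&
		memcmp(buf + 5, sample_meta, sizeof(sample_meta)) == 0;

	free(buf);
	return ok;
}
```

With the 20-byte sample, `notify_len_buggy()` returns 5 + sizeof(size_t) (13 on a 64-bit build) while `notify_len_fixed()` returns 25, so the old code would allocate 13 bytes and then copy 20 bytes of metadata after a 5-byte header; that 12-byte heap overwrite is what crashed bluetoothd.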

2022-10-07 15:48:16

by bluez.test.bot

Subject: RE: Bug Fix for Memory overwrite

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=683730

---Test result---

Test Summary:
CheckPatch PASS 1.08 seconds
GitLint FAIL 0.80 seconds
Prep - Setup ELL PASS 31.61 seconds
Build - Prep PASS 0.92 seconds
Build - Configure PASS 10.17 seconds
Build - Make PASS 1137.58 seconds
Make Check PASS 12.56 seconds
Make Check w/Valgrind PASS 342.61 seconds
Make Distcheck PASS 281.81 seconds
Build w/ext ELL - Configure PASS 10.11 seconds
Build w/ext ELL - Make PASS 103.11 seconds
Incremental Build w/ patches PASS 0.00 seconds
Scan Build PASS 675.30 seconds

Details
##############################
Test: GitLint - FAIL
Desc: Run gitlint with rule in .gitlint
Output:
[BlueZ,1/1] shared/bap: Fix handling memory overwrite during ASE Enable Operation
1: T1 Title exceeds max length (81>80): "[BlueZ,1/1] shared/bap: Fix handling memory overwrite during ASE Enable Operation"
---
Regards,
Linux Bluetooth