This patch fixes a problem with reading data from outside the array range in
the function used to create the EIR response.
---
src/adapter.c | 2 +-
src/sdpd-service.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/adapter.c b/src/adapter.c
index 73ea6e4..bf32e19 100644
--- a/src/adapter.c
+++ b/src/adapter.c
@@ -205,7 +205,7 @@ static void dev_info_free(struct remote_dev_info *dev)
static void update_ext_inquiry_response(struct btd_adapter *adapter)
{
- uint8_t data[240];
+ uint8_t data[242];
struct hci_dev *dev = &adapter->dev;
int ret;
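Review bot: Growing `data` from 240 to 242 bytes in update_ext_inquiry_response() does not match the stated purpose of the patch (an out-of-range read in the EIR generation code) and conflicts with the 240-byte EIR data field the core spec defines; if a write past the end of `data` was observed, the code filling the buffer should be bounded to 240 bytes rather than the buffer enlarged. Either drop this hunk or explain in the commit message why two extra bytes are required.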
diff --git a/src/sdpd-service.c b/src/sdpd-service.c
index 26ab9a5..67dd9af 100644
--- a/src/sdpd-service.c
+++ b/src/sdpd-service.c
@@ -204,7 +204,7 @@ static void eir_generate_uuid128(sdp_list_t *list,
for (i = 0; i < index; i++) {
for (k = 0; k < SIZEOF_UUID128; k++) {
if (uuid128[i * SIZEOF_UUID128 + k] !=
- uuid128_data[SIZEOF_UUID128 - k])
+ uuid128_data[SIZEOF_UUID128 - 1 - k])
break;
}
if (k == SIZEOF_UUID128)
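Review bot: The index fix is correct, but the commit message should say what it fixes: with k running from 0 to SIZEOF_UUID128 - 1, the old expression `uuid128_data[SIZEOF_UUID128 - k]` reads one element past the end of uuid128_data at k == 0 and never compares its first byte, so the reversed-order comparison against `uuid128[i * SIZEOF_UUID128 + k]` was both an out-of-bounds read and logically wrong; `uuid128_data[SIZEOF_UUID128 - 1 - k]` walks from the last byte down to byte 0 as intended.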
--
1.7.0.4
Hi Lukasz,
On Fri, Oct 08, 2010, Lukasz Pawlik wrote:
> Attaching patch without change in src/adapter.c file.
Thanks. The patch is now upstream.
Johan
Attaching patch without change in src/adapter.c file.
Lukasz Pawlik
2010/10/6 Lukasz Pawlik <[email protected]>:
> Hi,
>
> Sorry. My bad. It was never my intention to change src/adapter.c. I've
> prepared two patches with the same name and of course sent the wrong
> one. The problem with the invalid read is fixed by the change made in the
> src/sdpd-service.c file.
>
> Lukasz
>
> 2010/10/6 Johan Hedberg <[email protected]>:
>> Hi Lukasz,
>>
>> On Wed, Oct 06, 2010, Lukasz Pawlik wrote:
>>> This patch fixes a problem with reading data from outside the array range in
>>> the function used to create the EIR response.
>>
>> You'll need to explain in more detail exactly what was wrong with the
>> old code and how your patch fixes it (and why it is the correct fix).
>>
>>> - uint8_t data[240];
>>> + uint8_t data[242];
>>
>> Why 242? The core spec defines the EIR data as a 240 byte field.
>>
>>> - uuid128_data[SIZEOF_UUID128 - k])
>>> + uuid128_data[SIZEOF_UUID128 - 1 - k])
>>
>> This change looks fine (the index of the last byte is sizeof(uuid128) - 1).
>>
>> Johan
>>
>
Hi,
Sorry. My bad. It was never my intention to change src/adapter.c. I've
prepared two patches with the same name and of course sent the wrong
one. The problem with the invalid read is fixed by the change made in the
src/sdpd-service.c file.
Lukasz
2010/10/6 Johan Hedberg <[email protected]>:
> Hi Lukasz,
>
> On Wed, Oct 06, 2010, Lukasz Pawlik wrote:
>> This patch fixes a problem with reading data from outside the array range in
>> the function used to create the EIR response.
>
> You'll need to explain in more detail exactly what was wrong with the
> old code and how your patch fixes it (and why it is the correct fix).
>
>> - uint8_t data[240];
>> + uint8_t data[242];
>
> Why 242? The core spec defines the EIR data as a 240 byte field.
>
>> - uuid128_data[SIZEOF_UUID128 - k])
>> + uuid128_data[SIZEOF_UUID128 - 1 - k])
>
> This change looks fine (the index of the last byte is sizeof(uuid128) - 1).
>
> Johan
>
Hi Lukasz,
On Wed, Oct 06, 2010, Lukasz Pawlik wrote:
> This patch fixes a problem with reading data from outside the array range in
> the function used to create the EIR response.
You'll need to explain in more detail exactly what was wrong with the
old code and how your patch fixes it (and why it is the correct fix).
> - uint8_t data[240];
> + uint8_t data[242];
Why 242? The core spec defines the EIR data as a 240 byte field.
> - uuid128_data[SIZEOF_UUID128 - k])
> + uuid128_data[SIZEOF_UUID128 - 1 - k])
This change looks fine (the index of the last byte is sizeof(uuid128) - 1).
Johan