Return-Path: 
Date: Thu, 11 Nov 2010 23:00:32 +0200
From: Johan Hedberg 
To: Luiz Augusto von Dentz 
Cc: Vinicius Costa Gomes , linux-bluetooth@vger.kernel.org, Bruna Moreira 
Subject: Re: [PATCH v2 1/7] Fix invalid memory access when EIR field length is zero
Message-ID: <20101111210032.GA24514@jh-x301>
References: <1289501521-21825-1-git-send-email-vinicius.gomes@openbossa.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
In-Reply-To: 
Sender: linux-bluetooth-owner@vger.kernel.org
List-ID: 

Hi Luiz,

On Thu, Nov 11, 2010, Luiz Augusto von Dentz wrote:
> > ? ? ? ?while (len < EIR_DATA_LENGTH - 1) {
> > - ? ? ? ? ? ? ? uint8_t type = eir_data[1];
> > ? ? ? ? ? ? ? ?uint8_t field_len = eir_data[0];
> >
> > ? ? ? ? ? ? ? ?/* Check for the end of EIR */
> > ? ? ? ? ? ? ? ?if (field_len == 0)
> > ? ? ? ? ? ? ? ? ? ? ? ?break;
> >
> > - ? ? ? ? ? ? ? switch (type) {
> > + ? ? ? ? ? ? ? switch (eir_data[1]) {
> > ? ? ? ? ? ? ? ?case EIR_UUID16_SOME:
> > ? ? ? ? ? ? ? ?case EIR_UUID16_ALL:
> > ? ? ? ? ? ? ? ? ? ? ? ?uuid16_count = field_len / 2;
>
> IMO type is easier to understand here, we just need to initialize it
> later after the length check.

True, however I wasn't bothered enough about this and went ahead and
pushed the patch anyway upstream. If someone feels like it, feel free to
reintroduce the variable ;)

Johan
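Review bot: Replacing `uint8_t type = eir_data[1];` with `switch (eir_data[1])` does move the read of the type byte behind the `field_len == 0` check, which is the actual fix, but the readability point stands: declare `uint8_t type = eir_data[1];` immediately after the `break;` and keep `switch (type)`, so the variable name survives and the ordering of the check is still explicit. Separately, the only bound visible in the hunk is the loop condition `len < EIR_DATA_LENGTH - 1`, which guards the length byte, not the field body; worth confirming that wherever `len`/`eir_data` is advanced (outside this hunk) the code rejects `field_len` values for which `len + field_len + 1 > EIR_DATA_LENGTH` before the `EIR_UUID16_SOME`/`EIR_UUID16_ALL` case (`uuid16_count = field_len / 2;`) consumes `field_len` bytes.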
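As an added illustration, not BlueZ code and not part of this thread: a stand-alone EIR walker in C that applies the ordering the patch establishes (the type byte is read only after the zero-length terminator check) and adds the bounds check on the declared field length that the quoted hunk does not show. EIR_DATA_LENGTH and the EIR_* type values follow the BlueZ/Bluetooth assigned numbers; the sample blobs are constructed here, and eir_parse, struct eir_info, sample_* and parse_result are names chosen for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* EIR constants as used by BlueZ / Bluetooth assigned numbers. */
#define EIR_DATA_LENGTH   240
#define EIR_UUID16_SOME   0x02
#define EIR_UUID16_ALL    0x03
#define EIR_NAME_SHORT    0x08
#define EIR_NAME_COMPLETE 0x09

struct eir_info {
	size_t uuid16_count;             /* number of 16-bit UUIDs seen */
	char name[EIR_DATA_LENGTH + 1];  /* device name, NUL-terminated */
};

/*
 * Walk the length/type/payload fields of an EIR blob.
 * Returns the number of fields consumed, or -1 if a field's declared
 * length would run past eir_len.  Order of the checks matters: the
 * length byte is read only while it lies inside the buffer, the type
 * byte only after the zero-length terminator test and the bounds test,
 * so a blob ending in a single 0x00 never touches eir_data[offset + 1].
 */
int eir_parse(const uint8_t *eir_data, size_t eir_len, struct eir_info *info)
{
	size_t offset = 0;
	int fields = 0;

	memset(info, 0, sizeof(*info));

	while (offset < eir_len) {
		uint8_t field_len = eir_data[offset];

		/* Check for the end of EIR */
		if (field_len == 0)
			break;

		/* The field occupies field_len + 1 bytes from offset;
		 * eir_len - offset - 1 cannot underflow since offset < eir_len. */
		if (field_len > eir_len - offset - 1)
			return -1;

		uint8_t type = eir_data[offset + 1];
		const uint8_t *payload = &eir_data[offset + 2];
		size_t payload_len = field_len - 1;   /* field_len >= 1 here */

		switch (type) {
		case EIR_UUID16_SOME:
		case EIR_UUID16_ALL:
			info->uuid16_count += payload_len / 2;
			break;
		case EIR_NAME_SHORT:
		case EIR_NAME_COMPLETE:
			/* Clamp so a caller buffer larger than EIR_DATA_LENGTH
			 * still cannot overflow name[]. */
			if (payload_len > EIR_DATA_LENGTH)
				payload_len = EIR_DATA_LENGTH;
			memcpy(info->name, payload, payload_len);
			info->name[payload_len] = '\0';
			break;
		default:
			break;
		}

		offset += field_len + 1;
		fields++;
	}

	return fields;
}

/* Constructed sample inputs (not from the patch or from a real device). */
static const uint8_t sample_eir[] = {
	0x03, EIR_UUID16_ALL, 0x0D, 0x18,            /* one 16-bit UUID, 0x180D */
	0x05, EIR_NAME_COMPLETE, 'T', 'e', 's', 't',
	0x00                                         /* end of EIR */
};
static const uint8_t only_terminator[] = { 0x00 };        /* the case the patch fixes */
static const uint8_t lone_length_byte[] = { 0x05 };       /* claims 5 bytes, has none */
static const uint8_t overlong_name[] = { 0x10, EIR_NAME_COMPLETE, 'x' };

int sample_field_count(void)
{
	struct eir_info info;
	return eir_parse(sample_eir, sizeof(sample_eir), &info);
}

size_t sample_uuid16_count(void)
{
	struct eir_info info;
	eir_parse(sample_eir, sizeof(sample_eir), &info);
	return info.uuid16_count;
}

int sample_name_is(const char *expected)
{
	struct eir_info info;
	eir_parse(sample_eir, sizeof(sample_eir), &info);
	return strcmp(info.name, expected) == 0;
}

int parse_result(const uint8_t *buf, size_t len)
{
	struct eir_info info;
	return eir_parse(buf, len, &info);
}

int main(void)
{
	printf("sample: %d fields, %zu uuid16, name ok=%d\n",
	       sample_field_count(), sample_uuid16_count(), sample_name_is("Test"));
	printf("terminator only: %d, lone length byte: %d, overlong name: %d\n",
	       parse_result(only_terminator, sizeof(only_terminator)),
	       parse_result(lone_length_byte, sizeof(lone_length_byte)),
	       parse_result(overlong_name, sizeof(overlong_name)));
	return 0;
}
```

The lone_length_byte case is the one the thread's original code would mishandle: with a single nonzero byte, reading eir_data[1] before the bounds test reads past the buffer; here the declared length is rejected before the type byte is touched.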