MIME-Version: 1.0
In-Reply-To: <1469795647-9372-1-git-send-email-michal.narajowski@codecoup.pl>
References: <1469795647-9372-1-git-send-email-michal.narajowski@codecoup.pl>
From: Luiz Augusto von Dentz
Date: Fri, 12 Aug 2016 22:51:57 +0300
Subject: Re: [PATCH BlueZ v2] monitor/l2cap: Fix buffer overflow when printing UUIDs
To: Michał Narajowski
Cc: "linux-bluetooth@vger.kernel.org"
Content-Type: text/plain; charset=UTF-8
Sender: linux-bluetooth-owner@vger.kernel.org

Hi Michał,

On Fri, Jul 29, 2016 at 3:34 PM, Michał Narajowski wrote:
>> ACL Data RX: Handle 76 flags 0x02 dlen 18                [hci0] 22.985107
>       ATT: Read By Group Type Response (0x11) len 13
>         Attribute data length: 6
>         Attribute group list: 2 entries
>         Handle range: 0x0001-0x0007
>         UUID: Generic Access Profile (0x1800)
>         Handle range: 0x0008-0x000b
>         UUID: Generic Attribute Profile (0x1801)
> < ACL Data TX: Handle 76 flags 0x00 dlen 11                [hci0] 22.985304
>       ATT: Read By Group Type Request (0x10) len 6
>         Handle range: 0x000c-0xffff
>         Attribute group type: Primary Service (0x2800)
>> HCI Event: Number of Completed Packets (0x13) plen 5      [hci0] 23.051113
>         Num handles: 1
>         Handle: 76
>         Count: 1
>> ACL Data RX: Handle 76 flags 0x02 dlen 26                [hci0] 23.115103
>       ATT: Read By Group Type Response (0x11) len 21
>         Attribute data length: 20
>         Attribute group list: 1 entry
>         Handle range: 0x000c-0x0010
> *** buffer overflow detected ***: monitor/btmon terminated
>
> ==14384== Process terminating with default action of signal 6 (SIGABRT)
> ==14384==    at 0x4E6F418: raise (raise.c:54)
> ==14384==    by 0x4E71019: abort (abort.c:89)
> ==14384==    by 0x4EB1729: __libc_message (libc_fatal.c:175)
> ==14384==    by 0x4F5289B: __fortify_fail (fortify_fail.c:37)
> ==14384==    by 0x4F5089F: __chk_fail (chk_fail.c:28)
> ==14384==    by 0x4F4FE08: _IO_str_chk_overflow (vsprintf_chk.c:31)
> ==14384==    by 0x4EB55DF: _IO_default_xsputn (genops.c:455)
> ==14384==    by 0x4E87DBF: vfprintf (vfprintf.c:1631)
> ==14384==    by 0x4F4FE93: __vsprintf_chk (vsprintf_chk.c:82)
> ==14384==    by 0x4F4FDEC: __sprintf_chk (sprintf_chk.c:31)
> ==14384==    by 0x422826: sprintf (stdio2.h:33)
> ==14384==    by 0x422826: print_uuid (l2cap.c:2014)
> ==14384==    by 0x423373: print_group_list (l2cap.c:2334)
> ==14384==    by 0x423373: att_read_group_type_rsp (l2cap.c:2348)
> ---
>  monitor/l2cap.c | 2 +-
>  monitor/uuid.h  | 2 ++
>  2 files changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/monitor/l2cap.c b/monitor/l2cap.c
> index 59a3206..f4b54af 100644
> --- a/monitor/l2cap.c
> +++ b/monitor/l2cap.c
> @@ -1999,7 +1999,7 @@ static void print_hex_field(const char *label, const uint8_t *data,
>  static void print_uuid(const char *label, const void *data, uint16_t size)
>  {
>  	const char *str;
> -	char uuidstr[36];
> +	char uuidstr[MAX_LEN_UUID_STR];
>
>  	switch (size) {
>  	case 2:
> diff --git a/monitor/uuid.h b/monitor/uuid.h
> index 6ffc0ee..22d2363 100644
> --- a/monitor/uuid.h
> +++ b/monitor/uuid.h
> @@ -24,6 +24,8 @@
>
>  #include
>
> +#define MAX_LEN_UUID_STR 37
> +
>  const char *uuid16_to_str(uint16_t uuid);
>  const char *uuid32_to_str(uint32_t uuid);
>  const char *uuidstr_to_str(const char *uuid);
> --
> 2.7.4

Applied, thanks.

--
Luiz Augusto von Dentz
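Review bot: in the monitor/l2cap.c hunk, resizing to MAX_LEN_UUID_STR removes the overflow the backtrace shows (__sprintf_chk called from print_uuid at l2cap.c:2014), but the buffer is still handed to a length-unchecked sprintf(), so the fix only holds while the constant stays in step with the format string; changing that call to snprintf(uuidstr, sizeof(uuidstr), ...) would turn any future mismatch into truncation rather than a FORTIFY abort. The trace in the commit message also pins down the triggering record: an attribute data length of 20 with a 4-byte handle range (0x000c-0x0010) leaves a 16-byte UUID, whose 36-character text form plus the NUL sprintf() writes needs 37 bytes, one more than the old char uuidstr[36].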
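Review bot: in the monitor/uuid.h hunk, the new #define MAX_LEN_UUID_STR 37 carries no comment saying where 37 comes from (32 hex digits + 4 hyphens + terminating NUL), and the name reads as a string length while the value is a buffer size including the terminator; a one-line comment, or a name such as UUID_STR_SIZE, would stop the next reader from "correcting" it back to 36. The diffstat shows only the one-line change in l2cap.c, so the patch relies on that file already including uuid.h; a sentence in the commit message would make that explicit.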
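The off-by-one behind this crash, as an added example that is not BlueZ code and not the applied patch: a UUID in canonical 8-4-4-4-12 form is 36 characters, and sprintf() always appends a NUL, so a 36-byte buffer is exactly one byte short. The example formats a 2- or 16-byte ATT attribute UUID with snprintf() and uses its return value to detect truncation, which is the hardening suggested above rather than what the patch does. The little-endian byte order, the field layout of the format string, and the sample UUID (the 128-bit form of the Generic Access Profile UUID, built here by hand) are assumptions of this example, not taken from the mail.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Canonical UUID text is 8-4-4-4-12 hex digits: 32 digits + 4 hyphens.
 * The buffer must also hold the NUL that sprintf()/snprintf() write,
 * which is the byte the original char uuidstr[36] lacked. */
#define UUID_STR_LEN  36
#define UUID_STR_SIZE (UUID_STR_LEN + 1)

static uint16_t get_le16(const uint8_t *p)
{
	return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t get_le32(const uint8_t *p)
{
	return (uint32_t)get_le16(p) | ((uint32_t)get_le16(p + 2) << 16);
}

/*
 * Format an attribute UUID (2 or 16 bytes, little-endian as assumed on the
 * ATT wire) into out[]. Returns the number of characters the complete
 * string needs, not counting the NUL, or -1 for an unsupported size.
 * out[] is only complete when the return value is < outlen; otherwise
 * snprintf() truncated, where sprintf() would have written past the end.
 */
int uuid_to_str(const uint8_t *data, uint16_t size, char *out, size_t outlen)
{
	switch (size) {
	case 2:
		return snprintf(out, outlen, "%4.4x", get_le16(data));
	case 16:
		/* Most significant group first; bytes 12..15 are time_low. */
		return snprintf(out, outlen, "%8.8x-%4.4x-%4.4x-%4.4x-%8.8x%4.4x",
				get_le32(data + 12), get_le16(data + 10),
				get_le16(data + 8), get_le16(data + 6),
				get_le32(data + 2), get_le16(data));
	default:
		return -1;
	}
}

/* True only when the whole UUID string, NUL included, fit into out[]. */
bool uuid_to_str_fits(const uint8_t *data, uint16_t size, char *out,
		      size_t outlen)
{
	int n = uuid_to_str(data, size, out, outlen);

	return n >= 0 && (size_t)n < outlen;
}

/* Constructed sample (not from the trace): 00001800-0000-1000-8000-00805f9b34fb,
 * the 128-bit form of the Generic Access Profile UUID, in little-endian order. */
static const uint8_t sample_uuid128[16] = {
	0xfb, 0x34, 0x9b, 0x5f, 0x80, 0x00, 0x00, 0x80,
	0x00, 0x10, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00,
};

int main(void)
{
	char small[UUID_STR_LEN];	/* the pre-fix size: one byte short */
	char right[UUID_STR_SIZE];

	if (!uuid_to_str_fits(sample_uuid128, 16, small, sizeof(small)))
		printf("%zu-byte buffer: truncated to \"%s\"\n",
		       sizeof(small), small);
	if (uuid_to_str_fits(sample_uuid128, 16, right, sizeof(right)))
		printf("%zu-byte buffer: \"%s\"\n", sizeof(right), right);
	return 0;
}
```

With the 36-byte buffer the call reports 36 characters needed and leaves a 35-character string, which is the same byte count the unchecked sprintf() wrote one past the end of; with 37 bytes the full UUID fits.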