From: Benjamin Berg
To: linux-bluetooth@vger.kernel.org
Cc: Benjamin Berg
Subject: [PATCH] rfkill: Fix reading from rfkill socket
Date: Mon, 3 May 2021 15:12:10 +0200
Message-Id: <20210503131210.90066-1-benjamin@sipsolutions.net>

From: Benjamin Berg The kernel will always send exactly one event, but the size of the passed struct will depend on the length of the submitted read() and the kernel version. i.e. the interface can be extended and we need to expect for a read to be longer than expected if we ask for it. Fix this by only requesting the needed length and explicitly check the length against the V1 version of the structure to make the code a bit more future proof in case the internal copy of the struct is updated to contain new fields. --- src/rfkill.c | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/src/rfkill.c b/src/rfkill.c index ec9fcdfdd..2099c5ac5 100644 --- a/src/rfkill.c +++ b/src/rfkill.c @@ -53,12 +53,12 @@ struct rfkill_event { uint8_t soft; uint8_t hard; }; +#define RFKILL_EVENT_SIZE_V1 8 static gboolean rfkill_event(GIOChannel *chan, GIOCondition cond, gpointer data) { - unsigned char buf[32]; - struct rfkill_event *event = (void *) buf; + struct rfkill_event event = { 0 }; struct btd_adapter *adapter; char sysname[PATH_MAX]; ssize_t len; 
@@ -69,34 +69,32 @@ static gboolean rfkill_event(GIOChannel *chan, fd = g_io_channel_unix_get_fd(chan); - memset(buf, 0, sizeof(buf)); - - len = read(fd, buf, sizeof(buf)); + len = read(fd, &event, sizeof(event)); if (len < 0) { if (errno == EAGAIN) return TRUE; return FALSE; } - if (len != sizeof(struct rfkill_event)) + if (len < RFKILL_EVENT_SIZE_V1) return TRUE; DBG("RFKILL event idx %u type %u op %u soft %u hard %u", - event->idx, event->type, event->op, - event->soft, event->hard); + event.idx, event.type, event.op, + event.soft, event.hard); - if (event->soft || event->hard) + if (event.soft || event.hard) return TRUE; - if (event->op != RFKILL_OP_CHANGE) + if (event.op != RFKILL_OP_CHANGE) return TRUE; - if (event->type != RFKILL_TYPE_BLUETOOTH && - event->type != RFKILL_TYPE_ALL) + if (event.type != RFKILL_TYPE_BLUETOOTH && + event.type != RFKILL_TYPE_ALL) return TRUE; snprintf(sysname, sizeof(sysname) - 1, - "/sys/class/rfkill/rfkill%u/name", event->idx); + "/sys/class/rfkill/rfkill%u/name", event.idx); fd = open(sysname, O_RDONLY); if (fd < 0) -- 2.31.1
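Review bot: In the first hunk, `#define RFKILL_EVENT_SIZE_V1 8` is a bare number with nothing tying it to the `struct rfkill_event` defined directly above it. Please add a short comment saying that 8 is the size of the original (V1) event layout, and a compile-time check that `sizeof(struct rfkill_event)` is at least `RFKILL_EVENT_SIZE_V1`. Without that, a later edit to the local struct could leave the minimum accepted length larger than the buffer handed to `read()`, and the length check in the second hunk would then reject every event.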
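Review bot: In the second hunk, `if (len < RFKILL_EVENT_SIZE_V1) return TRUE;` only guarantees that the V1 fields were filled, while `read(fd, &event, sizeof(event))` asks for the whole local struct. Once the struct grows, as the commit message anticipates, an older kernel will return fewer bytes and the new fields will keep the zeros from `struct rfkill_event event = { 0 };`, which cannot be told apart from a real zero value. A comment at the check should say that any field beyond the V1 layout must be validated against `len` before use. The short-read path also returns silently; a `DBG()` with the received length there would make a truncated event visible when debugging.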