Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp915446pxj; Fri, 11 Jun 2021 15:18:01 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzSR7PQ/NbY9ZM5YMPaVOnXZPzwGSeFdHCnQgEoZJwXZgUTOB6Foy0Nb0Q+stR6RzyikPdE X-Received: by 2002:a50:ee18:: with SMTP id g24mr5849075eds.11.1623449880790; Fri, 11 Jun 2021 15:18:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1623449880; cv=none; d=google.com; s=arc-20160816; b=rCUJuUcw2rcIlu/lLW0uNhPBuqAdnGAuRMAHU7g34GTZsOIrjL/HdeFBJCSA5WFNXj KHU72/zAQ3R/OtfpCwdeliio2si36YCtTnHubjq3S8cco1Whj3iGrJnsLh3GpIqQpCnl IOIj1jiIWHgNGLtcupp4yBW/8BAVS6UCb9W0leD90UnuUTpbCvvkVi2uil3Ny3z/pCu9 lUQ5c/irbEil2r/DuBWbts+au1+DEH9Rr+6kZY6vLJPLWLPOvOx1fgtI+/DN6E8KYWOc PDk61svY6K2XdXlTnIEtmEJlrIO3DvJ6T9/gZC9ftHMFdMZzC9DPmxwlXBPeQltIZH7+ ZD0g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=0rCHhAsGLCgsxBu4NS8eS34kTv5wY4x3bvnFh7VmHjQ=; b=jV6UhMTkQxai7Lz/xruPNEnveoudwd+ZhOQTVEoZbDDT53jGa/bzO2MjzElWOg+YzU Yg6bChFyu6GtAbtsObpXy+9Xgr94mYXC7R3ERGRk13EH1IfZVe1eAx9BxNyrSbBcrqww 7NHV3vf352+aubzTbDIrqlrk8fESEy1JRFcIGNJcW9Q2DtalCvnf80YBTSy9Yke0x/3H eioD4dFZKCULKtAnckShLAIZdI5IW4fZSy9AzNMEhSSei9woHNvYdjksRAOutEtT1wfT 4NtEvrREl5OG9r7bv7C4zQozYxWMhBanMjgYO8GO99isWifg/UhgnblUM4sfgmBi6Ef8 TUWw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=YtGuFaxk; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id yh29si2875566ejb.592.2021.06.11.15.17.19; Fri, 11 Jun 2021 15:18:00 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=YtGuFaxk; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229931AbhFKWQQ (ORCPT + 99 others); Fri, 11 Jun 2021 18:16:16 -0400 Received: from mail-yb1-f174.google.com ([209.85.219.174]:41591 "EHLO mail-yb1-f174.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229777AbhFKWQP (ORCPT ); Fri, 11 Jun 2021 18:16:15 -0400 Received: by mail-yb1-f174.google.com with SMTP id q21so6340049ybg.8 for ; Fri, 11 Jun 2021 15:14:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=0rCHhAsGLCgsxBu4NS8eS34kTv5wY4x3bvnFh7VmHjQ=; b=YtGuFaxkik0i5o8PRje7O7h/gqRjN5huUo7OWosMT3LqvGoZygEzWAMXKdOpaH34XW j7ThaFQSO0ubCzYzdG5eJZsCwuCxlTMYM5H1J0JiOWguKtRqnUKkgo3r4nqCI4dDaYDO 0C8vXnOhLThHmdM+Vio27vTw5BIAyZJV8GQFLmtP844alPxOqdIQ7glwGKy8WPZzPT0x yg/TX+u+jP08mYxORjrNDhPrAhQITF/zSHSTl9E1GV4s7ZIwkkLvGGHVm8zS+VXoG7s4 YQOyvqsdTl9eTotB/G78jQ0CWKQVIkjIM4HyzvGbl+Dia9QitEW/ugSU1XcbHiExNjaG pHEA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=0rCHhAsGLCgsxBu4NS8eS34kTv5wY4x3bvnFh7VmHjQ=; b=MDC3yBrOIp720gQGTvzVsvygwRNxa7bqFsX40s1FRH17e8dy4ROBYpBZwDBKlmbvGy csTZc8rPxiCZIsb5y1QWnjPDlyjEyxbTdHNBKCnaNPovDaX7gpzJliC8iM26Xc1nY0Z7 0wsY6CrQQfsgmWfNnehZB091SS5D3Y+BHAYXYLymvAWynS1cv4p1SARz/IcZ/3wLEQ1D xCuVLxLrdkN36QsawToAW38qAhkxE+wvZWslPiHKgk/tamLf/+aQwVTaBaG9RNzXyjak qM8sNmCAOE1tNrNxJvqS0UifQ/bjmFaKsP7gMc0JeZWjqS7Z6BIWFz9ztKV8WCDETn68 ne4g== X-Gm-Message-State: AOAM532bFebZ82DyvSKZVnjK4ogYUjE8GjNcwO8glvoINaP1qi/pnRG4 JFItg9VmcpN9f3Ym4dFUxEpI3UWKcbX8QU1o4Uyo8r0l41liQw== X-Received: by 2002:a05:6902:102d:: with SMTP id x13mr9188722ybt.408.1623449596585; Fri, 11 Jun 2021 15:13:16 -0700 (PDT) MIME-Version: 1.0 References: <20210611122915.21068-1-surban@surban.net> In-Reply-To: <20210611122915.21068-1-surban@surban.net> From: Luiz Augusto von Dentz Date: Fri, 11 Jun 2021 15:13:05 -0700 Message-ID: Subject: Re: [PATCH BlueZ] gatt-server: Flush notify multiple buffer when full and fix overflow To: Sebastian Urban Cc: "linux-bluetooth@vger.kernel.org" Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org Hi Sebastian, On Fri, Jun 11, 2021 at 5:31 AM Sebastian Urban wrote: > > This fixes the calculation of available buffer space in > bt_gatt_server_send_notification and sends pending notifications > immediately when there is no more room to add a notification. > > Previously there was a buffer overflow caused by incorrect calculation > of available buffer space: data->offset can equal data->len > from a previous call to this function, leading > (data->len - data->offset) to underflow after data->offset += 2. > --- > src/shared/gatt-server.c | 23 +++++++++++++++++++---- > 1 file changed, 19 insertions(+), 4 deletions(-) > > diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c > index 970c35f94..d53efe782 100644 > --- a/src/shared/gatt-server.c > +++ b/src/shared/gatt-server.c > @@ -1700,20 +1700,35 @@ bool bt_gatt_server_send_notification(struct bt_gatt_server *server, > if (!server || (length && !value)) > return false; > > - if (multiple) > + if (multiple) { > data = server->nfy_mult; > > + /* flush buffered data if this request hits buffer size limit */ > + if (data && data->offset > 0 && > + data->len - data->offset < 4 + length) { > + if (server->nfy_mult->id) > + timeout_remove(server->nfy_mult->id); > + notify_multiple(server); > + data = NULL; > + } > + } > + > if (!data) { > data = new0(struct nfy_mult_data, 1); > data->len = bt_att_get_mtu(server->att) - 1; > data->pdu = malloc(data->len); > } > > + if (multiple) { > + if (data->len - data->offset < 4 + length) > + return false; > + } else { > + if (data->len - data->offset < 2 + length) > + return false; > + } We are missing free(data) when the code returns above, beside I think it is better to group the code in something like this: bool notify_append_le16(struct nfy_mult_data *data, uin16_t value) { if (data->offset + sizeof(value) > data->size) return false; put_le16(value, data->pdu + data->offset); data->offset += 2; return true; } So this can be called for both adding handle and length, it may also be cleaner to add a similar function but taking arbitrary length which will deal with checking if the data fits and memcpy. > + > put_le16(handle, data->pdu + data->offset); > data->offset += 2; > - > - length = MIN(data->len - data->offset, length); This was supposed to truncate the data if it was bigger than MTU, I'm not sure we shall remove this logic or this was actually intentional? > - > if (multiple) { > put_le16(length, data->pdu + data->offset); > data->offset += 2; > -- > 2.25.1 > -- Luiz Augusto von Dentz