From: Simon Mikuda
To: linux-bluetooth@vger.kernel.org
Cc: Simon Mikuda
Subject: [PATCH BlueZ 1/9] gatt-db: Fix crash during calculating hash from ATT handles
Date: Thu, 23 Mar 2023 11:38:27 +0100
Message-Id: <20230323103835.571037-2-simon.mikuda@streamunlimited.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20230323103835.571037-1-simon.mikuda@streamunlimited.com>
References: <20230323103835.571037-1-simon.mikuda@streamunlimited.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-0.2 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net
Precedence: bulk
List-ID:
X-Mailing-List: linux-bluetooth@vger.kernel.org

It happens when next_handle is lower than the discovered number of handles.

Found by PTS test case: GATT/CL/GAD/BC-01-C
---
 src/shared/gatt-db.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/src/shared/gatt-db.c b/src/shared/gatt-db.c
index b696fe33d..c9ffbfeed 100644
--- a/src/shared/gatt-db.c
+++ b/src/shared/gatt-db.c
@@ -297,6 +297,7 @@ static void handle_notify(void *data, void *user_data) struct hash_data { struct iovec *iov; uint16_t i; + size_t size; }; static void gen_hash_m(struct gatt_db_attribute *attr, void *user_data) @@ -327,7 +328,7 @@ static void gen_hash_m(struct gatt_db_attribute *attr, void *user_data) case GATT_CHARAC_AGREG_FMT_UUID: /* Allocate space for handle + type */ len = 2 + 2; - data = malloc(2 + 2 + attr->value_len); + data = malloc(2 + 2); put_le16(attr->handle, data); bt_uuid_to_le(&attr->uuid, data + 2); break;
@@ -335,6 +336,13 @@ static void gen_hash_m(struct gatt_db_attribute *attr, void *user_data) return; } + if (hash->i >= hash->size) { + /* double the size of iov if we've run out of space */ + hash->iov = realloc(hash->iov, 2 * hash->size * sizeof(struct iovec)); + memset(hash->iov + hash->size, 0, hash->size * sizeof(struct iovec)); + hash->size *= 2; + } + hash->iov[hash->i].iov_base = data; hash->iov[hash->i].iov_len = len; @@ -361,9 +369,10 @@ static bool db_hash_update(void *user_data) hash.iov = new0(struct iovec, db->next_handle); hash.i = 0; + hash.size = db->next_handle; gatt_db_foreach_service(db, NULL, service_gen_hash_m, &hash); - bt_crypto_gatt_hash(db->crypto, hash.iov, db->next_handle, db->hash); + bt_crypto_gatt_hash(db->crypto, hash.iov, hash.i, db->hash); for (i = 0; i < hash.i; i++) free(hash.iov[i].iov_base); -- 2.34.1
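Review bot: the allocation change in the @@ -327,7 +328,7 @@ hunk (GATT_CHARAC_AGREG_FMT_UUID case) is unrelated to the crash named in the subject and deserves its own patch with its own explanation; shrinking `malloc(2 + 2 + attr->value_len)` to `malloc(2 + 2)` looks correct on its own, since the comment and `len = 2 + 2` show only handle plus type are written into `data`, but mixing it into a crash fix makes bisecting harder. While touching that line, note that neither the old nor the new version checks the `malloc` result before `put_le16(attr->handle, data)` writes through it; if nothing in the surrounding code aborts on allocation failure, add a NULL check and `return`.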
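Review bot: the `realloc` in the @@ -335,6 +336,13 @@ hunk assigns straight into `hash->iov` without checking for NULL, so an allocation failure overwrites the only pointer to the old array (leaking it and every `iov_base` it already holds) and the next line, `memset(hash->iov + hash->size, 0, ...)`, writes through a NULL-based pointer. Grow through a temporary and release the `data` buffer allocated just above on the failure path, e.g. `struct iovec *iov = realloc(hash->iov, 2 * hash->size * sizeof(*iov)); if (!iov) { free(data); return; } hash->iov = iov;`. This bounds check is the actual fix: before it, `hash->iov[hash->i].iov_base = data` indexed an array sized by `db->next_handle` with no bound, a heap out-of-bounds write whenever more attributes were hashed than `next_handle` allowed for, so the commit message should say "heap buffer overflow" rather than only "crash".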
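Review bot: in the @@ -361,9 +369,10 @@ hunk, `hash.size = db->next_handle` seeds the doubling in `gen_hash_m`, so the growth logic silently depends on `next_handle` being non-zero here: if it can ever be 0, `2 * hash->size` stays 0, the array never grows, and the first append overflows again. Either assert that or clamp, e.g. `hash.size = db->next_handle ? db->next_handle : 1;`, and keep it next to the `new0(struct iovec, db->next_handle)` that it mirrors so the two cannot drift apart. Passing `hash.i` instead of `db->next_handle` to `bt_crypto_gatt_hash` is the right count (it is the number of populated entries and, with the new growth logic, may now exceed `next_handle`); the return value of `bt_crypto_gatt_hash` is still ignored on the new line as it was on the old, which is worth a follow-up since a failed hash update leaves `db->hash` stale.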