From: Jonas Dreßler
To: linux-bluetooth@vger.kernel.org
Cc: zbrown@gnome.org, Jonas Dreßler
Subject: [PATCH BlueZ 1/4] lib/sdp: Allocate strings in sdp_data_t with NULL termination
Date: Fri, 3 Nov 2023 19:21:47 +0100
Message-ID: <20231103182150.60088-2-verdre@v0yd.nl>
In-Reply-To: <20231103182150.60088-1-verdre@v0yd.nl>
References: <20231103182150.60088-1-verdre@v0yd.nl>

In extract_str() we create sdp_data_t with strings and allocate sdp_data_t->val.str an extra 0-byte as NULL termination.

In sdp_data_alloc_with_length() we're missing this, and strlen() in sdp_get_string_attr() ends up overrunning the sdpdata->val.str buffer looking for the NULL termination.

Allocate the extra 0-byte for sdp_data_t->val.str to ensure this overrun can't happen.

Co-developed-by: Zander Brown
--- lib/sdp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/sdp.c b/lib/sdp.c index 844ae0d25..1565259a3 100644 --- a/lib/sdp.c +++ b/lib/sdp.c @@ -420,7 +420,7 @@ sdp_data_t *sdp_data_alloc_with_length(uint8_t dtd, const void *value, d->unitSize += length; if (length <= USHRT_MAX) { - d->val.str = malloc(length); + d->val.str = bt_malloc0(length + 1); if (!d->val.str) { free(d); return NULL; -- 2.41.0
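
Review bot: The terminator at `d->val.str = bt_malloc0(length + 1);` is implicit. It exists only because the allocator zero-fills the buffer and because the copy that follows (outside the visible context) writes no more than `length` bytes. A one-line comment at the allocation saying that the extra byte is the string terminator read by strlen() in sdp_get_string_attr(), or an explicit `d->val.str[length] = '\0'` after the copy, would keep a later switch back to a non-zeroing allocator from silently reintroducing the over-read. Two things to confirm while here: the `length <= USHRT_MAX` guard keeps `length + 1` from wrapping only if `length` is wider than 16 bits, and its declaration is cut off in the hunk header; and `d->unitSize += length;` is unchanged, so the recorded size still excludes the terminator, which looks intended but deserves a mention in the commit message. The buffer now comes from `bt_malloc0()` while the error path still calls `free(d)`, so it is also worth checking that the code releasing `val.str` pairs correctly with the new allocator.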