From: Frédéric Danis
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH BlueZ] shared/gatt-db: Fix munmap_chunk invalid pointer
Date: Wed, 3 Jan 2024 10:28:16 +0100
Message-Id: <20240103092816.22952-1-frederic.danis@collabora.com>

PTS test GATT/CL/GAD/BV-03-C published a service starting at handle 0xfffd and ending at 0xffff. This resets the next_handle to 0 in gatt_db_insert_service() instead of setting it to 0x10000.
Other services are added later. This could end up in a crash in db_hash_update() if not enough space has been allocated for hash.iov and some entries are overwritten.
---
 src/shared/gatt-db.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/shared/gatt-db.c b/src/shared/gatt-db.c
index 676f963ec..d32c9a70f 100644
--- a/src/shared/gatt-db.c
+++ b/src/shared/gatt-db.c @@ -58,7 +58,7 @@ struct gatt_db { struct bt_crypto *crypto; uint8_t hash[16]; unsigned int hash_id; - uint16_t next_handle; + uint32_t next_handle; struct queue *services; struct queue *notify_list; -- 2.34.1
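Review bot: widening next_handle to uint32_t stops 0xfffd + 3 from wrapping to 0, but the hunk changes only the field's declaration in struct gatt_db; it does not show what gatt_db_insert_service() does once next_handle holds 0x10000, and any code that copies next_handle into a uint16_t handle will truncate it back to 0 and reproduce the original problem. Please confirm, or add in the same patch, an explicit rejection of a new service when `db->next_handle > UINT16_MAX` before a handle is assigned, so the failure is a clean error rather than a silent wrap. Since the commit message places the crash in db_hash_update() when hash.iov is undersized, a bound check on the iov index there would also let an inconsistent handle range fail without overwriting memory, independently of how next_handle is computed.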
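The wraparound the commit message describes, as an added example that is not BlueZ code: insert_u16() and insert_u32() are hypothetical stand-ins for the allocation step of gatt_db_insert_service() (the real function has a different signature and also checks for overlapping ranges, which this model omits), and ATT_MAX_HANDLE is an assumed constant for the 16-bit ATT handle space. The 16-bit version shows 0xfffd + 3 becoming 0, so the next service is placed at the invalid handle 0 and from then on the counter no longer reflects what the database contains; the 32-bit version keeps the true value 0x10000 and, more generally, rejects any range that would not fit in handle space.

```c
#include <stdint.h>
#include <stdio.h>

#define ATT_MAX_HANDLE 0xffffu	/* assumed: ATT handles are 16-bit, 0 is invalid */

/* Pre-patch layout: the counter is the same width as a handle. */
struct db_u16 {
	uint16_t next_handle;
};

/* Post-patch layout: the counter can hold one past the last valid handle. */
struct db_u32 {
	uint32_t next_handle;
};

/*
 * Hypothetical stand-in for the allocation step of gatt_db_insert_service().
 * handle == 0 means "allocate at next_handle". Overlap checking is left out;
 * only the arithmetic on next_handle is modelled.
 */
static uint16_t insert_u16(struct db_u16 *db, uint16_t handle,
						uint16_t num_handles)
{
	if (!handle)
		handle = db->next_handle;

	/* 0xfffd + 3 == 0x10000 is silently truncated to 0 on store */
	db->next_handle = (uint16_t)(handle + num_handles);

	return handle;
}

/* Same step with the widened counter and the bounds check it makes possible. */
static uint16_t insert_u32(struct db_u32 *db, uint16_t handle,
						uint16_t num_handles)
{
	uint32_t start = handle ? handle : db->next_handle;
	uint32_t end;

	if (!num_handles || !start || start > ATT_MAX_HANDLE)
		return 0;

	end = start + num_handles - 1;
	if (end > ATT_MAX_HANDLE)
		return 0;	/* range does not fit in 16-bit handle space */

	if (end + 1 > db->next_handle)
		db->next_handle = end + 1;	/* may legitimately be 0x10000 */

	return (uint16_t)start;
}

int main(void)
{
	struct db_u16 old = { .next_handle = 0x0001 };
	struct db_u32 fixed = { .next_handle = 0x0001 };
	uint16_t h;

	/* The PTS scenario: a 3-handle service pinned at 0xfffd..0xffff */
	insert_u16(&old, 0xfffd, 3);
	h = insert_u16(&old, 0, 5);
	printf("uint16_t: next_handle=0x%04x, second service at 0x%04x\n",
	       (unsigned)old.next_handle, (unsigned)h);

	insert_u32(&fixed, 0xfffd, 3);
	h = insert_u32(&fixed, 0, 5);
	printf("uint32_t: next_handle=0x%05x, second service %s\n",
	       (unsigned)fixed.next_handle, h ? "allocated" : "rejected");

	return 0;
}
```

The check in insert_u32() is only possible because next_handle can now represent 0x10000; with a uint16_t counter there is no value left to mean "the space is full", which is why widening the field is the necessary first step rather than a cosmetic change.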