Received: by 2002:a05:7412:e794:b0:fa:551:50a7 with SMTP id o20csp1650168rdd; Thu, 11 Jan 2024 05:40:33 -0800 (PST) X-Google-Smtp-Source: AGHT+IE+pDFJ7heL+oeXC7AzybQzz+uMaL+lipWqOrldXpH9/M4g/qlMlfUF2YcxvBP5OPMUdgvA X-Received: by 2002:ac8:580c:0:b0:429:c98e:53c7 with SMTP id g12-20020ac8580c000000b00429c98e53c7mr202116qtg.131.1704980433522; Thu, 11 Jan 2024 05:40:33 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1704980433; cv=none; d=google.com; s=arc-20160816; b=ro7cSMe09wXS9kxTD51Y1Rr3tc//jhjRWpU0je8IHwbRIzBRAGBj7uYTIywo4Jvgl6 IGr9dWMgO6bFhC50Da0ZA9bp0ELM6+7BQdN7nPL5Hbt2h0pOwjW7+gwhxkU8Yoq1yHcO laXYH+zaoQ/cEQlKH7k0yrF+ILF07Sc8q9Ps2ARyZYd+iPneKW/tl73wsmY/WEHL94TI 9t4QaqVWwGMGcM6PaR2T/lgtE3mO7CTykPRWmT1qGVFLn0XX/6mhpDgDEqyDnz89ZCPe E739p5pYXfPW/febo2SEDpDe3Oh/SnOhri101RL8X3QRp3CxvL77VpgdDbOOYGnJli7p OYHQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:message-id:date:subject:to:from :dkim-signature; bh=9Y8VDmd2+JJkvHog4UTxoUkWRMVGKRH4FySn4Trld24=; fh=4lGQI6056MBa4/oovMyIYaKLn+Wz/24RGvUivMmQP8E=; b=ZVQUmuIXEcpQ9kHWpyIls22JMa6k/S3GB5eXMY8Lkp7j4kNbTk41TSoJ2YN+KcwrWI DJrdqOAFqVKO4unLsUq4P2BtF4N5YX6HzlUt7pn0dM0oUvHcDJku+N90JcWYxBuPtDPT a7PlAEm7chnHY+nlLSpjS60gr/qd/aLdsfy5wMq5Pns2LeOj8pQX/uKYEpyiJXwx7iqx SxSzGpKgp/IoYNrn1LRnhFcHS6vLo2kWVT0rd5Y34lHmpCKHQLHbTALNoTTwCUh2g3LZ 8P0Jb+CS5jycwWp8TrQJP2QPaVcYc6s8sNLUbJ1kCMl/C2SUmgXtn5sHk7bfhmlKXR4J 6Gqw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@collabora.com header.s=mail header.b=HVMUdvQ0; spf=pass (google.com: domain of linux-bluetooth+bounces-1050-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-bluetooth+bounces-1050-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=collabora.com Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [147.75.199.223]) by mx.google.com with ESMTPS id y15-20020a05622a120f00b0042791d5bf47si901513qtx.754.2024.01.11.05.40.33 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 11 Jan 2024 05:40:33 -0800 (PST) Received-SPF: pass (google.com: domain of linux-bluetooth+bounces-1050-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223; Authentication-Results: mx.google.com; dkim=pass header.i=@collabora.com header.s=mail header.b=HVMUdvQ0; spf=pass (google.com: domain of linux-bluetooth+bounces-1050-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-bluetooth+bounces-1050-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=collabora.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id 86A671C246E4 for ; Thu, 11 Jan 2024 13:40:13 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id E7D101804A; Thu, 11 Jan 2024 13:40:07 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=collabora.com header.i=@collabora.com header.b="HVMUdvQ0" X-Original-To: linux-bluetooth@vger.kernel.org Received: from madrid.collaboradmins.com (madrid.collaboradmins.com [46.235.227.194]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BC2EA2837F for ; Thu, 11 Jan 2024 13:40:05 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=collabora.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=collabora.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=collabora.com; s=mail; t=1704980404; bh=jV1P8haOArA3cYjyOSXuH6XfZyVAAIyJr8yPYrWPBh0=; h=From:To:Subject:Date:From; b=HVMUdvQ0cQP4dV8FMWvePZ3wqYH8hpVQtNEtVt1alnAslH05SLYvwA+Uinqmvh1ax 53KnpeD8xe+iaSZVglzlfp0pBZxOUKXXCPpBPJWg+Vqzzw3xbJn90clJOT0ZbBhhgA v2sGl/ZSRWAzbygPRmf4XvS7cZjvjUBrAxXhG5ZXOoxhCZ6vP+/yh1cmT6lWXAFjD/ 0xbjktZj/ZZn2ZNLBSe8vS7BjlrGjy4efgCxMFBQO3/9Z7TKhT4wDDdFQuTa2kcRpa WKvfpuY4pDPFwlQxN/BoHz1ot290O4kRtb6wJmUF+QKyG4ZVCEil7UWBg+KvNdHOji whjteucDZyVvg== Received: from fdanis-XPS-13-9370.. (cola.collaboradmins.com [195.201.22.229]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: fdanis) by madrid.collaboradmins.com (Postfix) with ESMTPSA id F30CC3780894 for ; Thu, 11 Jan 2024 13:40:03 +0000 (UTC) From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Danis?= To: linux-bluetooth@vger.kernel.org Subject: [PATCH v4 0/2] Fix gatt-db munmap_chunk invalid pointer Date: Thu, 11 Jan 2024 14:39:53 +0100 Message-Id: <20240111133955.65686-1-frederic.danis@collabora.com> X-Mailer: git-send-email 2.34.1 Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit PTS test GATT/CL/GAD/BV-03-C published a service starting at handle 0xfffd and ending at 0xffff. This resets the next_handle to 0 in gatt_db_insert_service() instead of setting it to 0x10000. Other services are added later. This could end-up by a crash in db_hash_update() if not enough space has been allocated for hash.iov and some entries are overwritten. Next_handle can be replaced by a last_handle variable which will not loop over. This can be replaced by queue_peek_tail() and computing the value, but keeping last_handle will avoid this sort of lookup. Add a unit test to check regression. v1 -> v2: Replace next_handle by last_handle Check empty db using gatt_db_isempty(db) instead of next_handle == 0 Add robustness unit test to check that gatt_db_get_hash() doesn't crash v2 -> v3: Fix line length checkpatch errors v3 -> v4: Update commit comment to explain reason for keeping last_handle Split unit test to its own commit Rephrase db setup comment in unit test Frédéric Danis (2): shared/gatt-db: Fix munmap_chunk invalid pointer unit/test-gatt: Add unordered setup db test src/shared/gatt-db.c | 19 ++++++------ unit/test-gatt.c | 73 +++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 82 insertions(+), 10 deletions(-) -- 2.34.1