2009-05-12 15:23:27

by Unai Uribarri

[permalink] [raw]
Subject: Segmentation fault in bluetoothd

I've being investigating this Ubuntu 9.04 bug
https://bugs.launchpad.net/ubuntu/+source/bluez/+bug/332119

I've verified that the bug is reproducible with bluez-4.32, bluez-4.34
and git-tip (today at 15.00 UTC).

The root of the bug is that sdp_gen_pdu doesn't check if the given
buffer is big enough to contain the requested data. It's being called
from sdp_append_to_pdu, which uses a 512 byte array at the stack but,
when pairing with my Nokia 6161, it's called with a d parameter that
sums more that 17KB. So the stack is corrupted and the back-trace isn't
very useful.

All the other callers of sdp_gen_pdu seems to use dynamic memory
(malloc), so I've rewritten sdp_append_to_pdu to use dynamic memory
and fixed sdp_gen_pdu to grow the given buffer when it gets full.

Attachments:
bluez-sdp-fix.diff (3.05 kB)

2009-05-12 16:14:32

by Unai Uribarri

[permalink] [raw]
Subject: Re: Segmentation fault in bluetoothd

The previous patch prevents bluetoothd from crashing, but my phone
doesn't work either.

Following jhl (irc nick) suggestions, instead of growing the buffer
dynamically, I modified sdp_gen_pdu to return -1 if the buffer isn't big
enough to contain the passed data, and all the invokers of this function
to check for errors.

This new patch allow to pair with my phone and retrieve all its services
(serial, DUN, obex...).


El mar, 12-05-2009 a las 17:23 +0200, Unai Uribarri escribió:
> I've being investigating this Ubuntu 9.04 bug
> https://bugs.launchpad.net/ubuntu/+source/bluez/+bug/332119
>
> I've verified that the bug is reproducible with bluez-4.32, bluez-4.34
> and git-tip (today at 15.00 UTC).
>
> The root of the bug is that sdp_gen_pdu doesn't check if the given
> buffer is big enough to contain the requested data. It's being called
> from sdp_append_to_pdu, which uses a 512 byte array at the stack but,
> when pairing with my Nokia 6161, it's called with a d parameter that
> sums more that 17KB. So the stack is corrupted and the back-trace isn't
> very useful.
>
> All the other callers of sdp_gen_pdu seems to use dynamic memory
> (malloc), so I've rewritten sdp_append_to_pdu to use dynamic memory
> and fixed sdp_gen_pdu to grow the given buffer when it gets full.

Attachments:
bluez-sdp-fix2.diff (3.84 kB)