From: "Inga Stotland" <ingas@codeaurora.org>
To: "'Anderson Lizardo'" <anderson.lizardo@openbossa.org>,
"'Vinicius Costa Gomes'" <vinicius.gomes@openbossa.org>,
<linux-bluetooth@vger.kernel.org>,
"'Bruna Moreira'" <bruna.moreira@openbossa.org>
Subject: RE: [PATCH v2 1/7] Fix invalid memory access when EIR field length is zero
Date: Mon, 15 Nov 2010 16:41:07 -0800 [thread overview]
Message-ID: <000001cb8526$f580edf0$e082c9d0$@org> (raw)
In-Reply-To: <AANLkTi=J39omUnYYWLpB0ncd6Kd8LukdFopM4WDyWNJ1@mail.gmail.com>
Hi Anderson,
-----Original Message-----
From: linux-bluetooth-owner@vger.kernel.org
[mailto:linux-bluetooth-owner@vger.kernel.org] On Behalf Of Anderson Lizardo
Sent: Friday, November 12, 2010 5:01 PM
To: Inga Stotland; Vinicius Costa Gomes; linux-bluetooth@vger.kernel.org;
Bruna Moreira
Subject: Re: [PATCH v2 1/7] Fix invalid memory access when EIR field length
is zero
On 11/12/10, Johan Hedberg <johan.hedberg@gmail.com> wrote:
> Hi Inga,
>
> On Thu, Nov 11, 2010, Inga Stotland wrote:
>> Was there a bug to begin with? :)
>> The access to eir_data[1] was always valid due to the check (len <
>> EIR_DATA_LENGTH - 1)
>> and the fact that eir_data is a buffer of fixed length of EIR_DATA_LENGTH
>> (240 bytes).
>
> On closer inspection it seems you might be right, however it'd be nice
> to get some comments from the original patch author about this (were
> there e.g. crashes or some valgrind warnings observed or was this just
> speculation based on looking at the code).
There were valgrind "unintialized value" warnings related to this
after we started using it for parsing adv data (which is max 31 bytes
long but may be smaller because spec allows radio to strip non
significant bytes before sending, which explains why we added a length
parameter in a later patch). Actually I dont think the current code is
"safe" as it assumes the EIR data is aways 240 bytes long, which seems
true as per spec , but less data could be sent, causing reading beyond
buffer.
---------------
Just a note...
When Extended Inquiry Response HCI event comes to the upper layer parser
from
HCI layer it is guaranteed to contain 240 bytes where of course the non
significant part is zeroed out. This is ensured by internal implementation
in BlueZ and is spec compliant.
The fix is fine since it takes care of warnings, but personally I am a big
fan of
keeping meaningful variable names :)
Regards,
Inga Stotland
Sent by an employee of the Qualcomm Innovation Center, Inc.
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum.
prev parent reply other threads:[~2010-11-16 0:41 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-11-11 18:51 [PATCH v2 1/7] Fix invalid memory access when EIR field length is zero Vinicius Costa Gomes
2010-11-11 18:51 ` [PATCH v2 2/7] Refactor get_eir_uuids() to get EIR data length parameter Vinicius Costa Gomes
2010-11-11 21:09 ` Johan Hedberg
2010-11-11 18:51 ` [PATCH v2 3/7] Refactoring adapter_update_found_devices() function Vinicius Costa Gomes
2010-11-11 20:49 ` Luiz Augusto von Dentz
2010-11-11 21:10 ` Johan Hedberg
2010-11-11 18:51 ` [PATCH v2 4/7] Initial advertising data parsing implementation Vinicius Costa Gomes
2010-11-11 21:10 ` Luiz Augusto von Dentz
2010-11-11 21:16 ` Johan Hedberg
2010-11-11 18:51 ` [PATCH v2 5/7] Advertising data: extract local name Vinicius Costa Gomes
2010-11-11 18:52 ` [PATCH v2 6/7] Extract service UUIDs from advertising data Vinicius Costa Gomes
2010-11-11 18:52 ` [PATCH v2 7/7] Emit "DeviceFound" signal for LE devices Vinicius Costa Gomes
2010-11-11 20:54 ` [PATCH v2 1/7] Fix invalid memory access when EIR field length is zero Luiz Augusto von Dentz
2010-11-11 21:00 ` Johan Hedberg
2010-11-11 21:07 ` Johan Hedberg
2010-11-12 0:24 ` Inga Stotland
2010-11-12 16:54 ` Johan Hedberg
2010-11-12 17:38 ` Gustavo F. Padovan
2010-11-13 1:00 ` Anderson Lizardo
2010-11-16 0:41 ` Inga Stotland [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='000001cb8526$f580edf0$e082c9d0$@org' \
--to=ingas@codeaurora.org \
--cc=anderson.lizardo@openbossa.org \
--cc=bruna.moreira@openbossa.org \
--cc=linux-bluetooth@vger.kernel.org \
--cc=vinicius.gomes@openbossa.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.