From: Bastien Nocera <hadess@hadess.net>
To: BlueZ development <linux-bluetooth@vger.kernel.org>
Subject: Re: [PATCH] Fix another sdp-xml bug
Date: Tue, 24 Mar 2009 12:03:24 +0000 [thread overview]
Message-ID: <1237896204.14805.731.camel@cookie.hadess.net> (raw)
In-Reply-To: <1237895709.14805.722.camel@cookie.hadess.net>
[-- Attachment #1: Type: text/plain, Size: 278 bytes --]
On Tue, 2009-03-24 at 11:55 +0000, Bastien Nocera wrote:
> Spotted by Luiz, another invalid memory access when trying to read past
> the end of a string that's not nul-terminated.
>
> strndup to the rescue.
Never mind, previous patch was off by one. Corrected patch attached.
[-- Attachment #2: 0001-Fix-invalid-memory-access-when-dealing-with-URLs.patch --]
[-- Type: text/x-patch, Size: 1184 bytes --]
>From 0606404a81cc73e7a1ee90da9641a6a87c8f6f43 Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net>
Date: Tue, 24 Mar 2009 11:46:18 +0000
Subject: [PATCH] Fix invalid memory access when dealing with URLs
Just like strings attributes, URLs might not be NUL-terminated.
Make sure we don't read past the end of the allocated memory when
copying them.
---
common/sdp-xml.c | 9 ++++++++-
1 files changed, 8 insertions(+), 1 deletions(-)
diff --git a/common/sdp-xml.c b/common/sdp-xml.c
index 608de76..18473d0 100644
--- a/common/sdp-xml.c
+++ b/common/sdp-xml.c
@@ -25,6 +25,7 @@
#include <config.h>
#endif
+#define _GNU_SOURCE
#include <stdio.h>
#include <errno.h>
#include <ctype.h>
@@ -323,11 +324,17 @@ static void convert_raw_data_to_xml(sdp_data_t *value, int indent_level,
case SDP_URL_STR8:
case SDP_URL_STR16:
case SDP_URL_STR32:
+ {
+ char *strBuf;
+
appender(data, indent);
appender(data, "<url value=\"");
- appender(data, value->val.str);
+ strBuf = strndup(value->val.str, value->unitSize - 1);
+ appender(data, strBuf);
+ free(strBuf);
appender(data, "\" />\n");
break;
+ }
case SDP_SEQ8:
case SDP_SEQ16:
--
1.6.0.6
next prev parent reply other threads:[~2009-03-24 12:03 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-03-24 11:55 [PATCH] Fix another sdp-xml bug Bastien Nocera
2009-03-24 12:03 ` Bastien Nocera [this message]
2009-03-24 12:23 ` Johan Hedberg
2009-03-24 12:12 ` Johan Hedberg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1237896204.14805.731.camel@cookie.hadess.net \
--to=hadess@hadess.net \
--cc=linux-bluetooth@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.