From: Founder Fang <founder.fang@gmail.com>
To: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
Cc: linux-bluetooth@vger.kernel.org
Subject: Re: [PATCH] hog: fix invalid type cast in discover_descriptor_cb
Date: Thu, 17 Sep 2015 09:21:52 +0800
Message-ID: <20150917012151.GA9174@gmail.com>
In-Reply-To: <CABBYNZJw98UJyRrXg3SQ4ZpU5q04qjfrz2YpivZ7zDBru-YQHw@mail.gmail.com>

Hi,
On Wed, Sep 16, 2015 at 12:54:55PM +0300, Luiz Augusto von Dentz wrote:
> Hi,
> 
> On Wed, Sep 16, 2015 at 10:23 AM, Founder Fang <founder.fang@gmail.com> wrote:
> > The argument user_data for discover_descriptor_cb can be either
> > a pointer to report or a pointer to hogdev; it is differentiated by
> > uuid. When uuid is GATT_EXTERNAL_REPORT_REFERENCE and the actual
> > user_data is a pointer to a report, the user_data is wrongly cast
> > to hogdev, hence causing memory corruption.
> > Create another function, discover_descriptor_no_report_cb, and avoid
> > the type cast based on uuid to fix the problem.
> > ---
> >  profiles/input/hog.c | 43 +++++++++++++++++++++++++++++++++++++++----
> >  1 file changed, 39 insertions(+), 4 deletions(-)
> >
> > diff --git a/profiles/input/hog.c b/profiles/input/hog.c
> > index e006add..bea8637 100644
> > --- a/profiles/input/hog.c
> > +++ b/profiles/input/hog.c
> > @@ -219,7 +219,6 @@ static void discover_descriptor_cb(uint8_t status, GSList *descs,
> >                                                                 void *user_data)
> >  {
> >         struct report *report;
> > -       struct hog_device *hogdev;
> >         GAttrib *attrib = NULL;
> >
> >         if (status != 0) {
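Review bot: once `struct hog_device *hogdev;` is dropped here, discover_descriptor_cb only ever receives a `struct report *`, but nothing in the function says so; a one-line comment above it stating that user_data is always a report (and that the hogdev path now lives in the separate callback) would make the split obvious to the next reader and prevent someone re-adding the cast.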
> > @@ -244,6 +243,41 @@ static void discover_descriptor_cb(uint8_t status, GSList *descs,
> >                                                 report_reference_cb, report);
> >                         break;
> >                 case GATT_EXTERNAL_REPORT_REFERENCE:
> > +                       break;
> > +               }
> > +       }
> > +}
> > +
> > +static void discover_descriptor(GAttrib *attrib, uint16_t start, uint16_t end,
> > +                                                       gpointer user_data)
> > +{
> > +       if (start > end)
> > +               return;
> > +
> > +       gatt_discover_desc(attrib, start, end, NULL,
> > +                                       discover_descriptor_cb, user_data);
> > +}
> > +
> > +static void discover_descriptor_no_report_cb(uint8_t status, GSList *descs,
> > +                                                               void *user_data)
> > +{
> > +       struct hog_device *hogdev;
> > +       GAttrib *attrib = NULL;
> > +
> > +       if (status != 0) {
> > +               error("Discover all descriptors failed: %s",
> > +                                                       att_ecode2str(status));
> > +               return;
> > +       }
> > +
> > +       for ( ; descs; descs = descs->next) {
> > +               struct gatt_desc *desc = descs->data;
> > +
> > +               switch (desc->uuid16) {
> > +               case GATT_CLIENT_CHARAC_CFG_UUID:
> > +               case GATT_REPORT_REFERENCE:
> > +                       break;
> > +               case GATT_EXTERNAL_REPORT_REFERENCE:
> >                         hogdev = user_data;
> >                         attrib = hogdev->attrib;
> >                         gatt_read_char(attrib, desc->handle,
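Review bot: this hunk is hard to review because the new discover_descriptor_no_report_cb is spliced through the body of the old function (the `+ break; + } + } + }` lines close discover_descriptor_cb early and the tail of the old switch is reused as the tail of the new function); placing the new callback after the existing one would give a hunk that is purely added lines. On the logic, the GATT_EXTERNAL_REPORT_REFERENCE case in discover_descriptor_cb is now a bare `break;`, and the GATT_CLIENT_CHARAC_CFG_UUID / GATT_REPORT_REFERENCE cases in the new callback likewise fall through silently, so a descriptor that arrives with the wrong context is dropped without a trace; a DBG() in those cases would make a future mismatch visible instead of invisible. The status check, error() call and descriptor loop are also copied verbatim between the two callbacks, so consider a shared helper and keeping only the uuid switch separate.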
> > @@ -253,16 +287,17 @@ static void discover_descriptor_cb(uint8_t status, GSList *descs,
> >         }
> >  }
> >
> > -static void discover_descriptor(GAttrib *attrib, uint16_t start, uint16_t end,
> > +static void discover_descriptor_no_report(GAttrib *attrib, uint16_t start, uint16_t end,
> >                                                         gpointer user_data)
> >  {
> >         if (start > end)
> >                 return;
> >
> >         gatt_discover_desc(attrib, start, end, NULL,
> > -                                       discover_descriptor_cb, user_data);
> > +                                       discover_descriptor_no_report_cb, user_data);
> >  }
> >
> > +
> >  static void external_service_char_cb(uint8_t status, GSList *chars,
> >                                                                 void *user_data)
> >  {
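Review bot: `static void discover_descriptor_no_report(GAttrib *attrib, uint16_t start, uint16_t end,` exceeds the 80-column limit the file otherwise follows; move `uint16_t end,` to the continuation line. The added `+` blank line before external_service_char_cb leaves two consecutive blank lines; drop it.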
> > @@ -824,7 +859,7 @@ static void char_discovered_cb(uint8_t status, GSList *chars, void *user_data)
> >                         DBG("HoG discovering report map");
> >                         gatt_read_char(hogdev->attrib, chr->value_handle,
> >                                                 report_map_read_cb, hogdev);
> > -                       discover_descriptor(hogdev->attrib, start, end, hogdev);
> > +                       discover_descriptor_no_report(hogdev->attrib, start, end, hogdev);
> >                 } else if (bt_uuid_cmp(&uuid, &info_uuid) == 0)
> >                         info_handle = chr->value_handle;
> >                 else if (bt_uuid_cmp(&uuid, &proto_mode_uuid) == 0)
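Review bot: `discover_descriptor_no_report(hogdev->attrib, start, end, hogdev);` at this indentation depth also runs past 80 columns and needs its arguments wrapped. On naming, `no_report` says what the function does not take rather than what it does; since this call site passes hogdev, something like discover_descriptor_hogdev would tell the reader which context each variant expects without consulting the callback.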
> > --
> > 1.9.1
> 
> I've made a similar fix to android in
> 47a337152d342a37e3021dab0b18487b185e8b76; we should probably port that
> one to profile/input since in future we are planning to share
> the same implementation.
> 
> 
> -- 
> Luiz Augusto von Dentz

Any plan to merge android/hog.c and profile/input/hog.c? I notice
recently there are important patches applied to profile/input/hog.c but not to android/hog.c,
e.g. 8e73a002848a6a2abcbd436ea8aac089320c13f2

Founder Fang
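As an added example (not BlueZ code and not part of the patch), the pattern that removes this class of bug at the root: hand the callback a tagged context as user_data so it can verify which struct it was given before casting, instead of inferring the pointer type from the descriptor uuid. The uuid values, the minimal struct layouts and walk_descriptors() are constructed stand-ins for the hog.c code discussed above.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-ins for the descriptor uuids hog.c switches on. */
#define GATT_CLIENT_CHARAC_CFG_UUID    0x2902
#define GATT_EXTERNAL_REPORT_REFERENCE 0x2907
#define GATT_REPORT_REFERENCE          0x2908

struct hog_device { int attrib; };              /* hypothetical, minimal */
struct report { struct hog_device *hogdev; };   /* hypothetical, minimal */

/* Tagged wrapper: the caller states which struct it hands over, so the
 * callback checks the tag instead of inferring the type from the uuid. */
enum ctx_kind { CTX_REPORT, CTX_HOGDEV };
struct desc_ctx {
	enum ctx_kind kind;
	union { struct report *report; struct hog_device *hogdev; } u;
};

/* Mirrors the uuid switch in discover_descriptor_cb. Returns how many
 * descriptors were acted on, or -1 on the first one that needs the other context. */
static int walk_descriptors(const uint16_t *uuids, size_t n, void *user_data)
{
	struct desc_ctx *ctx = user_data;
	int handled = 0;

	for (size_t i = 0; i < n; i++) {
		switch (uuids[i]) {
		case GATT_REPORT_REFERENCE:
			if (ctx->kind != CTX_REPORT)
				return -1;	/* would have been a bad cast */
			handled += ctx->u.report->hogdev->attrib != 0;
			break;
		case GATT_EXTERNAL_REPORT_REFERENCE:
			if (ctx->kind != CTX_HOGDEV)
				return -1;	/* the case the patch fixes */
			handled += ctx->u.hogdev->attrib != 0;
			break;
		default:		/* e.g. CCC descriptor: nothing to read */
			break;
		}
	}
	return handled;
}

/* Constructed sample data: one device, one report, one context of each kind. */
static struct hog_device sample_dev = { .attrib = 7 };
static struct report sample_report = { .hogdev = &sample_dev };
static struct desc_ctx report_ctx = { CTX_REPORT, { .report = &sample_report } };
static struct desc_ctx hogdev_ctx = { CTX_HOGDEV, { .hogdev = &sample_dev } };
```

With the tag in place, the report-map path and the per-report path can share one callback, and a caller that passes the wrong context fails loudly at the check rather than dereferencing a `struct report` as a `struct hog_device`.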
