* [PATCH BlueZ v2] sdp: fix overflow in sdp_extract_seqtype()
@ 2026-05-04 16:46 Martin Brodeur
2026-05-04 16:57 ` Luiz Augusto von Dentz
0 siblings, 1 reply; 3+ messages in thread
From: Martin Brodeur @ 2026-05-04 16:46 UTC (permalink / raw)
To: linux-bluetooth; +Cc: luiz.von.dentz, Martin Brodeur
bt_get_be32() returns uint32_t. Assigning the result directly
to the int *size parameter sign-extends values greater than
INT_MAX to negative, bypassing sequence-length sanity checks
in extract_seq() and sdp_extract_pdu() callers.
Store the result in a uint32_t first and reject values that
exceed INT_MAX before assigning to *size.
Reported-by: Martin Brodeur <admin@fluentlogic.org>
---
lib/bluetooth/sdp.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/lib/bluetooth/sdp.c b/lib/bluetooth/sdp.c
index 7210ce0..3295fc0 100644
--- a/lib/bluetooth/sdp.c
+++ b/lib/bluetooth/sdp.c
@@ -1249,7 +1249,15 @@ int sdp_extract_seqtype(const uint8_t *buf, int bufsize, uint8_t *dtdp, int *siz
SDPERR("Unexpected end of packet");
return 0;
}
- *size = bt_get_be32(buf);
+ {
+ uint32_t val32 = bt_get_be32(buf);
+
+ if (val32 > INT_MAX) {
+ SDPERR("Sequence length overflow");
+ return 0;
+ }
+ *size = (int) val32;
+ }
scanned += sizeof(uint32_t);
break;
default:
--
2.39.5 (Apple Git-154)
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH BlueZ v2] sdp: fix overflow in sdp_extract_seqtype()
2026-05-04 16:46 [PATCH BlueZ v2] sdp: fix overflow in sdp_extract_seqtype() Martin Brodeur
@ 2026-05-04 16:57 ` Luiz Augusto von Dentz
2026-05-04 17:12 ` admin
0 siblings, 1 reply; 3+ messages in thread
From: Luiz Augusto von Dentz @ 2026-05-04 16:57 UTC (permalink / raw)
To: Martin Brodeur; +Cc: linux-bluetooth, luiz.von.dentz
Hi Martin,
On Mon, May 4, 2026 at 12:47 PM Martin Brodeur <admin@fluentlogic.org> wrote:
>
> bt_get_be32() returns uint32_t. Assigning the result directly
> to the int *size parameter sign-extends values greater than
> INT_MAX to negative, bypassing sequence-length sanity checks
> in extract_seq() and sdp_extract_pdu() callers.
>
> Store the result in a uint32_t first and reject values that
> exceed INT_MAX before assigning to *size.
>
> Reported-by: Martin Brodeur <admin@fluentlogic.org>
> ---
> lib/bluetooth/sdp.c | 10 +++++++++-
> 1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/lib/bluetooth/sdp.c b/lib/bluetooth/sdp.c
> index 7210ce0..3295fc0 100644
> --- a/lib/bluetooth/sdp.c
> +++ b/lib/bluetooth/sdp.c
> @@ -1249,7 +1249,15 @@ int sdp_extract_seqtype(const uint8_t *buf, int bufsize, uint8_t *dtdp, int *siz
> SDPERR("Unexpected end of packet");
> return 0;
> }
> - *size = bt_get_be32(buf);
> + {
> + uint32_t val32 = bt_get_be32(buf);
> +
> + if (val32 > INT_MAX) {
> + SDPERR("Sequence length overflow");
> + return 0;
> + }
> + *size = (int) val32;
How about we simply pass a uint32_t *size?
> + }
> scanned += sizeof(uint32_t);
> break;
> default:
> --
> 2.39.5 (Apple Git-154)
>
>
>
--
Luiz Augusto von Dentz
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH BlueZ v2] sdp: fix overflow in sdp_extract_seqtype()
2026-05-04 16:57 ` Luiz Augusto von Dentz
@ 2026-05-04 17:12 ` admin
0 siblings, 0 replies; 3+ messages in thread
From: admin @ 2026-05-04 17:12 UTC (permalink / raw)
To: Luiz Augusto von Dentz; +Cc: linux-bluetooth, luiz.von.dentz
Luiz,
Sorry for the multiple submissions, couldn't figure out something on the emailing side of things.
Here's what my setup sees that you also must change since this is a more invasive fix:
v3 changes the parameter type to uint32_t * and updates all callers (sdp.c ×3, sdp-client.c, sdpd-request.c, sdpd-service.c, obexd/client/bluetooth.c).
Here are the details as needed:
bt_get_be32() returns uint32_t. Assigning the result directly
to the int *size parameter sign-extends values greater than
INT_MAX to negative, bypassing sequence-length sanity checks
in extract_seq() and sdp_extract_pdu() callers.
Change the type of the size parameter from int * to uint32_t *,
which correctly reflects the wire encoding and eliminates the
need for an intermediate overflow check. Update all callers.
Reported-by: Martin Brodeur <admin@fluentlogic.org>
---
lib/bluetooth/sdp.c | 11 +++++++----
lib/bluetooth/sdp_lib.h | 2 +-
obexd/client/bluetooth.c | 2 +-
src/sdp-client.c | 3 ++-
src/sdpd-request.c | 3 ++-
src/sdpd-service.c | 2 +-
6 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/lib/bluetooth/sdp.c b/lib/bluetooth/sdp.c
index 7210ce0..fd443a7 100644
--- a/lib/bluetooth/sdp.c
+++ b/lib/bluetooth/sdp.c
@@ -1210,7 +1210,7 @@ static sdp_data_t *extract_str(const void *p, int bufsize, int *len)
* Extract the sequence type and its length, and return offset into buf
* or 0 on failure.
*/
-int sdp_extract_seqtype(const uint8_t *buf, int bufsize, uint8_t *dtdp, int *size)
+int sdp_extract_seqtype(const uint8_t *buf, int bufsize, uint8_t *dtdp, uint32_t *size)
{
uint8_t dtd;
int scanned = sizeof(uint8_t);
@@ -1262,7 +1262,8 @@ int sdp_extract_seqtype(const uint8_t *buf, int bufsize, uint8_t *dtdp, int *siz
static sdp_data_t *extract_seq(const void *p, int bufsize, int *len,
sdp_record_t *rec)
{
- int seqlen, n = 0;
+ uint32_t seqlen;
+ int n = 0;
sdp_data_t *curr, *prev;
sdp_data_t *d = bt_malloc0(sizeof(sdp_data_t));
@@ -1391,7 +1392,8 @@ void sdp_print_service_attr(sdp_list_t *svcAttrList)
sdp_record_t *sdp_extract_pdu(const uint8_t *buf, int bufsize, int *scanned)
{
- int extracted = 0, seqlen = 0;
+ int extracted = 0;
+ uint32_t seqlen = 0;
uint8_t dtd;
uint16_t attr;
sdp_record_t *rec = sdp_record_alloc();
@@ -4422,7 +4424,8 @@ int sdp_service_search_attr_req(sdp_session_t *session, const sdp_list_t *search
int status = 0;
uint32_t reqsize = 0, _reqsize;
uint32_t rspsize = 0;
- int seqlen = 0, attr_list_len = 0;
+ uint32_t seqlen = 0;
+ int attr_list_len = 0;
int rsp_count = 0, cstate_len = 0;
unsigned int pdata_len;
uint8_t *pdata, *_pdata;
diff --git a/lib/bluetooth/sdp_lib.h b/lib/bluetooth/sdp_lib.h
index 7a48ad5..96048e6 100644
--- a/lib/bluetooth/sdp_lib.h
+++ b/lib/bluetooth/sdp_lib.h
@@ -610,7 +610,7 @@ void sdp_append_to_buf(sdp_buf_t *dst, uint8_t *data, uint32_t len);
int sdp_gen_pdu(sdp_buf_t *pdu, sdp_data_t *data);
int sdp_gen_record_pdu(const sdp_record_t *rec, sdp_buf_t *pdu);
-int sdp_extract_seqtype(const uint8_t *buf, int bufsize, uint8_t *dtdp, int *size);
+int sdp_extract_seqtype(const uint8_t *buf, int bufsize, uint8_t *dtdp, uint32_t *size);
sdp_data_t *sdp_extract_attr(const uint8_t *pdata, int bufsize, int *extractedLength, sdp_record_t *rec);
diff --git a/obexd/client/bluetooth.c b/obexd/client/bluetooth.c
index 96c69d8..4f1da37 100644
--- a/obexd/client/bluetooth.c
+++ b/obexd/client/bluetooth.c
@@ -135,7 +135,7 @@ static void search_callback(uint8_t type, uint16_t status,
{
struct bluetooth_session *session = user_data;
unsigned int scanned, bytesleft = size;
- int seqlen = 0;
+ uint32_t seqlen = 0;
uint8_t dataType;
uint16_t port = 0;
GError *gerr = NULL;
diff --git a/src/sdp-client.c b/src/sdp-client.c
index 4f35cf1..a3ac6de 100644
--- a/src/sdp-client.c
+++ b/src/sdp-client.c
@@ -151,7 +151,8 @@ static void search_completed_cb(uint8_t type, uint16_t status,
{
struct search_context *ctxt = user_data;
sdp_list_t *recs = NULL;
- int scanned, seqlen = 0, bytesleft = size;
+ int scanned, bytesleft = size;
+ uint32_t seqlen = 0;
uint8_t dataType;
int err = 0;
diff --git a/src/sdpd-request.c b/src/sdpd-request.c
index c78bfdf..6ce5a81 100644
--- a/src/sdpd-request.c
+++ b/src/sdpd-request.c
@@ -135,7 +135,8 @@ struct attrid {
static int extract_des(uint8_t *buf, int len, sdp_list_t **svcReqSeq, uint8_t *pDataType, uint8_t expectedType)
{
uint8_t seqType;
- int scanned, data_size = 0;
+ int scanned;
+ uint32_t data_size = 0;
short numberOfElements = 0;
int seqlen = 0;
sdp_list_t *pSeq = NULL;
diff --git a/src/sdpd-service.c b/src/sdpd-service.c
index 3f3b540..e0f5783 100644
--- a/src/sdpd-service.c
+++ b/src/sdpd-service.c
@@ -703,7 +703,7 @@ static sdp_record_t *extract_pdu_server(bdaddr_t *device, uint8_t *p,
{
int extractStatus = -1, localExtractedLength = 0;
uint8_t dtd;
- int seqlen = 0;
+ uint32_t seqlen = 0;
sdp_record_t *rec = NULL;
uint16_t attrId, lookAheadAttrId;
sdp_data_t *pAttr = NULL;
--
2.39.5 (Apple Git-154)
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-05-04 17:12 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-04 16:46 [PATCH BlueZ v2] sdp: fix overflow in sdp_extract_seqtype() Martin Brodeur
2026-05-04 16:57 ` Luiz Augusto von Dentz
2026-05-04 17:12 ` admin
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.