From: Bart Westgeest <bart@elbrys.com>
To: Anderson Lizardo <anderson.lizardo@openbossa.org>
Cc: linux-bluetooth@vger.kernel.org
Subject: Re: [PATCH 2/3] sdp: Limit side effects of sdp_get_data_type and sdp_get_data_size
Date: Mon, 19 Nov 2012 16:06:29 -0500 [thread overview]
Message-ID: <50AA9F55.8030709@elbrys.com> (raw)
In-Reply-To: <CAJdJm_MSAw2EWV=Tp-ycdfhUi1wJdcdXdH+4YAdfGx1LRpWs-g@mail.gmail.com>
Hi Anderson,
>> - sdp_get_data_type(buf, d->dtd);
>> - sdp_get_data_size(buf, d);
>> + buf->buf_size += sdp_get_data_type_size(d->dtd);
>> + buf->buf_size += sdp_get_data_size(buf, d);
>
> No need to check for "if (!buf->data)" like in the original code?
I do not think there's a need for it, this modification is in
sdp_gen_buffer. sdp_gen_buffer is called three times from the following
functions: (1) sdp_attr_size, (2) sdp_append_to_pdu, and (3)
gen_dataseq_pdu.
For (2) & (3), buf is memset to 0 prior to calling sdp_gen_buffer, thus
buf->data is always NULL.
For (1), buf is also memset to 0 for the first call to sdp_attr_size,
which is called repetitively in a foreach statement. Repetitive calls to
sdp_gen_buffer on the same buffer will not (ever) result in an
allocation of buf->data as far as I can tell.
>> - pdu_size = sdp_get_data_type(buf, dtd);
>> + pdu_size = sdp_get_data_type_size(dtd);
>
> Same here. Additionally, buf->buf_size is not being updated.
This modification is in sdp_gen_pdu. sdp_gen_pdu is never called with
buf->data == NULL. If it would, then the initialization of seqp in
sdp_gen_pdu is erroneous, since it uses buf->data without verifying it.
In addition, in the current code, sdp_gen_pdu is only called from three
locations: (1) get_data_size, (2) sdp_append_to_pdu, (3)
gen_dataseq_pdu. In all cases the buf->data is either allocated prior to
calling (2 & 3), or (1) there's an if statement preventing sdp_gen_pdu
from being called when buf->data == NULL.
Bart
next prev parent reply other threads:[~2012-11-19 21:06 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-11-19 19:04 [PATCH 0/3] Fix corrupted SDP response for sequence size > 256 Bart Westgeest
2012-11-19 19:04 ` [PATCH 1/3] sdp: Inlined single use of function sdp_set_data_type Bart Westgeest
2012-11-19 19:04 ` [PATCH 2/3] sdp: Limit side effects of sdp_get_data_type and sdp_get_data_size Bart Westgeest
2012-11-19 20:24 ` Anderson Lizardo
2012-11-19 21:06 ` Bart Westgeest [this message]
2012-11-19 19:04 ` [PATCH 3/3] sdp: Upgrade datatype SEQ8 to SEQ16 when data size is greater than 256 Bart Westgeest
2012-11-19 20:38 ` Anderson Lizardo
2012-11-19 21:33 ` Bart Westgeest
2012-11-20 12:57 ` [PATCH 0/3] Fix corrupted SDP response for sequence size > 256 Johan Hedberg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=50AA9F55.8030709@elbrys.com \
--to=bart@elbrys.com \
--cc=anderson.lizardo@openbossa.org \
--cc=linux-bluetooth@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.