* [PATCH BlueZ 1/1] Fix crash in iov_append_ltv function
2024-03-20 21:03 [PATCH BlueZ 0/1] Fix crash in iov_append_ltv function Silviu Florian Barbulescu
@ 2024-03-20 21:03 ` Silviu Florian Barbulescu
2024-03-20 22:38 ` bluez.test.bot
2024-03-22 10:10 ` [PATCH BlueZ 0/1] " patchwork-bot+bluetooth
1 sibling, 1 reply; 4+ messages in thread
From: Silviu Florian Barbulescu @ 2024-03-20 21:03 UTC (permalink / raw)
To: linux-bluetooth
Cc: mihai-octavian.urzica, silviu.barbulescu, vlad.pruteanu,
andrei.istodorescu, luiz.dentz, iulia.tanasescu
Fix function iov_append_ltv crashing because it is not reallocating memory
Use util_ltv_push from util.c
[bluetooth]# [NEW] Endpoint /org/bluez/hci0/pac_bcast0
[bluetooth]# Endpoint /local/endpoint/ep0 registered
endpoint.config /org/bluez/hci0/pac_bcast0 /local/endpoint/ep0 48_4_1
[/local/endpoint/ep0] BIG (auto/value): 0
[/local/endpoint/ep0] Enter channel location (value/no): 3
=================================================================
==80806==ERROR: AddressSanitizer: heap-buffer-overflow on
address 0x60200000a8ba at pc 0x561971611e0e bp 0x7ffd45ab1f00
sp 0x7ffd45ab1ef0 WRITE of size 1 at 0x60200000a8ba thread T0
0x561971611e0d in put_u8 src/shared/util.h:254
0x561971611e0d in util_iov_push_u8 src/shared/util.c:534
0x5619715c28f0 in iov_append_ltv client/player.c:3565
0x5619715c28f0 in config_endpoint_channel_location client/player.c:3593
0x5619716226ce in bt_shell_release_prompt src/shared/shell.c:744
0x561971623087 in rl_handler src/shared/shell.c:769
---
client/player.c | 18 +-----------------
1 file changed, 1 insertion(+), 17 deletions(-)
diff --git a/client/player.c b/client/player.c
index ab33bfc46..d3ff15adb 100644
--- a/client/player.c
+++ b/client/player.c
@@ -3553,22 +3553,6 @@ done:
endpoint_set_config(cfg);
}
-static struct iovec *iov_append_ltv(struct iovec **iov, uint8_t l,
- uint8_t t, void *v)
-{
- if (!*iov)
- *iov = new0(struct iovec, 1);
-
- if (!((*iov)->iov_base))
- (*iov)->iov_base = new0(uint8_t, l + 1);
-
- util_iov_push_u8(*iov, l);
- util_iov_push_u8(*iov, t);
- util_iov_push_mem(*iov, l - 1, v);
-
- return *iov;
-}
-
static void config_endpoint_channel_location(const char *input, void *user_data)
{
struct endpoint_config *cfg = user_data;
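Review bot: the removed helper allocated iov_base only when it was NULL, sized for exactly one LTV (l + 1 bytes), and then pushed l, t and l - 1 value bytes without ever comparing iov_len against that allocation, so once cfg->caps already carries content the very first util_iov_push_u8 (player.c:3565 in the ASan trace) lands one byte past the end of the buffer, which is the WRITE of size 1 the report shows. Deleting the helper instead of adding a realloc is fine given that its only caller in player.c is the one updated in the next hunk, but the commit message should say the overflow occurs when caps is already populated rather than only that the helper "is not reallocating", since that is the condition a reader needs to reproduce it.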
@@ -3587,7 +3571,7 @@ static void config_endpoint_channel_location(const char *input, void *user_data)
/* Add Channel Allocation LTV in capabilities */
location = cpu_to_le32(location);
- iov_append_ltv(&cfg->caps, LC3_CONFIG_CHAN_ALLOC_LEN,
+ util_ltv_push(cfg->caps, LC3_CONFIG_CHAN_ALLOC_LEN - 1,
LC3_CONFIG_CHAN_ALLOC, &location);
add_meta:
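Review bot: two behavioural differences at this call site deserve a comment or a line in the commit message. First, util_ltv_push receives cfg->caps itself rather than &cfg->caps, so unlike the removed helper it cannot allocate caps when it is still NULL; please confirm caps is always set up before config_endpoint_channel_location runs, or guard the call. Second, the length argument changes from LC3_CONFIG_CHAN_ALLOC_LEN to LC3_CONFIG_CHAN_ALLOC_LEN - 1, i.e. the value length without the type byte, which is the opposite convention from the removed helper (it took the full LTV length and pushed l - 1 value bytes); a one-line comment such as "util_ltv_push takes the value length, the type byte is added by it" would stop the next reader from "fixing" the - 1 back and reintroducing a one-byte overrun.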
--
2.39.2
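As an added illustration of the bug class in this report (example code, not BlueZ's; the names ltv_buf, ltv_push_fixed, ltv_push_grow, ltv_write and ltv_count are assumptions and are not util_ltv_push), the block below builds the same Length-Type-Value encoding the patch deals with in two ways: a fixed-capacity appender shaped like the removed iov_append_ltv, which allocates once for the first LTV and then appends blindly, and a growing appender that reallocates for every push. The fixed variant adds the one check the original lacked so that, instead of writing past iov_base as the ASan trace shows, it refuses the second LTV; the scenario replayed is the reported one, caps already holding one LTV when Channel Allocation (location 3) is appended.

```c
/* Added example, not BlueZ code. Names below are assumptions for this
 * demonstration and do not correspond to BlueZ's util_ltv_push. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/uio.h>

/* LC3 Channel Allocation LTV as in the report: type 0x03 with a 4-byte
 * little-endian value, so its L byte is 5 (type + value). */
#define CHAN_ALLOC_TYPE 0x03

struct ltv_buf {
	struct iovec iov;  /* iov_base/iov_len, as the BlueZ helpers use it */
	size_t cap;        /* bytes allocated at iov_base (tracked for the demo) */
};

/* Write L, T and the value at iov_base + iov_len; caller ensured room. */
static size_t ltv_write(struct ltv_buf *b, uint8_t t, const void *v,
			uint8_t vlen)
{
	uint8_t *p = (uint8_t *)b->iov.iov_base + b->iov.iov_len;

	*p++ = vlen + 1;  /* L counts the type byte plus the value */
	*p++ = t;
	memcpy(p, v, vlen);
	b->iov.iov_len += 2 + vlen;
	return 2 + vlen;
}

/* Mirrors the removed helper: allocate once, sized for the first LTV only,
 * then append. The capacity check is the one line the original lacked;
 * where it returns 0 the original kept writing (the ASan report). */
static size_t ltv_push_fixed(struct ltv_buf *b, uint8_t t, const void *v,
			     uint8_t vlen)
{
	size_t need = 2 + vlen;

	if (!b->iov.iov_base) {
		b->iov.iov_base = calloc(need, 1);
		if (!b->iov.iov_base)
			return 0;
		b->cap = need;
	}
	if (b->iov.iov_len + need > b->cap)
		return 0;  /* would overflow: refuse instead of corrupting the heap */
	return ltv_write(b, t, v, vlen);
}

/* Growing variant: reallocates to fit every append and rejects a value
 * whose L (vlen + 1) would not fit in one byte. */
static size_t ltv_push_grow(struct ltv_buf *b, uint8_t t, const void *v,
			    uint8_t vlen)
{
	size_t need = 2 + vlen;

	if (vlen > 254)
		return 0;
	if (b->iov.iov_len + need > b->cap) {
		void *n = realloc(b->iov.iov_base, b->iov.iov_len + need);

		if (!n)
			return 0;
		b->iov.iov_base = n;
		b->cap = b->iov.iov_len + need;
	}
	return ltv_write(b, t, v, vlen);
}

/* Count LTVs in a blob; -1 if an L is zero or runs past iov_len. */
static int ltv_count(const struct iovec *iov)
{
	const uint8_t *p = iov->iov_base;
	size_t off = 0;
	int n = 0;

	while (off < iov->iov_len) {
		uint8_t l = p[off];

		if (l == 0 || off + 1 + l > iov->iov_len)
			return -1;
		off += 1 + l;
		n++;
	}
	return n;
}

/* Replay the reported scenario: caps already holds one 1-byte LTV, then
 * Channel Allocation (location 3) is appended. Returns 1 when the fixed
 * buffer refuses the second LTV and the growing buffer ends up with a
 * 9-byte blob holding two well-formed entries. */
static int demo_second_ltv(void)
{
	struct ltv_buf fixed = { { NULL, 0 }, 0 }, grow = { { NULL, 0 }, 0 };
	uint8_t freq = 0x08;                 /* constructed first LTV value */
	uint8_t loc_le[4] = { 3, 0, 0, 0 };  /* location 3, little-endian */
	int ok;

	ok = ltv_push_fixed(&fixed, 0x01, &freq, 1) == 3 &&
	     ltv_push_grow(&grow, 0x01, &freq, 1) == 3 &&
	     ltv_push_fixed(&fixed, CHAN_ALLOC_TYPE, loc_le, 4) == 0 &&
	     ltv_push_grow(&grow, CHAN_ALLOC_TYPE, loc_le, 4) == 6 &&
	     grow.iov.iov_len == 9 &&
	     ltv_count(&grow.iov) == 2 && ltv_count(&fixed.iov) == 1 &&
	     ((uint8_t *)grow.iov.iov_base)[3] == 5 &&
	     ((uint8_t *)grow.iov.iov_base)[4] == CHAN_ALLOC_TYPE;

	free(fixed.iov.iov_base);
	free(grow.iov.iov_base);
	return ok;
}

int main(void)
{
	printf("fixed buffer refused, growing buffer ok: %s\n",
	       demo_second_ltv() ? "yes" : "no");
	return 0;
}
```

Build with a sanitizer (gcc -fsanitize=address) and remove the capacity check in ltv_push_fixed to get the same heap-buffer-overflow, WRITE of size 1 at the L byte, that the report shows; the growing variant is what the switch to util_ltv_push is meant to provide.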
* Re: [PATCH BlueZ 0/1] Fix crash in iov_append_ltv function
2024-03-20 21:03 [PATCH BlueZ 0/1] Fix crash in iov_append_ltv function Silviu Florian Barbulescu
2024-03-20 21:03 ` [PATCH BlueZ 1/1] " Silviu Florian Barbulescu
@ 2024-03-22 10:10 ` patchwork-bot+bluetooth
1 sibling, 0 replies; 4+ messages in thread
From: patchwork-bot+bluetooth @ 2024-03-22 10:10 UTC (permalink / raw)
To: Silviu Florian Barbulescu
Cc: linux-bluetooth, mihai-octavian.urzica, vlad.pruteanu,
andrei.istodorescu, luiz.dentz, iulia.tanasescu
Hello:
This patch was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Wed, 20 Mar 2024 23:03:49 +0200 you wrote:
> Fix function iov_append_ltv crashing because it is not reallocating memory
> Use util_ltv_push from util.c
>
> [bluetooth]# [NEW] Endpoint /org/bluez/hci0/pac_bcast0
> [bluetooth]# Endpoint /local/endpoint/ep0 registered
> endpoint.config /org/bluez/hci0/pac_bcast0 /local/endpoint/ep0 48_4_1
> [/local/endpoint/ep0] BIG (auto/value): 0
> [/local/endpoint/ep0] Enter channel location (value/no): 3
> ==80806==ERROR: AddressSanitizer: heap-buffer-overflow on
> address 0x60200000a8ba at pc 0x561971611e0e bp 0x7ffd45ab1f00
> sp 0x7ffd45ab1ef0 WRITE of size 1 at 0x60200000a8ba thread T0
> 0x561971611e0d in put_u8 src/shared/util.h:254
> 0x561971611e0d in util_iov_push_u8 src/shared/util.c:534
> 0x5619715c28f0 in iov_append_ltv client/player.c:3565
> 0x5619715c28f0 in config_endpoint_channel_location client/player.c:3593
> 0x5619716226ce in bt_shell_release_prompt src/shared/shell.c:744
> 0x561971623087 in rl_handler src/shared/shell.c:769
>
> [...]
Here is the summary with links:
- [BlueZ,1/1] Fix crash in iov_append_ltv function
https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=bbf198280e70
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html