From: Luiz Augusto von Dentz <noreply@github.com>
To: linux-bluetooth@vger.kernel.org
Subject: [bluez/bluez] 6b9dff: shared/vcp: use iov_pull in input parsing
Date: Mon, 05 May 2025 13:20:57 -0700
Message-ID: <bluez/bluez/push/refs/heads/master/0831bd-4bbfd9@github.com>

Branch: refs/heads/master
Home: https://github.com/bluez/bluez
Commit: 6b9dff8fe39671037cafcc8b7f76ee3383355115
https://github.com/bluez/bluez/commit/6b9dff8fe39671037cafcc8b7f76ee3383355115
Author: Pauli Virtanen <pav@iki.fi>
Date: 2025-05-05 (Mon, 05 May 2025)
Changed paths:
  M src/shared/vcp.c

Log Message:
-----------
shared/vcp: use iov_pull in input parsing

Check input is right size by using iov_pull* when parsing.

Also replace custom iov_pull_mem by equivalent util_iov_pull_mem, and
add iov_pull_string.

Fixes handling of zero-length string-valued descriptors, !value is not
error.

Fixes crashes like:

ERROR: AddressSanitizer: stack-buffer-overflow
WRITE of size 3 at 0x7b878bb77161 thread T0
    #0 0x7f878eee4821 in memcpy
    #1 0x0000009544d4 in read_aics_aud_ip_type src/shared/vcp.c:2713
    #2 0x000000950cec in vcp_pending_complete src/shared/vcp.c:2394
    #3 0x00000088b2ce in read_cb src/shared/gatt-client.c:2717

Commit: 4bbfd9712857d4983593df23b82eb599907e6a69
https://github.com/bluez/bluez/commit/4bbfd9712857d4983593df23b82eb599907e6a69
Author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: 2025-05-05 (Mon, 05 May 2025)
Changed paths:
  M src/shared/bap.c

Log Message:
-----------
shared/bap: Fix handling of ASCS_Codec_Config

The codec under bt_ascs_config is in little endian which may differ
from the native endianness when it comes to vendor specific fields that
are multibyte, causing the following error:

BAP/USR/SCC/BV-033-C [USR SNK Config Codec, VS] - setup complete
BAP/USR/SCC/BV-033-C [USR SNK Config Codec, VS] - run
...
bt_gatt_server:src/shared/gatt-server.c:write_cb() Write Cmd - handle: 0x0022
bt_bap:src/shared/bap.c:ascs_ase_cp_write() Codec Config
bt_bap:src/shared/bap.c:ascs_config() codec 0xff phy 0x02 latency 2
bt_bap:src/shared/bap.c:ep_config() ep 0x21d6600 id 0x01 dir 0x01
handle 0x0022 len 5
test-bap: > 1b 22 00 01 01 01 09 01 ."......
test-bap: ! 1b 22 00 01 01 01 00 00 ."......

Compare: https://github.com/bluez/bluez/compare/0831bd39a0bd...4bbfd9712857
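
An added illustration of the length-checked "pull" parsing that the first commit message describes; it was written for this page and is not code from src/shared/vcp.c. The helper `pull_mem` and both `parse_*` functions are hypothetical names, and truncating an over-long string to fit the destination is a choice made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/uio.h>

/* Hypothetical pull helper (not the BlueZ function): hand out len bytes
 * from the front of iov and advance it, or return NULL if the input is
 * shorter than len. */
static const uint8_t *pull_mem(struct iovec *iov, size_t len)
{
	const uint8_t *data = iov->iov_base;
	if (iov->iov_len < len)
		return NULL;
	if (len) {
		iov->iov_base = (uint8_t *)iov->iov_base + len;
		iov->iov_len -= len;
	}
	return data;
}

/* Fixed-size field: the copy size comes from the destination type, never
 * from the peer-supplied length. Returns 0 on success, -1 if too short. */
int parse_u8_field(const uint8_t *value, size_t length, uint8_t *out)
{
	struct iovec iov = { .iov_base = (void *)value, .iov_len = length };
	const uint8_t *p = pull_mem(&iov, sizeof(*out));
	if (!p)
		return -1;
	*out = *p;
	return 0;
}

/* String field: value == NULL with length == 0 is a valid empty string.
 * Longer input is truncated to fit dst (a choice made for this example). */
int parse_string_field(const uint8_t *value, size_t length, char *dst, size_t dst_size)
{
	struct iovec iov = { .iov_base = (void *)value, .iov_len = length };
	size_t n;
	const uint8_t *p;

	if (!dst || !dst_size || (!value && length))
		return -1;
	n = length < dst_size - 1 ? length : dst_size - 1;
	p = pull_mem(&iov, n);
	if (n)
		memcpy(dst, p, n);
	dst[n] = '\0';
	return 0;
}
```

A 3-byte value handed to `parse_u8_field` yields only its first byte, which is the input shape behind the "WRITE of size 3" in the sanitizer report quoted above.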