Linux bluetooth development
From: "Inga Stotland" <ingas@codeaurora.org>
To: "'Johan Hedberg'" <johan.hedberg@gmail.com>,
	"'Vinicius Costa Gomes'" <vinicius.gomes@openbossa.org>
Cc: <linux-bluetooth@vger.kernel.org>,
	"'Bruna Moreira'" <bruna.moreira@openbossa.org>
Subject: RE: [PATCH v2 1/7] Fix invalid memory access when EIR field length is zero
Date: Thu, 11 Nov 2010 16:24:45 -0800
Message-ID: <000b01cb8200$02c24c90$0846e5b0$@org>
In-Reply-To: <20101111210705.GB24514@jh-x301>

Hi Johan,

-----Original Message-----
From: linux-bluetooth-owner@vger.kernel.org
[mailto:linux-bluetooth-owner@vger.kernel.org] On Behalf Of Johan Hedberg
Sent: Thursday, November 11, 2010 1:07 PM
To: Vinicius Costa Gomes
Cc: linux-bluetooth@vger.kernel.org; Bruna Moreira
Subject: Re: [PATCH v2 1/7] Fix invalid memory access when EIR field length is zero

Hi,

On Thu, Nov 11, 2010, Vinicius Costa Gomes wrote:
> diff --git a/src/adapter.c b/src/adapter.c
> index b1aabbd..8b742b7 100644
> --- a/src/adapter.c
> +++ b/src/adapter.c
> @@ -2977,14 +2977,13 @@ static char **get_eir_uuids(uint8_t *eir_data,
size_t *uuid_count)
>  	unsigned int i;
>  
>  	while (len < EIR_DATA_LENGTH - 1) {
> -		uint8_t type = eir_data[1];
>  		uint8_t field_len = eir_data[0];
>  
>  		/* Check for the end of EIR */
>  		if (field_len == 0)
>  			break;
>  
> -		switch (type) {
> +		switch (eir_data[1]) {
>  		case EIR_UUID16_SOME:
>  		case EIR_UUID16_ALL:
>  			uuid16_count = field_len / 2;
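Review bot: within the visible lines field_len is checked only for zero, not against the bytes still available after eir_data, so moving the eir_data[1] read below the zero check only changes when the type byte is read; uuid16_count = field_len / 2 can still describe more UUIDs than remain in the buffer when a field's length byte overruns the end of the EIR data. Consider bounding field_len against the remaining length (EIR_DATA_LENGTH - len - 1) before the switch. As a style point, keeping a named local after the zero check (uint8_t type = eir_data[1];) would preserve the readability of the switch rather than indexing inline.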

Pushed upstream. Thanks.

Johan
--

Was there a bug to begin with? :)
The access to eir_data[1] was always valid due to the check (len < EIR_DATA_LENGTH - 1)
and the fact that eir_data is a buffer of fixed length of EIR_DATA_LENGTH (240 bytes).
Oh well, it's upstream already.

Inga
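The two bounds discussed in this thread, the loop guard over a fixed 240-byte buffer that Inga describes and the field-length check that the patch's subject refers to, as an added stand-alone example that is not BlueZ code and not the get_eir_uuids() from the patch: a bounded EIR parser that walks length/type/data fields, stops at the zero terminator, rejects a field whose length byte overruns the remaining bytes, and extracts 16-bit UUIDs. The EIR_* constants, the function names and the sample buffers are assumptions constructed for this example; the type values 0x02 and 0x03 follow the Bluetooth EIR data-type assignments for incomplete and complete 16-bit UUID lists.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EIR_DATA_LENGTH 240        /* fixed EIR buffer size (assumption) */
#define EIR_UUID16_SOME 0x02       /* incomplete list of 16-bit UUIDs */
#define EIR_UUID16_ALL  0x03       /* complete list of 16-bit UUIDs */
#define MAX_UUID16 (EIR_DATA_LENGTH / 2)

/* Walk the EIR fields in eir[0..eir_len) and copy every 16-bit UUID into
 * out. Each field is [len][type][data...], where len counts the type byte
 * plus the data; len == 0 ends the significant data. Returns 0 and stores
 * the UUID count in *count, or -1 if a field claims more bytes than remain
 * or out is too small. */
int eir_get_uuid16(const uint8_t *eir, size_t eir_len,
                   uint16_t *out, size_t out_max, size_t *count)
{
    size_t pos = 0, n = 0;

    if (eir_len > EIR_DATA_LENGTH)
        return -1;

    /* Both the length byte and the type byte must lie inside the buffer;
     * this is the same guard as len < EIR_DATA_LENGTH - 1 in the thread. */
    while (pos + 1 < eir_len) {
        uint8_t field_len = eir[pos];
        uint8_t type;
        size_t i, end;

        if (field_len == 0)             /* end of EIR */
            break;

        /* The check the patch does not add: a length byte that runs past
         * the end of the buffer would let the UUID loop read beyond it. */
        if (pos + 1 + field_len > eir_len)
            return -1;

        type = eir[pos + 1];
        end = pos + 1 + field_len;      /* one past the field's last byte */

        switch (type) {
        case EIR_UUID16_SOME:
        case EIR_UUID16_ALL:
            /* field_len - 1 data bytes, little-endian 16-bit UUIDs;
             * a trailing odd byte is ignored rather than read past end. */
            for (i = pos + 2; i + 1 < end; i += 2) {
                if (n >= out_max)
                    return -1;
                out[n++] = (uint16_t)(eir[i] | (eir[i + 1] << 8));
            }
            break;
        default:
            break;                      /* other types are skipped */
        }
        pos = end;
    }

    *count = n;
    return 0;
}

/* Constructed sample: a complete list of two UUIDs (0x1101, 0x110B),
 * a complete local name "ab" (type 0x09), then the zero terminator in a
 * full 240-byte buffer. Returns the UUID count (2) or a negative code. */
int demo_well_formed(void)
{
    uint8_t eir[EIR_DATA_LENGTH] = {
        0x05, EIR_UUID16_ALL, 0x01, 0x11, 0x0B, 0x11,
        0x03, 0x09, 'a', 'b',
        0x00 };
    uint16_t uuids[MAX_UUID16];
    size_t n;

    if (eir_get_uuid16(eir, sizeof(eir), uuids, MAX_UUID16, &n) < 0)
        return -1;
    if (n != 2 || uuids[0] != 0x1101 || uuids[1] != 0x110B)
        return -2;
    return (int)n;
}

/* Constructed sample: the length byte claims 5 bytes but only 3 follow.
 * The parser must report -1 instead of reading past the buffer. */
int demo_overrun(void)
{
    uint8_t eir[] = { 0x05, EIR_UUID16_ALL, 0x01, 0x11 };
    uint16_t uuids[MAX_UUID16];
    size_t n;

    return eir_get_uuid16(eir, sizeof(eir), uuids, MAX_UUID16, &n);
}

/* Constructed sample: one 238-byte manufacturer-data field (type 0xFF)
 * fills the buffer up to index 238, leaving a single nonzero byte at
 * index 239. The pos + 1 < eir_len guard stops before reading a type byte
 * past the buffer; returns the UUID count (0) or -1. */
int demo_trailing_length_byte(void)
{
    uint8_t eir[EIR_DATA_LENGTH];
    uint16_t uuids[MAX_UUID16];
    size_t i, n;

    for (i = 0; i < sizeof(eir); i++)
        eir[i] = 0xAA;
    eir[0] = 238;
    eir[1] = 0xFF;
    eir[239] = 0x07;                    /* length byte with nothing after it */
    if (eir_get_uuid16(eir, sizeof(eir), uuids, MAX_UUID16, &n) < 0)
        return -1;
    return (int)n;
}

int main(void)
{
    printf("well-formed: %d uuids\n", demo_well_formed());
    printf("overrun: %d\n", demo_overrun());
    printf("trailing length byte: %d uuids\n", demo_trailing_length_byte());
    return 0;
}
```

The overrun check is the one that matters for the reads after the type byte: with a 240-byte buffer and the pos + 1 < eir_len guard, eir[pos + 1] is always inside the buffer, exactly as Inga says, but the UUID loop that follows trusts field_len and needs its own bound.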


Thread overview: 20+ messages
2010-11-11 18:51 [PATCH v2 1/7] Fix invalid memory access when EIR field length is zero Vinicius Costa Gomes
2010-11-11 18:51 ` [PATCH v2 2/7] Refactor get_eir_uuids() to get EIR data length parameter Vinicius Costa Gomes
2010-11-11 21:09   ` Johan Hedberg
2010-11-11 18:51 ` [PATCH v2 3/7] Refactoring adapter_update_found_devices() function Vinicius Costa Gomes
2010-11-11 20:49   ` Luiz Augusto von Dentz
2010-11-11 21:10   ` Johan Hedberg
2010-11-11 18:51 ` [PATCH v2 4/7] Initial advertising data parsing implementation Vinicius Costa Gomes
2010-11-11 21:10   ` Luiz Augusto von Dentz
2010-11-11 21:16   ` Johan Hedberg
2010-11-11 18:51 ` [PATCH v2 5/7] Advertising data: extract local name Vinicius Costa Gomes
2010-11-11 18:52 ` [PATCH v2 6/7] Extract service UUIDs from advertising data Vinicius Costa Gomes
2010-11-11 18:52 ` [PATCH v2 7/7] Emit "DeviceFound" signal for LE devices Vinicius Costa Gomes
2010-11-11 20:54 ` [PATCH v2 1/7] Fix invalid memory access when EIR field length is zero Luiz Augusto von Dentz
2010-11-11 21:00   ` Johan Hedberg
2010-11-11 21:07 ` Johan Hedberg
2010-11-12  0:24   ` Inga Stotland [this message]
2010-11-12 16:54     ` Johan Hedberg
2010-11-12 17:38       ` Gustavo F. Padovan
2010-11-13  1:00       ` Anderson Lizardo
2010-11-16  0:41         ` Inga Stotland
