From: "Inga Stotland" <ingas@codeaurora.org>
To: "'Johan Hedberg'" <johan.hedberg@gmail.com>,
"'Vinicius Costa Gomes'" <vinicius.gomes@openbossa.org>
Cc: <linux-bluetooth@vger.kernel.org>,
"'Bruna Moreira'" <bruna.moreira@openbossa.org>
Subject: RE: [PATCH v2 1/7] Fix invalid memory access when EIR field length is zero
Date: Thu, 11 Nov 2010 16:24:45 -0800
Message-ID: <000b01cb8200$02c24c90$0846e5b0$@org>
In-Reply-To: <20101111210705.GB24514@jh-x301>
Hi Johan,
-----Original Message-----
From: linux-bluetooth-owner@vger.kernel.org
[mailto:linux-bluetooth-owner@vger.kernel.org] On Behalf Of Johan Hedberg
Sent: Thursday, November 11, 2010 1:07 PM
To: Vinicius Costa Gomes
Cc: linux-bluetooth@vger.kernel.org; Bruna Moreira
Subject: Re: [PATCH v2 1/7] Fix invalid memory access when EIR field length
is zero
Hi,
On Thu, Nov 11, 2010, Vinicius Costa Gomes wrote:
> diff --git a/src/adapter.c b/src/adapter.c
> index b1aabbd..8b742b7 100644
> --- a/src/adapter.c
> +++ b/src/adapter.c
> @@ -2977,14 +2977,13 @@ static char **get_eir_uuids(uint8_t *eir_data,
size_t *uuid_count)
> unsigned int i;
>
> while (len < EIR_DATA_LENGTH - 1) {
> - uint8_t type = eir_data[1];
> uint8_t field_len = eir_data[0];
>
> /* Check for the end of EIR */
> if (field_len == 0)
> break;
>
> - switch (type) {
> + switch (eir_data[1]) {
> case EIR_UUID16_SOME:
> case EIR_UUID16_ALL:
> uuid16_count = field_len / 2;
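Review bot: in the switch, `uuid16_count = field_len / 2` uses `field_len` with only the zero test in front of it; nothing in this hunk compares it with the space left in the buffer, and the loop condition bounds `len` alone. If the code that follows reads that many UUID bytes, a length byte larger than the remainder of the EIR data would take the parser past EIR_DATA_LENGTH. Consider a check right after the zero test, for example `if (len + field_len + 1 > EIR_DATA_LENGTH) break;`.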
Pushed upstream. Thanks.
Johan
--
Was there a bug to begin with? :)
The access to eir_data[1] was always valid due to the check (len <
EIR_DATA_LENGTH - 1)
and the fact that eir_data is a buffer of fixed length of EIR_DATA_LENGTH
(240 bytes).
Oh well, it's upstream already.
Inga
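
The bounds argument in the reply above, as an added example that is not part of the original message or of the project's adapter.c: a stand-alone C walk over a fixed 240-byte EIR buffer that stops at a zero length byte before looking at the type and, going beyond the quoted hunk, rejects a field whose length runs past the buffer. The function names, the type codes 0x02/0x03/0x09 and the sample bytes are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EIR_DATA_LENGTH 240	/* fixed buffer size, as stated in the message */
#define EIR_UUID16_SOME 0x02	/* assumed values: Bluetooth assigned numbers */
#define EIR_UUID16_ALL  0x03

/* Hypothetical helper: count 16-bit UUIDs in a full EIR_DATA_LENGTH buffer.
 * Returns -1 when a field claims more bytes than the buffer has left. */
int eir_count_uuid16(const uint8_t *eir)
{
	size_t len = 0;
	int count = 0;
	/* len <= EIR_DATA_LENGTH - 2 here, so eir[len] and eir[len + 1] exist */
	while (len < EIR_DATA_LENGTH - 1) {
		uint8_t field_len = eir[len];
		if (field_len == 0)	/* end of EIR: eir[len + 1] is not a type */
			break;
		if (len + 1 + field_len > EIR_DATA_LENGTH)
			return -1;	/* field data would run past the buffer */
		if (eir[len + 1] == EIR_UUID16_SOME || eir[len + 1] == EIR_UUID16_ALL)
			count += (field_len - 1) / 2;	/* length includes type byte */
		len += (size_t)field_len + 1;
	}
	return count;
}

/* Constructed input: zeroed buffer, optional filler field covering bytes
 * 0..off-1 (off >= 2), then n sample bytes at off (off + n <= 240). */
int parse_sample(size_t off, const uint8_t *bytes, size_t n)
{
	uint8_t eir[EIR_DATA_LENGTH] = { 0 };
	if (off >= 2) {
		eir[0] = (uint8_t)(off - 1);
		eir[1] = 0x09;	/* filler type, not a UUID list */
	}
	memcpy(eir + off, bytes, n);
	return eir_count_uuid16(eir);
}

static const uint8_t two_uuids[] = { 0x05, 0x03, 0x0f, 0x11, 0x0a, 0x11 };
static const uint8_t zero_len[] = { 0x00, 0x03, 0x0f, 0x11 };
static const uint8_t last_field[] = { 0x01, 0x03 };

int main(void)
{
	printf("%d %d %d %d\n", parse_sample(0, two_uuids, 6), parse_sample(0, zero_len, 4),
	       parse_sample(236, two_uuids, 4), parse_sample(238, last_field, 2));
	return 0;
}
```

The last sample places a one-byte field at offset 238, the final position the loop condition admits, so the type is read from index 239, the last byte of the buffer.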