Re: [Bluez-users] hcid dying

[Marcel Holtmann <marcel@holtmann.org>]

[-- Attachment #1: Type: text/plain, Size: 1590 bytes --]

Hi Edd,

> Debian (so I'm not excluding that this might be an error I introduced
> somehow :).
> 
> For me, 2.6.6-mh3 when it last happened, iirc.
> 
> For the bug reporter I spoke to, 2.4.26-1-686 (from Debian.)
> 
> I asked for diagnostics from the reporter, and he sent me the output of
> hciconfig -a, just after he restarted hcid:
> 
> hci0:   Type: USB
>         BD Address: 00:0A:9A:xx:xx:xx ACL MTU: 339:4  SCO MTU: 64:0
>         UP RUNNING PSCAN ISCAN
>         RX bytes:1978 acl:60 sco:0 events:53 errors:0
>         TX bytes:1111 acl:32 sco:0 commands:17 errors:0
>         Features: 0xff 0xff 0x3d 0x00 0x00 0x00 0x00 0x00
>         Packet type: DM1 DM3 DM5 DH1 DH3 DH5 HV1 HV2 HV3
>         Link policy: RSWITCH HOLD SNIFF PARK
>         Link mode: SLAVE ACCEPT
>         Name: 'hactar-0202CC89E0E83C4EC7A99FE7ED3D12E970B...2.c'
>         Class: 0x100100
>         Service Classes: Object Transfer
>         Device Class: Computer, Uncategorized
>         HCI Ver: 1.1 (0x1) HCI Rev: 0x93 LMP Ver: 1.1 (0x1) LMP Subver:
> 0x93
>         Manufacturer: Transilica, Inc. (24)
> 
> notice the weird name.  This is with hcid.conf saying:
> 
> 	name "%h-%d";
> 
> which is the default for Debian.
> 
> Looks like there might be some bug in computing the device number.  It
> should be reading "hactar-0".

the device number is fine, but the expand_name() function is maybe
wrong. I don't know if this related somehow, but if it overwrites the
stack everything can happen. Here is a patch that restricts the device
name. It is untested so I don't know if it works.

Regards

Marcel


[-- Attachment #2: patch --]
[-- Type: text/x-patch, Size: 1939 bytes --]

Index: hcid/lib.c
===================================================================
RCS file: /cvsroot/bluez/utils/hcid/lib.c,v
retrieving revision 1.4
diff -u -b -w -B -r1.4 lib.c
--- hcid/lib.c	28 Apr 2004 12:09:32 -0000	1.4
+++ hcid/lib.c	21 Jun 2004 12:28:22 -0000
@@ -53,7 +53,7 @@
  * Device name expansion 
  * 	%d - device id
  */
-char *expand_name(char *dst, char *str, int dev_id)
+char *expand_name(char *dst, int size, char *str, int dev_id)
 {
 	register int sp, np, olen;
 	char *opt, buf[10];
@@ -62,7 +62,7 @@
 		return NULL;
 
 	sp = np = 0;
-	while (str[sp]) {
+	while (np < size - 1 && str[sp]) {
 		switch (str[sp]) {
 		case '%':
 			opt = NULL;
@@ -88,6 +88,7 @@
 			if (opt) {
 				/* substitute */
 				olen = strlen(opt);
+				if (np + olen < size - 1)
 				memcpy(dst + np, opt, olen);
 				np += olen;
 			}
Index: hcid/lib.h
===================================================================
RCS file: /cvsroot/bluez/utils/hcid/lib.h,v
retrieving revision 1.3
diff -u -b -w -B -r1.3 lib.h
--- hcid/lib.h	28 Apr 2004 12:09:32 -0000	1.3
+++ hcid/lib.h	21 Jun 2004 12:28:22 -0000
@@ -30,7 +30,7 @@
 
 #include <errno.h>
 
-char *expand_name(char *dst, char *str, int dev_id);
+char *expand_name(char *dst, int size, char *str, int dev_id);
 
 char *get_host_name(void);
 
Index: hcid/main.c
===================================================================
RCS file: /cvsroot/bluez/utils/hcid/main.c,v
retrieving revision 1.15
diff -u -b -w -B -r1.15 main.c
--- hcid/main.c	7 May 2004 23:08:03 -0000	1.15
+++ hcid/main.c	21 Jun 2004 12:28:22 -0000
@@ -227,7 +227,8 @@
 	/* Set device name */
 	if (device_opts->name) {
 		change_local_name_cp cp;
-		expand_name(cp.name, device_opts->name, hdev);
+		memset(cp.name, 0, sizeof(cp.name));
+		expand_name(cp.name, sizeof(cp.name), device_opts->name, hdev);
 
 		hci_send_cmd(s, OGF_HOST_CTL, OCF_CHANGE_LOCAL_NAME,
 			CHANGE_LOCAL_NAME_CP_SIZE, (void *) &cp);