From: "Frédéric Dalleau" <frederic.dalleau@linux.intel.com>
To: linux-bluetooth@vger.kernel.org
Cc: "Frédéric Dalleau" <frederic.dalleau@linux.intel.com>
Subject: [PATCH 0/2] Fix crash in profile descriptor list parsing
Date: Mon, 20 Feb 2012 21:57:56 +0100
Message-ID: <1329771478-3935-1-git-send-email-frederic.dalleau@linux.intel.com>
Hi,
I've tried to connect the HFP audio gateway on a Mac running Lion.
bluetoothd crashed. So did sdptool browse.
I guess the whole device has passed qualification, and is widely available, so:
* First patch fixes the crash.
* Second one makes sure profile version can be read.
Hope this helps!
Regards,
Frédéric
Output after running in GDB:
Service Name: Hands Free Audio Gateway
Service RecHandle: 0x10003
Service Class ID List:
"Handsfree Audio Gateway" (0x111f)
"Generic Audio" (0x1203)
Protocol Descriptor List:
"L2CAP" (0x0100)
"RFCOMM" (0x0003)
Channel: 2
Language Base Attr List:
code_ISO639: 0x656e
encoding: 0x6a
base_offset: 0x100
Program received signal SIGSEGV, Segmentation fault.
sdp_get_profile_descs (rec=0x80039520, profDescSeq=0xbfffef38) at lib/sdp.c:2070
2070 sdp_data_t *pVnum = seq->val.dataseq->next;
(gdb) bt
#0 sdp_get_profile_descs (rec=0x80039520, profDescSeq=0xbfffef38) at lib/sdp.c:2070
#1 0x80003f2e in print_service_attr (rec=0x80039520) at tools/sdptool.c:1129
#2 0x80005210 in do_search (bdaddr=0xbffff186, context=0xbffff164) at tools/sdptool.c:3803
#3 0x80005627 in cmd_browse (argc=1, argv=<optimized out>) at tools/sdptool.c:3898
#4 0x800028f4 in main (argc=2, argv=<optimized out>) at tools/sdptool.c:4277
(gdb) l
2065
2066 if (SDP_IS_UUID(seq->dtd)) {
2067 uuid = &seq->val.uuid;
2068 } else {
2069 sdp_data_t *puuid = seq->val.dataseq;
2070 sdp_data_t *pVnum = seq->val.dataseq->next;
2071 if (puuid && pVnum) {
2072 uuid = &puuid->val.uuid;
2073 version = pVnum->val.uint16;
2074 }
(gdb) p *puuid
Cannot access memory at address 0x105
The following is an extract of the hcidump of the record which caused the crash:
aid 0x0009 (BTProfileDescList)
< uuid-16 0x111e (Handsfree) uint 0x105 >
By contrast, other profile versions look like this and are fine with BlueZ:
aid 0x0009 (BTProfileDescList)
< < uuid-16 0x110e (AVRemote) uint 0x103 > >
aid 0x0009 (BTProfileDescList)
< < uuid-16 0x1108 (Headset) uint 0x102 > >
Frédéric Dalleau (2):
sdp: Check type of sdp data before dereferencing
sdp: Fix sdp_get_profile_descs for Mac Os X Lion
lib/sdp.c | 7 ++++++-
lib/sdp.h | 1 +
2 files changed, 7 insertions(+), 1 deletions(-)
--
1.7.5.4
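The report above shows why the parser faults: in the Lion record the profile descriptor list carries the uuid and the uint16 as direct siblings, instead of wrapping them in an inner sequence, so the code reaches the uint node, reads its value (0x105) as a `dataseq` pointer and dereferences it. The following is an added stand-alone example, not BlueZ code and not part of the patches in this thread. It uses a simplified `sdp_data_t` that mirrors the dtd/union/next shape of the real one, with the type descriptor constants and the function names (`parse_profile_descs`, `version_of`) chosen for this example. It checks the element type before touching the union and accepts both the nested form and the flat form seen in the hcidump; the sample lists are constructed from the values quoted in the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* SDP data element type descriptors (values as in the SDP specification;
   only the three needed for this example are defined). */
enum { SDP_UINT16 = 0x09, SDP_UUID16 = 0x19, SDP_SEQ8 = 0x35 };

/* Simplified model of a parsed SDP data element: a type tag, a union whose
   active member depends on that tag, and a sibling link. */
typedef struct sdp_data {
    uint8_t dtd;
    union {
        uint16_t uint16;
        uint16_t uuid16;
        struct sdp_data *dataseq;   /* only valid when dtd is a sequence type */
    } val;
    struct sdp_data *next;
} sdp_data_t;

#define IS_UUID(d)   ((d)->dtd == SDP_UUID16)
#define IS_UINT16(d) ((d)->dtd == SDP_UINT16)
#define IS_SEQ(d)    ((d)->dtd == SDP_SEQ8)

typedef struct { uint16_t uuid; uint16_t version; } profile_desc_t;

/* Walk a BTProfileDescList. Accepts both shapes seen in the report:
     nested: < < uuid-16 0x1108 uint 0x102 > >
     flat:   < uuid-16 0x111e uint 0x105 >    (as sent by the Lion AG)
   Returns the number of descriptors, or -1 if the list is malformed.
   Every union access is guarded by a type check on the element, so a
   uint16 node is never read as a dataseq pointer. */
int parse_profile_descs(const sdp_data_t *list, profile_desc_t *out, int max)
{
    int n = 0;
    const sdp_data_t *e = list;
    while (e) {
        const sdp_data_t *u, *v;
        if (IS_SEQ(e)) {                 /* nested: descriptor is an inner sequence */
            u = e->val.dataseq;
            v = u ? u->next : NULL;
            e = e->next;
        } else if (IS_UUID(e)) {         /* flat: uuid and version are siblings */
            u = e;
            v = e->next;
            e = v ? v->next : NULL;
        } else {
            return -1;                   /* a descriptor cannot start with this type */
        }
        if (!u || !IS_UUID(u) || !v || !IS_UINT16(v))
            return -1;                   /* truncated pair or wrong element types */
        if (n < max) {
            out[n].uuid = u->val.uuid16;
            out[n].version = v->val.uint16;
        }
        n++;
    }
    return n;
}

/* Convenience lookup: profile version for a uuid, -1 if absent or malformed. */
int version_of(const sdp_data_t *list, uint16_t uuid)
{
    profile_desc_t d[8];
    int n = parse_profile_descs(list, d, 8);
    if (n < 0) return -1;
    if (n > 8) n = 8;
    for (int i = 0; i < n; i++)
        if (d[i].uuid == uuid) return d[i].version;
    return -1;
}

/* Constructed sample lists, built from the hcidump values in the report. */
/* Lion: flat pair < uuid-16 0x111e uint 0x105 > */
static sdp_data_t lion_ver  = { SDP_UINT16, { .uint16 = 0x105 }, NULL };
static sdp_data_t lion_list = { SDP_UUID16, { .uuid16 = 0x111e }, &lion_ver };
/* Nested: < < uuid-16 0x110e uint 0x103 > < uuid-16 0x1108 uint 0x102 > > */
static sdp_data_t hs_ver  = { SDP_UINT16, { .uint16 = 0x102 }, NULL };
static sdp_data_t hs_uuid = { SDP_UUID16, { .uuid16 = 0x1108 }, &hs_ver };
static sdp_data_t hs_seq  = { SDP_SEQ8,   { .dataseq = &hs_uuid }, NULL };
static sdp_data_t av_ver  = { SDP_UINT16, { .uint16 = 0x103 }, NULL };
static sdp_data_t av_uuid = { SDP_UUID16, { .uuid16 = 0x110e }, &av_ver };
static sdp_data_t nested_list = { SDP_SEQ8, { .dataseq = &av_uuid }, &hs_seq };
/* Malformed: flat uuid with the version element missing. */
static sdp_data_t bad_list = { SDP_UUID16, { .uuid16 = 0x111e }, NULL };

int main(void)
{
    printf("Lion HFP AG version: 0x%x\n", version_of(&lion_list, 0x111e));
    printf("AVRCP version:       0x%x\n", version_of(&nested_list, 0x110e));
    printf("Headset version:     0x%x\n", version_of(&nested_list, 0x1108));
    printf("truncated list:      %d\n", version_of(&bad_list, 0x111e));
    return 0;
}
```

The point of the guard is that the union member being read must be chosen from `dtd`, never from the position the element was expected to have; the same check keeps a truncated pair from being read past its end.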
Thread overview: 6+ messages
2012-02-20 20:57 Frédéric Dalleau [this message]
2012-02-20 20:57 ` [PATCH 1/2] sdp: Check type of sdp data before dereferencing Frédéric Dalleau
2012-02-20 20:57 ` [PATCH 2/2] sdp: Fix sdp_get_profile_descs for Mac Os X Lion Frédéric Dalleau
2012-03-13 14:20 ` Johan Hedberg
2012-03-14 15:11 ` Dalleau, Frederic
2012-03-08 10:11 ` [PATCH 0/2] Fix crash in profile descriptor list parsing Dalleau, Frederic