From: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
To: linux-bluetooth@vger.kernel.org
Subject: [PATCH BlueZ 1/6] lib/uuid: Fix using uninitialized values
Date: Thu, 28 Jul 2016 17:27:45 +0300
Message-ID: <1469716070-16506-2-git-send-email-luiz.dentz@gmail.com>
In-Reply-To: <1469716070-16506-1-git-send-email-luiz.dentz@gmail.com>
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
The strings passed to bt_uuid_strcmp may not be valid UUIDs, so the return
of bt_string_to_uuid needs to be checked; otherwise bt_uuid_cmp may attempt
to access uninitialized values:
Conditional jump or move depends on uninitialised value(s)
at 0x4C1D4D: bt_uuid_to_uuid128 (uuid.c:78)
by 0x4C1F22: bt_uuid_cmp (uuid.c:131)
by 0x4C24A8: bt_uuid_strcmp (uuid.c:286)
by 0x40F8A8: reconnect_match (policy.c:514)
by 0x40F8A8: service_cb (policy.c:655)
by 0x499331: change_state (service.c:109)
by 0x499BBB: btd_service_connecting_complete (service.c:361)
by 0x4178C1: stream_state_changed (source.c:163)
by 0x422C78: avdtp_sep_set_state (avdtp.c:1013)
by 0x42372A: handle_transport_connect (avdtp.c:844)
by 0x423D8B: avdtp_connect_cb (avdtp.c:2326)
by 0x465BBB: connect_cb (btio.c:232)
by 0x50CA702: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.4800.1)
Uninitialised value was created by a stack allocation
at 0x4C2460: bt_uuid_strcmp (uuid.c:280)
---
lib/uuid.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/lib/uuid.c b/lib/uuid.c
index ac071fa..d4c7002 100644
--- a/lib/uuid.c
+++ b/lib/uuid.c
@@ -280,8 +280,11 @@ int bt_uuid_strcmp(const void *a, const void *b)
{
bt_uuid_t u1, u2;
- bt_string_to_uuid(&u1, a);
- bt_string_to_uuid(&u2, b);
+ if (bt_string_to_uuid(&u1, a) < 0)
+ return -EINVAL;
+
+ if (bt_string_to_uuid(&u2, b) < 0)
+ return -EINVAL;
return bt_uuid_cmp(&u1, &u2);
}
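Review bot: the two new early returns of -EINVAL reuse the value space of bt_uuid_cmp, whose sign encodes ordering, so any caller that uses bt_uuid_strcmp as a three-way comparator will treat an unparsable string as "sorts before" instead of as an error; only callers that test for exactly zero (as the match predicate reconnect_match at policy.c:514 in the trace does) get the intended behaviour. Consider stating above `int bt_uuid_strcmp(const void *a, const void *b)` that a negative result may also indicate an invalid input string, or audit the remaining callers for ordering use. Also confirm that lib/uuid.c already includes <errno.h>, since the hunk introduces EINVAL without adding the include.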
--
2.7.4
Thread overview:
2016-07-28 14:27 [PATCH BlueZ 0/6] plugins/policy: Fixes Luiz Augusto von Dentz
2016-07-28 14:27 ` Luiz Augusto von Dentz [this message]
2016-07-28 14:27 ` [PATCH BlueZ 2/6] plugins/policy: Revert patch 96db78604252eeb17614b9982ced95fd66c6c6fc Luiz Augusto von Dentz
2016-07-28 14:27 ` [PATCH BlueZ 3/6] plugins/policy: Set list separator Luiz Augusto von Dentz
2016-07-28 14:27 ` [PATCH BlueZ 4/6] main.conf: Remove spaces in reconnect list parameters Luiz Augusto von Dentz
2016-07-28 14:27 ` [PATCH BlueZ 5/6] plugins/policy: Disable other connect policies while reconnect is active Luiz Augusto von Dentz
2016-07-28 14:27 ` [PATCH BlueZ 6/6] audio/a2dp: Fix always setting -EAGAIN for all errors Luiz Augusto von Dentz
2016-08-01 11:57 ` [PATCH BlueZ 0/6] plugins/policy: Fixes Luiz Augusto von Dentz