From: "Michał Narajowski" <michal.narajowski@codecoup.pl>
To: linux-bluetooth@vger.kernel.org
Cc: "Michał Narajowski" <michal.narajowski@codecoup.pl>
Subject: [PATCH BlueZ v2] monitor/l2cap: Fix buffer overflow when printing UUIDs
Date: Fri, 29 Jul 2016 14:34:07 +0200
Message-ID: <1469795647-9372-1-git-send-email-michal.narajowski@codecoup.pl>
> ACL Data RX: Handle 76 flags 0x02 dlen 18 [hci0] 22.985107
ATT: Read By Group Type Response (0x11) len 13
Attribute data length: 6
Attribute group list: 2 entries
Handle range: 0x0001-0x0007
UUID: Generic Access Profile (0x1800)
Handle range: 0x0008-0x000b
UUID: Generic Attribute Profile (0x1801)
< ACL Data TX: Handle 76 flags 0x00 dlen 11 [hci0] 22.985304
ATT: Read By Group Type Request (0x10) len 6
Handle range: 0x000c-0xffff
Attribute group type: Primary Service (0x2800)
> HCI Event: Number of Completed Packets (0x13) plen 5 [hci0] 23.051113
Num handles: 1
Handle: 76
Count: 1
> ACL Data RX: Handle 76 flags 0x02 dlen 26 [hci0] 23.115103
ATT: Read By Group Type Response (0x11) len 21
Attribute data length: 20
Attribute group list: 1 entry
Handle range: 0x000c-0x0010
*** buffer overflow detected ***: monitor/btmon terminated
==14384== Process terminating with default action of signal 6 (SIGABRT)
==14384== at 0x4E6F418: raise (raise.c:54)
==14384== by 0x4E71019: abort (abort.c:89)
==14384== by 0x4EB1729: __libc_message (libc_fatal.c:175)
==14384== by 0x4F5289B: __fortify_fail (fortify_fail.c:37)
==14384== by 0x4F5089F: __chk_fail (chk_fail.c:28)
==14384== by 0x4F4FE08: _IO_str_chk_overflow (vsprintf_chk.c:31)
==14384== by 0x4EB55DF: _IO_default_xsputn (genops.c:455)
==14384== by 0x4E87DBF: vfprintf (vfprintf.c:1631)
==14384== by 0x4F4FE93: __vsprintf_chk (vsprintf_chk.c:82)
==14384== by 0x4F4FDEC: __sprintf_chk (sprintf_chk.c:31)
==14384== by 0x422826: sprintf (stdio2.h:33)
==14384== by 0x422826: print_uuid (l2cap.c:2014)
==14384== by 0x423373: print_group_list (l2cap.c:2334)
==14384== by 0x423373: att_read_group_type_rsp (l2cap.c:2348)
---
monitor/l2cap.c | 2 +-
monitor/uuid.h | 2 ++
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/monitor/l2cap.c b/monitor/l2cap.c
index 59a3206..f4b54af 100644
--- a/monitor/l2cap.c
+++ b/monitor/l2cap.c
@@ -1999,7 +1999,7 @@ static void print_hex_field(const char *label, const uint8_t *data,
static void print_uuid(const char *label, const void *data, uint16_t size)
{
const char *str;
- char uuidstr[36];
+ char uuidstr[MAX_LEN_UUID_STR];
switch (size) {
case 2:
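Review bot: the new size fixes the off-by-one (36 characters of the xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx form plus the terminator that sprintf() wrote past the end), but print_uuid() still formats into uuidstr with a plain sprintf(), so the buffer size and the format string can drift apart again; consider `snprintf(uuidstr, sizeof(uuidstr), ...)` at the call site so a future mismatch truncates instead of aborting in __sprintf_chk as in the trace above.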
diff --git a/monitor/uuid.h b/monitor/uuid.h
index 6ffc0ee..22d2363 100644
--- a/monitor/uuid.h
+++ b/monitor/uuid.h
@@ -24,6 +24,8 @@
#include <stdint.h>
+#define MAX_LEN_UUID_STR 37
+
const char *uuid16_to_str(uint16_t uuid);
const char *uuid32_to_str(uint32_t uuid);
const char *uuidstr_to_str(const char *uuid);
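Review bot: MAX_LEN_UUID_STR carries no comment saying that the 37 includes the NUL terminator, and "LEN" suggests the 36-character string length rather than the buffer size. Suggest a one-line comment beside the define, e.g. `/* 36 chars of xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx plus NUL */`, so the next buffer sized from it is not declared one byte short again.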
--
2.7.4
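As an added example (not BlueZ's own code), the off-by-one behind this patch: a snprintf()-based 128-bit UUID formatter that reports the 36 characters the 8-4-4-4-12 form needs, so a 36-byte buffer is one short of the 37 bytes the terminator requires. The big-endian byte order and the constructed sample UUID are assumptions.

```c
/* Added example, not BlueZ code. Shows why the UUID string buffer
 * needs 37 bytes: 36 characters plus the NUL terminator.
 * Assumption: the 16 UUID bytes are passed in printing (big-endian) order. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define UUID128_STR_LEN 36                      /* characters, without the NUL */
#define UUID128_STR_SIZE (UUID128_STR_LEN + 1)  /* 37: buffer size incl. NUL */

/* Constructed sample: 128-bit form of the Generic Access Profile UUID 0x1800. */
const uint8_t SAMPLE_GAP_UUID[16] = { 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x10, 0x00,
                                      0x80, 0x00, 0x00, 0x80, 0x5f, 0x9b, 0x34, 0xfb };

/* Formats the UUID into buf, never writing more than size bytes.
 * Returns the number of characters the full string needs (36), so the
 * caller can detect truncation by comparing the result with size. */
int uuid128_to_str(const uint8_t uuid[16], char *buf, size_t size)
{
    return snprintf(buf, size,
        "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x",
        uuid[0], uuid[1], uuid[2], uuid[3], uuid[4], uuid[5], uuid[6], uuid[7],
        uuid[8], uuid[9], uuid[10], uuid[11], uuid[12], uuid[13], uuid[14], uuid[15]);
}

/* Returns 1 if a buffer of `size` bytes holds the full UUID string and its
 * terminator, 0 if it would be truncated. The pre-patch size of 36 fails:
 * with sprintf() the NUL would have landed one byte past the buffer. */
int uuid128_buf_ok(size_t size)
{
    char tmp[UUID128_STR_SIZE];
    int needed = uuid128_to_str(SAMPLE_GAP_UUID, tmp, sizeof(tmp));
    return needed >= 0 && (size_t)needed < size;
}

int main(void)
{
    char buf[UUID128_STR_SIZE];
    int needed = uuid128_to_str(SAMPLE_GAP_UUID, buf, sizeof(buf));
    printf("%s needs %d chars, buffer is %zu bytes\n", buf, needed, sizeof(buf));
    printf("36-byte buffer ok? %d\n", uuid128_buf_ok(36));
    printf("37-byte buffer ok? %d\n", uuid128_buf_ok(37));
    return 0;
}
```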
Thread overview:
2016-07-29 12:34 Michał Narajowski, [PATCH BlueZ v2] monitor/l2cap: Fix buffer overflow when printing UUIDs (this message)
2016-08-12 19:51 Luiz Augusto von Dentz, Re: [PATCH BlueZ v2] monitor/l2cap: Fix buffer overflow when printing UUIDs