linux-bluetooth.vger.kernel.org archive mirror
* [PATCH BlueZ v2 0/1] Bug Fix for Memory overwrite
@ 2022-10-07 17:45 Abhay Maheta
  2022-10-07 17:45 ` [PATCH BlueZ 1/1] shared/bap: Fix handling memory overwrite during ASE Enable Operation Abhay Maheta
                   ` (2 more replies)
  0 siblings, 3 replies; 8+ messages in thread
From: Abhay Maheta @ 2022-10-07 17:45 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: Abhay Maheta

Fix to avoid memory overwrite during ASE stream enable operation.

Abhay Maheta (1):
  shared/bap: Fixing memory overwrite during ASE Enable Operation

 src/shared/bap.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

-- 
2.25.1



* [PATCH BlueZ 1/1] shared/bap: Fix handling memory overwrite during ASE Enable Operation
  2022-10-07 17:45 [PATCH BlueZ v2 0/1] Bug Fix for Memory overwrite Abhay Maheta
@ 2022-10-07 17:45 ` Abhay Maheta
  2022-10-07 18:22   ` Bug Fix for Memory overwrite bluez.test.bot
  2022-10-07 17:45 ` [PATCH BlueZ v2 1/1] shared/bap: Fixing memory overwrite during ASE Enable Operation Abhay Maheta
  2022-10-10 20:00 ` [PATCH BlueZ v2 0/1] Bug Fix for Memory overwrite patchwork-bot+bluetooth
  2 siblings, 1 reply; 8+ messages in thread
From: Abhay Maheta @ 2022-10-07 17:45 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: Abhay Maheta

This fixes a memory overwrite during ASE Enable operation handling.
It avoids crashing of bluetoothd if metadata of more than the size of
size_t is received.

This also fixes storing the metadata in the stream structure.
---
 src/shared/bap.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/shared/bap.c b/src/shared/bap.c
index 178407387..c3c0d596f 100644
--- a/src/shared/bap.c
+++ b/src/shared/bap.c
@@ -958,10 +958,14 @@ static void stream_notify_metadata(struct bt_bap_stream *stream)
 	struct bt_ascs_ase_status *status;
 	struct bt_ascs_ase_status_metadata *meta;
 	size_t len;
+	size_t meta_len = 0;
 
 	DBG(stream->bap, "stream %p", stream);
 
-	len = sizeof(*status) + sizeof(*meta) + sizeof(stream->meta->iov_len);
+	if (stream->meta)
+		meta_len = stream->meta->iov_len;
+
+	len = sizeof(*status) + sizeof(*meta) + meta_len;
 	status = malloc(len);
 
 	memset(status, 0, len);
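Review bot: the removed line sized the buffer with `sizeof(stream->meta->iov_len)`, which is the size of the `iov_len` field (sizeof(size_t)) and not the number of metadata bytes, so the allocation had the same fixed size whatever metadata arrived, and `stream->meta` was dereferenced even when NULL; the new `if (stream->meta) meta_len = stream->meta->iov_len;` addresses both. Two points remain in this hunk: `status = malloc(len);` is followed directly by `memset(status, 0, len);` with no NULL check, so an allocation failure still crashes bluetoothd, and the copy of the metadata bytes into `status` lies outside the shown context, so please confirm it copies exactly `meta_len` bytes so that the allocation and the copy cannot diverge again.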
@@ -1743,7 +1747,7 @@ static uint8_t ep_enable(struct bt_bap_endpoint *ep, struct bt_bap *bap,
 		return 0;
 	}
 
-	return stream_enable(ep->stream, iov, rsp);
+	return stream_enable(ep->stream, &meta, rsp);
 }
 
 static uint8_t ascs_enable(struct bt_ascs *ascs, struct bt_bap *bap,
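Review bot: the only change here is `stream_enable(ep->stream, iov, rsp)` becoming `stream_enable(ep->stream, &meta, rsp)`, but the context shows neither where `meta` is declared nor how it is parsed out of the Enable request, and the commit message says only that it "fixes storing metadata". Please spell out in the message what `iov` pointed at and why that was wrong, and confirm that `stream_enable()` copies the iovec's contents rather than keeping the pointer, since `&meta` takes the address of what appears to be a local of `ep_enable()` that no longer exists once the function returns.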
-- 
2.25.1
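The sizing mistake the first hunk corrects, as a stand-alone C model added here (not code from BlueZ or from this patch): `sizeof(iov_len)` is a compile-time constant, so the old computation reserved the same buffer however much metadata the peer sent. The struct layouts, the `HDR_LEN` macro and the `notify_len_*`/`build_notify` helpers are simplified assumptions, not the real `bt_ascs_ase_status` definitions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/uio.h>

/* Simplified stand-ins (assumed layouts, not BlueZ's real structs). */
struct ase_status { uint8_t id; uint8_t state; } __attribute__((packed));
struct ase_status_metadata { uint8_t cig_id; uint8_t cis_id; uint8_t len; } __attribute__((packed));
#define HDR_LEN (sizeof(struct ase_status) + sizeof(struct ase_status_metadata))

/* Pre-patch sizing: sizeof() of the iov_len *field* is the constant
 * sizeof(size_t), whatever the metadata length actually is. */
size_t notify_len_buggy(const struct iovec *meta)
{
	return HDR_LEN + sizeof(meta->iov_len);
}

/* Patched sizing: the real length, 0 when the stream carries no metadata. */
size_t notify_len_fixed(const struct iovec *meta)
{
	return HDR_LEN + (meta ? meta->iov_len : 0);
}

/* Build the notification into a fresh buffer of alloc_len bytes, refusing
 * to copy when the metadata would not fit (the pre-patch code had no such
 * guard, so over-long Enable metadata overran the heap allocation).
 * Returns the bytes used, or 0 on a size problem; caller frees *out. */
size_t build_notify(const struct iovec *meta, size_t alloc_len, uint8_t **out)
{
	size_t need = notify_len_fixed(meta);
	struct ase_status_metadata *m;
	uint8_t *buf;

	*out = NULL;
	if (need > alloc_len || (meta && meta->iov_len > UINT8_MAX))
		return 0;	/* would overflow buf or the 1-byte len field */
	buf = calloc(1, alloc_len);
	if (!buf)
		return 0;
	m = (struct ase_status_metadata *)(buf + sizeof(struct ase_status));
	if (meta && meta->iov_len) {
		m->len = (uint8_t)meta->iov_len;
		memcpy(m + 1, meta->iov_base, meta->iov_len);
	}
	*out = buf;
	return need;
}
```

With 16 bytes of metadata the buggy computation yields only 5 + sizeof(size_t) bytes, so `build_notify()` refuses to copy into a buffer of that size while the fixed 21-byte allocation succeeds.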



* [PATCH BlueZ v2 1/1] shared/bap: Fixing memory overwrite during ASE Enable Operation
  2022-10-07 17:45 [PATCH BlueZ v2 0/1] Bug Fix for Memory overwrite Abhay Maheta
  2022-10-07 17:45 ` [PATCH BlueZ 1/1] shared/bap: Fix handling memory overwrite during ASE Enable Operation Abhay Maheta
@ 2022-10-07 17:45 ` Abhay Maheta
  2022-10-07 18:22   ` [BlueZ,v2,1/1] " bluez.test.bot
                     ` (2 more replies)
  2022-10-10 20:00 ` [PATCH BlueZ v2 0/1] Bug Fix for Memory overwrite patchwork-bot+bluetooth
  2 siblings, 3 replies; 8+ messages in thread
From: Abhay Maheta @ 2022-10-07 17:45 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: Abhay Maheta

This fixes a memory overwrite during ASE Enable operation handling.
It avoids crashing of bluetoothd if metadata of more than the size of
size_t is received.

This also fixes storing the metadata in the stream structure.
---
 src/shared/bap.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/shared/bap.c b/src/shared/bap.c
index 178407387..c3c0d596f 100644
--- a/src/shared/bap.c
+++ b/src/shared/bap.c
@@ -958,10 +958,14 @@ static void stream_notify_metadata(struct bt_bap_stream *stream)
 	struct bt_ascs_ase_status *status;
 	struct bt_ascs_ase_status_metadata *meta;
 	size_t len;
+	size_t meta_len = 0;
 
 	DBG(stream->bap, "stream %p", stream);
 
-	len = sizeof(*status) + sizeof(*meta) + sizeof(stream->meta->iov_len);
+	if (stream->meta)
+		meta_len = stream->meta->iov_len;
+
+	len = sizeof(*status) + sizeof(*meta) + meta_len;
 	status = malloc(len);
 
 	memset(status, 0, len);
@@ -1743,7 +1747,7 @@ static uint8_t ep_enable(struct bt_bap_endpoint *ep, struct bt_bap *bap,
 		return 0;
 	}
 
-	return stream_enable(ep->stream, iov, rsp);
+	return stream_enable(ep->stream, &meta, rsp);
 }
 
 static uint8_t ascs_enable(struct bt_ascs *ascs, struct bt_bap *bap,
-- 
2.25.1



* RE: Bug Fix for Memory overwrite
  2022-10-07 17:45 ` [PATCH BlueZ 1/1] shared/bap: Fix handling memory overwrite during ASE Enable Operation Abhay Maheta
@ 2022-10-07 18:22   ` bluez.test.bot
  0 siblings, 0 replies; 8+ messages in thread
From: bluez.test.bot @ 2022-10-07 18:22 UTC (permalink / raw)
  To: linux-bluetooth, abhay.maheshbhai.maheta


This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=683768

---Test result---

Test Summary:
CheckPatch                    PASS      1.10 seconds
GitLint                       FAIL      0.79 seconds
Prep - Setup ELL              PASS      26.37 seconds
Build - Prep                  PASS      0.70 seconds
Build - Configure             PASS      8.23 seconds
Build - Make                  PASS      738.27 seconds
Make Check                    PASS      11.82 seconds
Make Check w/Valgrind         PASS      288.32 seconds
Make Distcheck                PASS      235.30 seconds
Build w/ext ELL - Configure   PASS      8.28 seconds
Build w/ext ELL - Make        PASS      83.71 seconds
Incremental Build w/ patches  PASS      0.00 seconds
Scan Build                    PASS      511.94 seconds

Details
##############################
Test: GitLint - FAIL
Desc: Run gitlint with rule in .gitlint
Output:
[BlueZ,1/1] shared/bap: Fix handling memory overwrite during ASE Enable Operation
1: T1 Title exceeds max length (81>80): "[BlueZ,1/1] shared/bap: Fix handling memory overwrite during ASE Enable Operation"




---
Regards,
Linux Bluetooth



* RE: [BlueZ,v2,1/1] shared/bap: Fixing memory overwrite during ASE Enable Operation
  2022-10-07 17:45 ` [PATCH BlueZ v2 1/1] shared/bap: Fixing memory overwrite during ASE Enable Operation Abhay Maheta
@ 2022-10-07 18:22   ` bluez.test.bot
  2022-10-07 19:25   ` bluez.test.bot
  2022-10-10 20:00   ` [PATCH BlueZ v2 1/1] " patchwork-bot+bluetooth
  2 siblings, 0 replies; 8+ messages in thread
From: bluez.test.bot @ 2022-10-07 18:22 UTC (permalink / raw)
  To: linux-bluetooth, abhay.maheshbhai.maheta


This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=683769

---Test result---

Test Summary:
CheckPatch                    PASS      1.44 seconds
GitLint                       PASS      0.99 seconds
Prep - Setup ELL              FAIL      22.29 seconds
Build - Prep                  PASS      0.85 seconds
Build - Configure             PASS      8.60 seconds
Build - Make                  PASS      829.16 seconds
Make Check                    PASS      11.32 seconds
Make Check w/Valgrind         PASS      290.40 seconds
Make Distcheck                PASS      235.65 seconds
Build w/ext ELL - Configure   FAIL      5.82 seconds
Build w/ext ELL - Make        SKIPPED   0.38 seconds
Incremental Build w/ patches  PASS      0.00 seconds
Scan Build                    PASS      534.74 seconds

Details
##############################
Test: Prep - Setup ELL - FAIL
Desc: Clone, build, and install ELL
Output:
writing RSA key
writing RSA key
writing RSA key
writing RSA key
writing RSA key
make[1]: *** [Makefile:3276: unit/cert-intca.pem] Error 1
make[1]: *** Waiting for unfinished jobs....
make: *** [Makefile:1264: all] Error 2


##############################
Test: Build w/ext ELL - Configure - FAIL
Desc: Configure BlueZ source with '--enable-external-ell' configuration
Output:
configure.ac:21: installing './compile'
configure.ac:36: installing './config.guess'
configure.ac:36: installing './config.sub'
configure.ac:5: installing './install-sh'
configure.ac:5: installing './missing'
Makefile.am: installing './depcomp'
parallel-tests: installing './test-driver'
configure: error: Embedded Linux library >= 0.39 is required


##############################
Test: Build w/ext ELL - Make - SKIPPED
Desc: Build BlueZ source with '--enable-external-ell' configuration
Output:
build_extell test did not pass



---
Regards,
Linux Bluetooth



* RE: [BlueZ,v2,1/1] shared/bap: Fixing memory overwrite during ASE Enable Operation
  2022-10-07 17:45 ` [PATCH BlueZ v2 1/1] shared/bap: Fixing memory overwrite during ASE Enable Operation Abhay Maheta
  2022-10-07 18:22   ` [BlueZ,v2,1/1] " bluez.test.bot
@ 2022-10-07 19:25   ` bluez.test.bot
  2022-10-10 20:00   ` [PATCH BlueZ v2 1/1] " patchwork-bot+bluetooth
  2 siblings, 0 replies; 8+ messages in thread
From: bluez.test.bot @ 2022-10-07 19:25 UTC (permalink / raw)
  To: linux-bluetooth, abhay.maheshbhai.maheta


This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=683769

---Test result---

Test Summary:
CheckPatch                    PASS      0.65 seconds
GitLint                       PASS      0.48 seconds
Prep - Setup ELL              PASS      31.74 seconds
Build - Prep                  PASS      0.80 seconds
Build - Configure             PASS      9.83 seconds
Build - Make                  PASS      1073.29 seconds
Make Check                    PASS      12.13 seconds
Make Check w/Valgrind         PASS      339.06 seconds
Make Distcheck                PASS      278.58 seconds
Build w/ext ELL - Configure   PASS      10.05 seconds
Build w/ext ELL - Make        PASS      102.59 seconds
Incremental Build w/ patches  PASS      0.00 seconds
Scan Build                    PASS      681.59 seconds



---
Regards,
Linux Bluetooth



* Re: [PATCH BlueZ v2 1/1] shared/bap: Fixing memory overwrite during ASE Enable Operation
  2022-10-07 17:45 ` [PATCH BlueZ v2 1/1] shared/bap: Fixing memory overwrite during ASE Enable Operation Abhay Maheta
  2022-10-07 18:22   ` [BlueZ,v2,1/1] " bluez.test.bot
  2022-10-07 19:25   ` bluez.test.bot
@ 2022-10-10 20:00   ` patchwork-bot+bluetooth
  2 siblings, 0 replies; 8+ messages in thread
From: patchwork-bot+bluetooth @ 2022-10-10 20:00 UTC (permalink / raw)
  To: Abhay Maheta; +Cc: linux-bluetooth

Hello:

This patch was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Fri,  7 Oct 2022 23:15:17 +0530 you wrote:
> This fixes a memory overwrite during ASE Enable operation handling.
> It avoids crashing of bluetoothd if metadata of more than the size of
> size_t is received.
> 
> This also fixes storing the metadata in the stream structure.
> ---
>  src/shared/bap.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)

Here is the summary with links:
  - [BlueZ,v2,1/1] shared/bap: Fixing memory overwrite during ASE Enable Operation
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=3da439ae3c76

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html




* Re: [PATCH BlueZ v2 0/1] Bug Fix for Memory overwrite
  2022-10-07 17:45 [PATCH BlueZ v2 0/1] Bug Fix for Memory overwrite Abhay Maheta
  2022-10-07 17:45 ` [PATCH BlueZ 1/1] shared/bap: Fix handling memory overwrite during ASE Enable Operation Abhay Maheta
  2022-10-07 17:45 ` [PATCH BlueZ v2 1/1] shared/bap: Fixing memory overwrite during ASE Enable Operation Abhay Maheta
@ 2022-10-10 20:00 ` patchwork-bot+bluetooth
  2 siblings, 0 replies; 8+ messages in thread
From: patchwork-bot+bluetooth @ 2022-10-10 20:00 UTC (permalink / raw)
  To: Abhay Maheta; +Cc: linux-bluetooth

Hello:

This patch was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Fri,  7 Oct 2022 23:15:15 +0530 you wrote:
> Fix to avoid memory overwrite during ASE stream enable operation.
> 
> Abhay Maheta (1):
>   shared/bap: Fixing memory overwrite during ASE Enable Operation
> 
>  src/shared/bap.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)

Here is the summary with links:
  - [BlueZ,1/1] shared/bap: Fix handling memory overwrite during ASE Enable Operation
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=3da439ae3c76

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



