From: Szymon Janc <szymon.janc@tieto.com>
To: Marcel Holtmann <marcel@holtmann.org>
Cc: linux-bluetooth@vger.kernel.org
Subject: Re: [PATCH] monitor: Fix minimum size for variable length events
Date: Wed, 04 Feb 2015 23:11:28 +0100 [thread overview]
Message-ID: <1858164.g9f32Se7Qq@leonov> (raw)
In-Reply-To: <AEA5CFDB-68FD-41C0-9960-6EA1433DD4A5@holtmann.org>
Hi Marcel,
On Wednesday 04 of February 2015 14:03:25 Marcel Holtmann wrote:
> Hi Szymon,
>
> > Those could lead to reading invalid memory if frames were corrupted.
> > ---
> > monitor/packet.c | 10 +++++-----
> > 1 file changed, 5 insertions(+), 5 deletions(-)
> >
> > diff --git a/monitor/packet.c b/monitor/packet.c
> > index ba58d84..56a315b 100644
> > --- a/monitor/packet.c
> > +++ b/monitor/packet.c
> > @@ -8204,7 +8204,7 @@ static const struct event_data event_table[] = {
> >
> > { 0x01, "Inquiry Complete",
> >
> > inquiry_complete_evt, 1, true },
> >
> > { 0x02, "Inquiry Result",
> >
> > - inquiry_result_evt, 1, false },
> > + inquiry_result_evt, 8, false },
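Review bot: the new minimum of 8 for Inquiry Result is not justified anywhere in the hunk or in the one-line commit message, so a reviewer cannot tell which header fields inquiry_result_evt reads unconditionally, which is exactly what the minimum size has to cover when fixed is false. Please state in the commit message how 8 was derived (and likewise for the other four changed entries, which are not visible in the quoted part of the diff), and confirm that the callback still checks the variable per-response part against plen, since a table minimum only protects the fixed header and not the repeated entries that follow it.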
>
> these are wrong. That is why fixed size is set to false here. It means that
> the callback function needs to ensure we do the right checks. If we don't,
> please with the callback functions.
If fixed==false then passed size is minimum required size and all callbacks
are expecting those.
From packet_hci_event():

        if (event_data->fixed) {
                if (hdr->plen != event_data->size) {
                        print_text(COLOR_ERROR, "invalid packet size");
                        packet_hexdump(data, size);
                        return;
                }
        } else {
                if (hdr->plen < event_data->size) {
                        print_text(COLOR_ERROR, "too short packet");
                        packet_hexdump(data, size);
                        return;
                }
        }

        event_data->func(data, hdr->plen);
--
BR
Szymon Janc
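The dispatch logic Szymon quotes, as an added stand-alone example that is not code from BlueZ's monitor/packet.c: a two-entry event table with the same fixed/minimum-size semantics, a dispatcher that applies the exact-or-minimum check before calling the callback, and an Inquiry Result callback that then validates the variable part against plen itself, which the table minimum cannot do. The table, the parse_result enum, the 14-byte per-response layout and the sample frames are constructed for this example and are assumptions, not btmon's own definitions; the extra check that the frame actually contains plen bytes is also an addition beyond what the quoted code shows.

```c
/* Added example modelling the fixed/minimum-size check discussed in the
 * thread. Names, table entries and frames are assumptions, not btmon code. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

enum parse_result {
        PARSE_OK,
        PARSE_TOO_SHORT,     /* frame or plen below what the table/callback needs */
        PARSE_INVALID_SIZE,  /* fixed-size event with plen != table size */
        PARSE_BAD_BODY,      /* header counted more entries than plen carries */
        PARSE_UNKNOWN,
};

struct hci_event_hdr {
        uint8_t evt;
        uint8_t plen;
};

typedef enum parse_result (*evt_func)(const uint8_t *data, uint8_t plen);

struct event_data {
        uint8_t event;
        const char *str;
        evt_func func;
        uint8_t size;   /* exact length if fixed, otherwise the minimum */
        bool fixed;
};

static enum parse_result inquiry_complete_evt(const uint8_t *data, uint8_t plen)
{
        (void)data; (void)plen;  /* single status byte, size already verified */
        return PARSE_OK;
}

/* Per-response entry: bdaddr 6 + page scan repetition mode 1 + reserved 2 +
 * class of device 3 + clock offset 2 (assumed layout for this example). */
#define INQUIRY_RESULT_ENTRY_LEN 14

static enum parse_result inquiry_result_evt(const uint8_t *data, uint8_t plen)
{
        uint8_t num = data[0];  /* safe: dispatcher guaranteed plen >= 1 */

        /* The table minimum only covers num_responses; the callback owns the
         * check that the repeated entries really fit inside plen. */
        if ((size_t)plen < 1 + (size_t)num * INQUIRY_RESULT_ENTRY_LEN)
                return PARSE_BAD_BODY;
        return PARSE_OK;
}

static const struct event_data event_table[] = {
        { 0x01, "Inquiry Complete", inquiry_complete_evt, 1, true },
        { 0x02, "Inquiry Result",   inquiry_result_evt,   1, false },
};

enum parse_result packet_hci_event(const uint8_t *data, size_t size)
{
        const struct hci_event_hdr *hdr = (const void *)data;
        size_t i;

        if (size < sizeof(*hdr))
                return PARSE_TOO_SHORT;
        data += sizeof(*hdr);
        size -= sizeof(*hdr);
        /* Added guard: never trust plen beyond the bytes actually captured. */
        if (size < hdr->plen)
                return PARSE_TOO_SHORT;

        for (i = 0; i < sizeof(event_table) / sizeof(event_table[0]); i++) {
                const struct event_data *ed = &event_table[i];

                if (ed->event != hdr->evt)
                        continue;
                if (ed->fixed) {
                        if (hdr->plen != ed->size)
                                return PARSE_INVALID_SIZE;
                } else {
                        if (hdr->plen < ed->size)
                                return PARSE_TOO_SHORT;
                }
                return ed->func(data, hdr->plen);
        }
        return PARSE_UNKNOWN;
}

/* Constructed sample frames (event code, plen, parameters). */
static const uint8_t frame_inq_complete_ok[]  = { 0x01, 0x01, 0x00 };
static const uint8_t frame_inq_complete_bad[] = { 0x01, 0x02, 0x00, 0x00 };
static const uint8_t frame_inq_result_empty[] = { 0x02, 0x00 };
static const uint8_t frame_inq_result_lying[] = { 0x02, 0x01, 0x02 };
static const uint8_t frame_inq_result_ok[]    = { 0x02, 0x0f, 0x01,
        0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x01, 0x00, 0x00, 0x0c, 0x02, 0x5a, 0x34, 0x12 };
static const uint8_t frame_truncated[]        = { 0x02, 0x0f, 0x01 };

int main(void)
{
        printf("complete ok   -> %d\n", packet_hci_event(frame_inq_complete_ok, sizeof(frame_inq_complete_ok)));
        printf("complete bad  -> %d\n", packet_hci_event(frame_inq_complete_bad, sizeof(frame_inq_complete_bad)));
        printf("result empty  -> %d\n", packet_hci_event(frame_inq_result_empty, sizeof(frame_inq_result_empty)));
        printf("result lying  -> %d\n", packet_hci_event(frame_inq_result_lying, sizeof(frame_inq_result_lying)));
        printf("result ok     -> %d\n", packet_hci_event(frame_inq_result_ok, sizeof(frame_inq_result_ok)));
        printf("truncated     -> %d\n", packet_hci_event(frame_truncated, sizeof(frame_truncated)));
        return 0;
}
```

The frame_inq_result_lying case is the one a table minimum alone never catches: plen passes the minimum, but num_responses claims two 14-byte entries that are not there, so the callback must do its own length arithmetic before touching data[1] onwards.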
Thread overview: 4+ messages
2015-02-04 20:14 [PATCH] monitor: Fix minimum size for variable length events Szymon Janc
2015-02-04 22:03 ` Marcel Holtmann
2015-02-04 22:11 ` Szymon Janc [this message]
2015-02-04 22:19 ` Marcel Holtmann