From: "José Antonio Santos Cadenas" <santoscadenas@gmail.com>
To: linux-bluetooth@vger.kernel.org
Subject: Re: [PATCH] Bug in sdp_set_supp_features solved
Date: Wed, 28 Apr 2010 12:11:05 +0200
Message-ID: <201004281211.05712.santoscadenas@gmail.com>
In-Reply-To: <201004281208.35923.jcaden@libresoft.es>
On Wednesday 28 April 2010 12:08:35 José Antonio Santos Cadenas wrote:
> From 567522ed4ac5912d967fef3017bf905591b5c24e Mon Sep 17 00:00:00 2001
> From: Jose Antonio Santos Cadenas <santoscadenas@gmail.com>
> Date: Wed, 28 Apr 2010 12:02:31 +0200
> Subject: [PATCH] Bug in sdp_set_supp_features solved
>
> When the data is a string or a sequence, it is not ok to dereference
> data->val because it is already a pointer.
Also, sizes are added because the strings are not terminated with '\0', and otherwise
it is not possible to know their size.
> ---
> lib/sdp.c | 33 +++++++++++++++++++++++++++++++--
> 1 files changed, 31 insertions(+), 2 deletions(-)
>
> diff --git a/lib/sdp.c b/lib/sdp.c
> index 5f1f2fc..f9a6541 100644
> --- a/lib/sdp.c
> +++ b/lib/sdp.c
> @@ -4709,6 +4709,7 @@ int sdp_set_supp_feat(sdp_record_t *rec, const sdp_list_t *sf)
> for (p = sf, i = 0; p; p = p->next, i++) {
> int plen, j;
> void **dtds, **vals;
> + int *sizes;
>
> plen = sdp_list_len(p->data);
> dtds = malloc(plen * sizeof(void *));
> @@ -4719,14 +4720,42 @@ int sdp_set_supp_feat(sdp_record_t *rec, const sdp_list_t *sf)
> free(dtds);
> goto fail;
> }
> + sizes = malloc(plen * sizeof(int *));
> + if (!sizes) {
> + free(dtds);
> + free(vals);
> + goto fail;
> + }
> for (r = p->data, j = 0; r; r = r->next, j++) {
> sdp_data_t *data = (sdp_data_t*)r->data;
> dtds[j] = &data->dtd;
> - vals[j] = &data->val;
> + switch (data->dtd) {
> + case SDP_URL_STR8:
> + case SDP_URL_STR16:
> + case SDP_TEXT_STR8:
> + case SDP_TEXT_STR16:
> + vals[j] = data->val.str;
> + sizes[j] = data->unitSize - sizeof(uint8_t);
> + break;
> + case SDP_ALT8:
> + case SDP_ALT16:
> + case SDP_ALT32:
> + case SDP_SEQ8:
> + case SDP_SEQ16:
> + case SDP_SEQ32:
> + vals[j] = data->val.dataseq;
> + sizes[j] = 0;
> + break;
> + default:
> + vals[j] = &data->val;
> + sizes[j] = 0;
> + break;
> + }
> }
> - feat = sdp_seq_alloc(dtds, vals, plen);
> + feat = sdp_seq_alloc_with_length(dtds, vals, sizes, plen);
> free(dtds);
> free(vals);
> + free(sizes);
> if (!feat)
> goto fail;
> seqDTDs[i] = &feat->dtd;
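Review bot: The allocation `sizes = malloc(plen * sizeof(int *));` sizes each element as a pointer, but `sizes` is declared `int *`, so the element type is `int`; use `plen * sizeof(*sizes)` (or `sizeof(int)`) so the buffer matches what the loop writes. As written it only over-allocates on platforms where a pointer is wider than an int, but the mismatch is easy to copy into a place where it under-allocates. In the string cases, `sizes[j] = data->unitSize - sizeof(uint8_t);` assumes `unitSize` is always at least one byte larger than the string; a short comment stating that invariant, or a guard before the subtraction, would keep an unexpected `unitSize` from becoming a negative or huge length handed to `sdp_seq_alloc_with_length`. It would also help to note in a comment that `sizes[j] = 0` in the sequence and default cases means the length is unused for those types.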
> --
> 1.6.3.3
Thread overview: 4+ messages
2010-04-28 10:08 [PATCH] Bug in sdp_set_supp_features solved José Antonio Santos Cadenas
2010-04-28 10:11 ` José Antonio Santos Cadenas [this message]
2010-04-28 19:51 ` Johan Hedberg
2010-04-28 22:28 ` José Antonio Santos Cadenas