From: Johan Hedberg <johan.hedberg@gmail.com>
To: ingas@codeaurora.org
Cc: linux-bluetooth@vger.kernel.org, rshaffer@codeaurora.org
Subject: Re: [PATCH 7/7] Add service UUIDs from EIR to device properties in "Device Found" signal.
Date: Fri, 6 Aug 2010 18:30:42 +0100
Message-ID: <20100806173042.GA28198@jh-x301>
In-Reply-To: <1844054b1cfff4c91e67223013eb09ac.squirrel@www.codeaurora.org>
Hi Inga,
On Fri, Aug 06, 2010, ingas@codeaurora.org wrote:
> > On Thu, Aug 05, 2010, Inga Stotland wrote:
> >> + while (len < EIR_DATA_LENGTH - 1) {
> >> + uint8_t type = eir_data[1];
> >> + uint8_t field_len = eir_data[0];
> >> +
> >> + /* Check for the end of EIR */
> >> + if (field_len == 0)
> >> + break;
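Review bot: `while (len < EIR_DATA_LENGTH - 1)` is exactly the kind of comparison the build log below flags in get_eir_uuids if `len` is a signed `int` and `EIR_DATA_LENGTH` is unsigned; declaring `len` as `size_t` (or an unsigned type matching the constant) removes the signed/unsigned error that the build treats as fatal. Separately, after `field_len` is read nothing in the loop stops `len + field_len + 1` from exceeding `EIR_DATA_LENGTH` before pointers are taken into that region, so an explicit `if (len + field_len + 1 > EIR_DATA_LENGTH) break;` right after the zero-length check keeps every pointer inside the buffer instead of relying on the post-loop length test to discard them.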
> >
> > Shouldn't there also be another check here:
> >
> > /* Bail out if field_len claims to reach beyond the EIR
> > * data end */
> > if (len + field_len + 1 >= EIR_DATA_LENGTH)
> > break;
> >
>
> After reading in eir_data[0] & eir_data[1] (and those reads are valid due
> to passing the "while (len < EIR_DATA_LENGTH - 1)" check above) there are
> no more memory accesses in the loop. And if we do end up reading in a field
> length that's bogus, we fail the "while" check on the next iteration, exit the
> loop, fail the "(len > EIR_DATA_LENGTH)" check and bail out of the routine with
> a NULL return value.
Yep, you're right. What got me unnerved was that you still set pointers
to potentially out-of-bounds data in the switch statement, but as you
say the if check after the switch statement ensures that the pointers
don't get accessed if something went beyond the EIR data length.
There's still however one issue (I only now tried to compile the patch):
src/adapter.c: In function ‘get_eir_uuids’:
src/adapter.c:2810: error: comparison between signed and unsigned integer expressions
src/adapter.c:2820: error: comparison between signed and unsigned integer expressions
src/adapter.c:2833: error: comparison between signed and unsigned integer expressions
make[1]: *** [src/adapter.o] Error 1
Could you please fix it and always in the future ensure that the code
compiles cleanly when configured with ./bootstrap-configure. Also, could
you make the commit message more descriptive. The summary line should be
a very short summary of what the patch is about and the more detailed
description should be in the message body.
Johan
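As an added illustration (not code from the patch or from BlueZ) of the early bail-out discussed above: a bounds-checked walk over EIR data that refuses to look into bytes a field claims but the buffer does not contain. EIR_DATA_LENGTH comes from the thread; the function name, the caller-supplied length, the 0x03 type constant (the Bluetooth assigned number for the complete 16-bit UUID list) and the UUID counting are assumptions for illustration.

```c
/* Added example, not BlueZ code: bounds-checked EIR field walk.
 * Each EIR field is <length><type><data...>, where length counts the
 * type byte plus the data bytes. A zero length marks the end of EIR. */
#include <stdint.h>
#include <stddef.h>

#define EIR_DATA_LENGTH 240   /* maximum EIR payload, as in the thread */
#define EIR_UUID16_ALL  0x03  /* assumed: complete list of 16-bit UUIDs */

/* Walks the EIR fields in eir_data[0..eir_len) and counts the 16-bit
 * UUIDs carried in EIR_UUID16_ALL fields. Returns -1 when any field
 * claims more bytes than the buffer holds, so no pointer into that
 * field is ever formed, let alone dereferenced. */
int count_eir_uuid16(const uint8_t *eir_data, size_t eir_len)
{
    size_t len = 0;   /* unsigned: no signed/unsigned comparison */
    int count = 0;

    if (eir_len > EIR_DATA_LENGTH)
        return -1;

    /* Need both the length byte and the type byte to be in bounds. */
    while (len + 1 < eir_len) {
        uint8_t field_len = eir_data[len];
        uint8_t type;

        if (field_len == 0)   /* end of EIR */
            break;

        /* Bail out before touching data the field claims but the
         * buffer does not contain: field occupies [len, len+field_len]. */
        if (len + field_len + 1 > eir_len)
            return -1;

        type = eir_data[len + 1];
        if (type == EIR_UUID16_ALL)
            count += (field_len - 1) / 2;   /* data bytes / 2 per UUID */

        len += field_len + 1;   /* advance to the next length byte */
    }

    return count;
}
```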