linux-bluetooth.vger.kernel.org archive mirror
* [PATCH] Fix problem with invalid read from array
@ 2010-10-06 12:52 Lukasz Pawlik
  2010-10-06 13:32 ` Johan Hedberg
  0 siblings, 1 reply; 5+ messages in thread
From: Lukasz Pawlik @ 2010-10-06 12:52 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: Lukasz Pawlik

This patch fixes a problem with reading data from outside the array range in
the function used to create the EIR response.
---
 src/adapter.c      |    2 +-
 src/sdpd-service.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/adapter.c b/src/adapter.c
index 73ea6e4..bf32e19 100644
--- a/src/adapter.c
+++ b/src/adapter.c
@@ -205,7 +205,7 @@ static void dev_info_free(struct remote_dev_info *dev)
 
 static void update_ext_inquiry_response(struct btd_adapter *adapter)
 {
-	uint8_t data[240];
+	uint8_t data[242];
 	struct hci_dev *dev = &adapter->dev;
 	int ret;
 
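Review bot: the change from data[240] to data[242] is not explained by the commit message and has nothing to do with the out-of-range read the message describes: enlarging a stack buffer in update_ext_inquiry_response() cannot fix an index that runs past the end of a different array in src/sdpd-service.c. The EIR data field is defined as 240 bytes, so a 242-byte buffer also needs its own justification. Either document why two extra bytes are required here or drop this hunk from the patch.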
diff --git a/src/sdpd-service.c b/src/sdpd-service.c
index 26ab9a5..67dd9af 100644
--- a/src/sdpd-service.c
+++ b/src/sdpd-service.c
@@ -204,7 +204,7 @@ static void eir_generate_uuid128(sdp_list_t *list,
 		for (i = 0; i < index; i++) {
 			for (k = 0; k < SIZEOF_UUID128; k++) {
 				if (uuid128[i * SIZEOF_UUID128 + k] !=
-					uuid128_data[SIZEOF_UUID128 - k])
+					uuid128_data[SIZEOF_UUID128 - 1 - k])
 					break;
 			}
 			if (k == SIZEOF_UUID128)
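Review bot: the index fix is correct, and the commit message should say why. At k == 0 the old expression `uuid128_data[SIZEOF_UUID128 - k]` evaluates to element SIZEOF_UUID128, one past the last valid element of a SIZEOF_UUID128-byte array, so the first byte compared in every pass of the outer loop came from outside the array; for k >= 1 the remaining indices were shifted by one as well, so the bytes never lined up with the reversed order the loop intends. `SIZEOF_UUID128 - 1 - k` walks the candidate UUID from its last byte (index SIZEOF_UUID128 - 1) down to index 0, all in bounds. Suggest stating that in the message and adding a one-line comment above the inner loop noting that uuid128 and uuid128_data hold the UUID in opposite byte order, so the off-by-one is not reintroduced.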
-- 
1.7.0.4



* Re: [PATCH] Fix problem with invalid read from array
  2010-10-06 12:52 [PATCH] Fix problem with invalid read from array Lukasz Pawlik
@ 2010-10-06 13:32 ` Johan Hedberg
  2010-10-06 15:33   ` Lukasz Pawlik
  0 siblings, 1 reply; 5+ messages in thread
From: Johan Hedberg @ 2010-10-06 13:32 UTC (permalink / raw)
  To: Lukasz Pawlik; +Cc: linux-bluetooth

Hi Lukasz,

On Wed, Oct 06, 2010, Lukasz Pawlik wrote:
> This patch fixes a problem with reading data from outside the array range in
> the function used to create the EIR response.

You'll need to explain in more detail exactly what was wrong with the
old code and how your patch fixes it (and why it is the correct fix).

> -	uint8_t data[240];
> +	uint8_t data[242];

Why 242? The core spec defines the EIR data as a 240 byte field.

> -					uuid128_data[SIZEOF_UUID128 - k])
> +					uuid128_data[SIZEOF_UUID128 - 1 - k])

This change looks fine (the index of the last byte is sizeof(uuid128) - 1).

Johan
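The off-by-one Johan points at, worked through as an added example that is not part of the thread or of BlueZ. It reconstructs the comparison loop from the hunk in a hypothetical stand-in function, `eir_uuid128_is_duplicate()`, and assumes `SIZEOF_UUID128` is 16 (the macro comes from the patch, its definition is not shown on the page). Rather than perform the out-of-bounds access, the program computes the index each version of the loop would use for every k and reports which ones fall outside the array, then runs the patched comparison over constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed value: a 128-bit UUID is 16 bytes. The macro name comes from the
 * patch; its definition is not shown on the page. */
#define SIZEOF_UUID128 16

/* Index the pre-patch loop body used for byte k of the candidate UUID.
 * For k == 0 this is SIZEOF_UUID128, one past the last valid element. */
static size_t old_reversed_index(size_t k)
{
	return SIZEOF_UUID128 - k;
}

/* Index the patched loop body uses: the last valid element is
 * SIZEOF_UUID128 - 1, so k == 0 maps to it and k == 15 maps to 0. */
static size_t fixed_reversed_index(size_t k)
{
	return SIZEOF_UUID128 - 1 - k;
}

/* Returns 1 when idx addresses a byte inside a SIZEOF_UUID128-byte array. */
static int index_in_bounds(size_t idx)
{
	return idx < SIZEOF_UUID128;
}

/* Hypothetical stand-in for the comparison loop in eir_generate_uuid128(),
 * reconstructed from the hunk (not the project's code). 'uuid128' holds
 * 'count' UUIDs already placed back to back; 'candidate' is the incoming
 * UUID in the opposite byte order. Returns 1 if the candidate already
 * appears in the buffer. Uses the patched index, so every access stays
 * within the candidate array. */
static int eir_uuid128_is_duplicate(const uint8_t *uuid128, size_t count,
				    const uint8_t *candidate)
{
	size_t i, k;

	for (i = 0; i < count; i++) {
		for (k = 0; k < SIZEOF_UUID128; k++) {
			if (uuid128[i * SIZEOF_UUID128 + k] !=
					candidate[fixed_reversed_index(k)])
				break;
		}
		if (k == SIZEOF_UUID128)
			return 1;
	}
	return 0;
}

/* Constructed sample data: the candidate is the byte sequence 0x00..0x0f.
 * The buffer holds two entries: the byte-reversed candidate, then an
 * unrelated UUID made of 0xaa bytes. */
static const uint8_t sample_candidate[SIZEOF_UUID128] = {
	0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
	0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
};

static const uint8_t sample_buffer[2 * SIZEOF_UUID128] = {
	0x0f, 0x0e, 0x0d, 0x0c, 0x0b, 0x0a, 0x09, 0x08,
	0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01, 0x00,
	0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
	0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa,
};

int main(void)
{
	size_t k;

	/* Report, without touching memory, which iterations of the old
	 * loop indexed past the array and where the fixed loop lands. */
	for (k = 0; k < SIZEOF_UUID128; k++) {
		size_t old = old_reversed_index(k);
		size_t fixed = fixed_reversed_index(k);

		printf("k=%2zu old index %2zu (%s)  fixed index %2zu (%s)\n",
		       k, old, index_in_bounds(old) ? "ok" : "OUT OF BOUNDS",
		       fixed, index_in_bounds(fixed) ? "ok" : "OUT OF BOUNDS");
	}

	printf("candidate already in buffer: %s\n",
	       eir_uuid128_is_duplicate(sample_buffer, 2, sample_candidate) ?
	       "yes" : "no");
	return 0;
}
```

Only k == 0 produces an index outside the array with the old expression, but every other k is off by one as well (byte k of the stored UUID was compared with byte 16 - k of the candidate instead of byte 15 - k), so the pre-patch loop both over-read the array and never matched a reversed UUID correctly.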


* Re: [PATCH] Fix problem with invalid read from array
  2010-10-06 13:32 ` Johan Hedberg
@ 2010-10-06 15:33   ` Lukasz Pawlik
  2010-10-08  8:35     ` Lukasz Pawlik
  0 siblings, 1 reply; 5+ messages in thread
From: Lukasz Pawlik @ 2010-10-06 15:33 UTC (permalink / raw)
  To: Lukasz Pawlik, linux-bluetooth

Hi,

Sorry, my bad. It was never my intention to change src/adapter.c. I've
prepared two patches with the same name and of course sent the wrong
one. The fix for the invalid read is the change made in the
src/sdpd-service.c file.

Lukasz

2010/10/6 Johan Hedberg <johan.hedberg@gmail.com>:
> Hi Lukasz,
>
> On Wed, Oct 06, 2010, Lukasz Pawlik wrote:
>> This patch fixes a problem with reading data from outside the array range in
>> the function used to create the EIR response.
>
> You'll need to explain in more detail exactly what was wrong with the
> old code and how your patch fixes it (and why it is the correct fix).
>
>> -     uint8_t data[240];
>> +     uint8_t data[242];
>
> Why 242? The core spec defines the EIR data as a 240 byte field.
>
>> -                                     uuid128_data[SIZEOF_UUID128 - k])
>> +                                     uuid128_data[SIZEOF_UUID128 - 1 - k])
>
> This change looks fine (the index of the last byte is sizeof(uuid128) - 1).
>
> Johan
>


* Re: [PATCH] Fix problem with invalid read from array
  2010-10-06 15:33   ` Lukasz Pawlik
@ 2010-10-08  8:35     ` Lukasz Pawlik
  2010-10-09 15:12       ` Johan Hedberg
  0 siblings, 1 reply; 5+ messages in thread
From: Lukasz Pawlik @ 2010-10-08  8:35 UTC (permalink / raw)
  To: johan.hedberg; +Cc: linux-bluetooth

Attaching the patch without the change in the src/adapter.c file.

Lukasz Pawlik

2010/10/6 Lukasz Pawlik <lucas.pawlik@gmail.com>:
> Hi,
>
> Sorry, my bad. It was never my intention to change src/adapter.c. I've
> prepared two patches with the same name and of course sent the wrong
> one. The fix for the invalid read is the change made in the
> src/sdpd-service.c file.
>
> Lukasz
>
> 2010/10/6 Johan Hedberg <johan.hedberg@gmail.com>:
>> Hi Lukasz,
>>
>> On Wed, Oct 06, 2010, Lukasz Pawlik wrote:
>>> This patch fixes a problem with reading data from outside the array range in
>>> the function used to create the EIR response.
>>
>> You'll need to explain in more detail exactly what was wrong with the
>> old code and how your patch fixes it (and why it is the correct fix).
>>
>>> -     uint8_t data[240];
>>> +     uint8_t data[242];
>>
>> Why 242? The core spec defines the EIR data as a 240 byte field.
>>
>>> -                                     uuid128_data[SIZEOF_UUID128 - k])
>>> +                                     uuid128_data[SIZEOF_UUID128 - 1 - k])
>>
>> This change looks fine (the index of the last byte is sizeof(uuid128) - 1).
>>
>> Johan
>>
>

[-- Attachment #2: 0001-Fix-problem-with-invalid-read-from-array.patch --]
[-- Type: text/x-patch, Size: 876 bytes --]

From 5e6ca8e9dff0ced5aacc1cbfa12318680ade957a Mon Sep 17 00:00:00 2001
From: Lukasz Pawlik <lucas.pawlik@gmail.com>
Date: Fri, 8 Oct 2010 09:23:26 +0200
Subject: [PATCH] Fix problem with invalid read from array

This patch fixes a problem with reading data from outside the array range in
the function used to create the EIR response.
---
 src/sdpd-service.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/src/sdpd-service.c b/src/sdpd-service.c
index 26ab9a5..67dd9af 100644
--- a/src/sdpd-service.c
+++ b/src/sdpd-service.c
@@ -204,7 +204,7 @@ static void eir_generate_uuid128(sdp_list_t *list,
 		for (i = 0; i < index; i++) {
 			for (k = 0; k < SIZEOF_UUID128; k++) {
 				if (uuid128[i * SIZEOF_UUID128 + k] !=
-					uuid128_data[SIZEOF_UUID128 - k])
+					uuid128_data[SIZEOF_UUID128 - 1 - k])
 					break;
 			}
 			if (k == SIZEOF_UUID128)
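Review bot: this resend drops the src/adapter.c hunk, so the diffstat now matches the description, but the commit message is unchanged and still does not say what was wrong or why this is the correct fix, as asked in review. Suggest stating that at k == 0 the old index `SIZEOF_UUID128 - k` addresses one element past the end of uuid128_data, and that `SIZEOF_UUID128 - 1 - k` keeps the reversed-byte-order comparison within indices 0 to SIZEOF_UUID128 - 1.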
-- 
1.7.0.4



* Re: [PATCH] Fix problem with invalid read from array
  2010-10-08  8:35     ` Lukasz Pawlik
@ 2010-10-09 15:12       ` Johan Hedberg
  0 siblings, 0 replies; 5+ messages in thread
From: Johan Hedberg @ 2010-10-09 15:12 UTC (permalink / raw)
  To: Lukasz Pawlik; +Cc: linux-bluetooth

Hi Lukasz,

On Fri, Oct 08, 2010, Lukasz Pawlik wrote:
> Attaching the patch without the change in the src/adapter.c file.

Thanks. The patch is now upstream.

Johan

