From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Date: Thu, 11 Nov 2010 23:00:32 +0200 From: Johan Hedberg To: Luiz Augusto von Dentz Cc: Vinicius Costa Gomes , linux-bluetooth@vger.kernel.org, Bruna Moreira Subject: Re: [PATCH v2 1/7] Fix invalid memory access when EIR field length is zero Message-ID: <20101111210032.GA24514@jh-x301> References: <1289501521-21825-1-git-send-email-vinicius.gomes@openbossa.org> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 In-Reply-To: Sender: linux-bluetooth-owner@vger.kernel.org List-ID: Hi Luiz, On Thu, Nov 11, 2010, Luiz Augusto von Dentz wrote: > >        while (len < EIR_DATA_LENGTH - 1) { > > -               uint8_t type = eir_data[1]; > >                uint8_t field_len = eir_data[0]; > > > >                /* Check for the end of EIR */ > >                if (field_len == 0) > >                        break; > > > > -               switch (type) { > > +               switch (eir_data[1]) { > >                case EIR_UUID16_SOME: > >                case EIR_UUID16_ALL: > >                        uuid16_count = field_len / 2; > > IMO type is easier to understand here, we just need to initialize it > latter after the length check. True, however I wasn't bothered enough about this and went ahead and pushed the patch anyway upstream. If someone feels like it, feel free to reintroduce the variable ;) Johan
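Review bot: the hunk fixes the read of `eir_data[1]` before the zero-length check, but leaves the `type` local unreadable in the `switch`; as Luiz suggests, keep a `uint8_t type` and assign it right after `if (field_len == 0) break;` so the case labels still read as a type dispatch. Within this hunk nothing checks that `field_len` fits in the remaining buffer before `uuid16_count = field_len / 2` is computed from it, so a separate check that `len + field_len` stays below `EIR_DATA_LENGTH` would be worth adding before walking the field.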