From: "Cho, Yu-Chen" <acho@suse.com>
To: luiz.dentz@gmail.com
Cc: linux-bluetooth@vger.kernel.org, acho@suse.com, jlee@suse.com
Subject: [PATCH BlueZ] hcidump: fixed AMP Assoc dump heap-over-flow
Date: Mon, 19 Nov 2018 16:12:27 +0800	[thread overview]
Message-ID: <20181119081227.7457-1-acho@suse.com> (raw)

amp_assoc_dump() didn't check the length of the AMP Assoc struct's
Type-Length-Value (TLV) triplets, and the Connected Chan List
(number of triplets) also needs to be checked, otherwise a wrong
length is used for the number of triplets.

---
 tools/parser/amp.c | 69 +++++++++++++++++++++++++---------------------
 1 file changed, 38 insertions(+), 31 deletions(-)

diff --git a/tools/parser/amp.c b/tools/parser/amp.c
index 158ca4a75..420099c90 100644
--- a/tools/parser/amp.c
+++ b/tools/parser/amp.c
@@ -33,7 +33,7 @@ static void amp_dump_chanlist(int level, struct amp_tlv *tlv, char *prefix)
 	struct amp_country_triplet *triplet;
 	int i, num;
 
-	num = (tlv->len - sizeof(*chan_list)) / sizeof(*triplet);
+	num = sizeof(*chan_list->triplets) / sizeof(*chan_list->triplets[0]);
 
 	printf("%s (number of triplets %d)\n", prefix, num);
 
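Review bot: The new `num` on the `+` line is a compile-time constant derived from the struct layout and no longer depends on `tlv->len`, so the loop that prints the triplets (below the hunk) does not reflect how many bytes the TLV actually carries; with a flexible or zero-length `triplets` member it would presumably always be 0, and with a fixed-size array it could still walk past a short TLV. The original expression was unsafe only because `tlv->len - sizeof(*chan_list)` wraps when `tlv->len` is smaller than the header, so the defensive fix is to reject that case and keep the length-derived count: `if (tlv->len < sizeof(*chan_list)) return;` followed by `num = (tlv->len - sizeof(*chan_list)) / sizeof(*triplet);`. This also relies on the caller having checked that `tlv->len` fits in the remaining buffer, which the second hunk does not do yet. amp_dump_chanlist begins before and continues after this hunk.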
@@ -80,47 +80,54 @@ void amp_assoc_dump(int level, uint8_t *assoc, uint16_t len)
 
 		p_indent(level+1, 0);
 
-		switch (tlv->type) {
-		case A2MP_MAC_ADDR_TYPE:
-			if (tlvlen != 6)
-				break;
-			printf("MAC: %2.2X:%2.2X:%2.2X:%2.2X:%2.2X:%2.2X\n",
+		if (tlvlen != 0) {
+			switch (tlv->type) {
+			case A2MP_MAC_ADDR_TYPE:
+				if (tlvlen != 6)
+					break;
+				printf("MAC: ");
+				printf("%2.2X:%2.2X:%2.2X:%2.2X:%2.2X:%2.2X\n",
 					tlv->val[0], tlv->val[1], tlv->val[2],
 					tlv->val[3], tlv->val[4], tlv->val[5]);
-			break;
-
-		case A2MP_PREF_CHANLIST_TYPE:
-			amp_dump_chanlist(level, tlv, "Preferred Chan List");
-			break;
+				break;
 
-		case A2MP_CONNECTED_CHAN:
-			amp_dump_chanlist(level, tlv, "Connected Chan List");
-			break;
+			case A2MP_PREF_CHANLIST_TYPE:
+				amp_dump_chanlist(level, tlv,
+						   "Preferred Chan List");
+				break;
 
-		case A2MP_PAL_CAP_TYPE:
-			if (tlvlen != 4)
+			case A2MP_CONNECTED_CHAN:
+				amp_dump_chanlist(level, tlv,
+						   "Connected Chan List");
 				break;
-			printf("PAL CAP: %2.2x %2.2x %2.2x %2.2x\n",
+
+			case A2MP_PAL_CAP_TYPE:
+				if (tlvlen != 4)
+					break;
+				printf("PAL CAP: %2.2x %2.2x %2.2x %2.2x\n",
 					tlv->val[0], tlv->val[1], tlv->val[2],
 					tlv->val[3]);
-			break;
-
-		case A2MP_PAL_VER_INFO:
-			if (tlvlen != 5)
 				break;
-			ver = (struct amp_pal_ver *) tlv->val;
-			printf("PAL VER: %2.2x Comp ID: %4.4x SubVer: %4.4x\n",
+
+			case A2MP_PAL_VER_INFO:
+				if (tlvlen != 5)
+					break;
+				ver = (struct amp_pal_ver *) tlv->val;
+				printf("PAL VER: ");
+				printf("%2.2x Comp ID: %4.4x SubVer: %4.4x\n",
 					ver->ver, btohs(ver->company_id),
 					btohs(ver->sub_ver));
-			break;
+				break;
 
-		default:
-			printf("Unrecognized type %d\n", tlv->type);
-			break;
-		}
+			default:
+				printf("Unrecognized type %d\n", tlv->type);
+				break;
+			}
 
-		len -= tlvlen + sizeof(*tlv);
-		assoc += tlvlen + sizeof(*tlv);
-		tlv = (struct amp_tlv *) assoc;
+			len -= tlvlen + sizeof(*tlv);
+			assoc += tlvlen + sizeof(*tlv);
+			tlv = (struct amp_tlv *) assoc;
+		} else
+			break;
 	}
 }
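Review bot: The added `if (tlvlen != 0)` guard around the switch still does not bound `tlvlen` against the bytes remaining in `assoc`, so a TLV whose length field exceeds the buffer is still passed to amp_dump_chanlist and still drives `len -= tlvlen + sizeof(*tlv);`, which wraps because `len` is a `uint16_t`; the stated heap over-read is therefore not closed for the chan-list types (the MAC/PAL cases are only saved by their exact-length checks). Assuming `len` counts the bytes remaining from `assoc` as the decrement suggests, the check should be `if (tlvlen == 0 || tlvlen + sizeof(*tlv) > len) break;` placed before the switch. Written that way the whole switch body can stay at its original indentation instead of being re-indented inside the new `if`/`else`, which would shrink this diff to a few lines and make the actual fix reviewable. The `while` loop enclosing this hunk, and the assignment of `tlvlen`, are outside the hunk.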
-- 
2.19.1

