sdp update record

sdp update record

[josem]

Hi everyone 

Working with BlueZ 4.46, bluetoothd process makes an segfault when an 
"update sdp record" request is processed. Running with valgrind memcheck 
I checked that when an "search attr" request arrives after the "update sdp 
record",
 this record handle not exists because this memory has been freed in the 
"update sdp record" stage. The code block when "update spd record" is made 

is below: 


int service_update_req(sdp_req_t *req, sdp_buf_t *rsp)
{
        sdp_record_t *orec;
        int status = 0, scanned = 0;
        uint8_t *p = req->buf + sizeof(sdp_pdu_hdr_t);
        int bufsize = req->len - sizeof(sdp_pdu_hdr_t);
        uint32_t handle = ntohl(bt_get_unaligned((uint32_t *) p));

        SDPDBG("Svc Rec Handle: 0x%x", handle);

        p += sizeof(uint32_t);
        bufsize -= sizeof(uint32_t);

        orec = sdp_record_find(handle);

        SDPDBG("SvcRecOld: %p", orec);

        if (orec) {
                sdp_record_t *nrec = extract_pdu_server(BDADDR_ANY, p, 
bufsize,
                                                        handle, &scanned);
                if (nrec && handle == nrec->handle) {
                        update_db_timestamp();
                        update_svclass_list(BDADDR_ANY);
                } else {
                        SDPDBG("SvcRecHandle : 0x%x", handle);
                        SDPDBG("SvcRecHandleNew : 0x%x", nrec->handle);
                        SDPDBG("SvcRecNew : %p", nrec);
                        SDPDBG("SvcRecOld : %p", orec);
                        SDPDBG("Failure to update, restore old value");

                        status = SDP_INVALID_SYNTAX;
                }

                if (nrec)
                        sdp_record_free(nrec);
        } else
                status = SDP_INVALID_RECORD_HANDLE;

        p = rsp->data;
        bt_put_unaligned(htons(status), (uint16_t *) p);
        rsp->data_size = sizeof(uint16_t);
        return status;
}

If I comment the "sdp_record_free(nrec)" line, no segfault occurs.
If "extract_pdu_server" works like I think, first find the record, later 
delete all attrs and add the new attrs.
So that, sdp_record_free(nrec) is freeing the updated record, no?

I'm not in list, pleases cc'me.

Thanks and regards

Re: sdp update record

[Luiz Augusto von Dentz]

Hi,

On Mon, Jul 20, 2009 at 5:46 AM,
josem@robleshermoso.com<josem@robleshermoso.com> wrote:
> Hi everyone
>
> Working with BlueZ 4.46, bluetoothd process makes an segfault when an
> "update sdp record" request is processed. Running with valgrind memcheck
> I checked that when an "search attr" request arrives after the "update sdp
> record",
>  this record handle not exists because this memory has been freed in the
> "update sdp record" stage. The code block when "update spd record" is made
>

Thanks for reporting this, a patch has been pushed upstream to solve this:

http://git.kernel.org/?p=bluetooth/bluez.git;a=commitdiff;h=8c677a559dbaa7c9b53fea05f91081c05244ec1f

Note that nrec should reuse the memory from orec thus the assert.

-- 
Luiz Augusto von Dentz
Engenheiro de Computação