[PATCH BlueZ] adapter: fix heap corruption during discovery filter parsing

[PATCH BlueZ] adapter: fix heap corruption during discovery filter parsing

[lukas.funke-oss]

From: Philipp Meyer <Philipp.Meyer@weidmueller.com>

Must parse as dbus_bool_t, as booleans MUST be 4 bytes for dbus.
stdbool from the filter only has 1 byte in many cases. This will crash
dbus if parsing filter->duplicate directly in
dbus_message_iter_get_basic.
---
 src/adapter.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/adapter.c b/src/adapter.c
index 6c539a81e..3655076c4 100644
--- a/src/adapter.c
+++ b/src/adapter.c
@@ -2646,10 +2646,14 @@ static bool parse_transport(DBusMessageIter *value,
 static bool parse_duplicate_data(DBusMessageIter *value,
 					struct discovery_filter *filter)
 {
+	dbus_bool_t duplicate = false;
+
 	if (dbus_message_iter_get_arg_type(value) != DBUS_TYPE_BOOLEAN)
 		return false;
 
-	dbus_message_iter_get_basic(value, &filter->duplicate);
+	DBG("Reading 'duplicate' flag from discovery filter...\n");
+	dbus_message_iter_get_basic(value, &duplicate);
+	filter->duplicate = duplicate;
 
 	return true;
 }
@@ -2657,10 +2661,14 @@ static bool parse_duplicate_data(DBusMessageIter *value,
 static bool parse_discoverable(DBusMessageIter *value,
 					struct discovery_filter *filter)
 {
+	dbus_bool_t discoverable = false;
+
 	if (dbus_message_iter_get_arg_type(value) != DBUS_TYPE_BOOLEAN)
 		return false;
 
-	dbus_message_iter_get_basic(value, &filter->discoverable);
+	DBG("Reading 'discoverable' flag from discovery filter...\n");
+	dbus_message_iter_get_basic(value, &discoverable);
+	filter->discoverable = discoverable;
 
 	return true;
 }
-- 
2.30.2

RE: [BlueZ] adapter: fix heap corruption during discovery filter parsing

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 949 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=799389

---Test result---

Test Summary:
CheckPatch                    PASS      0.47 seconds
GitLint                       PASS      0.31 seconds
BuildEll                      PASS      35.00 seconds
BluezMake                     PASS      1168.98 seconds
MakeCheck                     PASS      13.18 seconds
MakeDistcheck                 PASS      216.18 seconds
CheckValgrind                 PASS      326.28 seconds
CheckSmatch                   PASS      451.89 seconds
bluezmakeextell               PASS      146.58 seconds
IncrementalBuild              PASS      1034.35 seconds
ScanBuild                     PASS      1419.95 seconds



---
Regards,
Linux Bluetooth