* [PATCH BlueZ 0/1] btdev: Fix set PA data array overflow
From: Iulia Tanasescu @ 2024-02-13 15:58 UTC
To: linux-bluetooth
Cc: claudia.rosu, mihai-octavian.urzica, silviu.barbulescu, vlad.pruteanu, andrei.istodorescu, luiz.dentz, Iulia Tanasescu

This fixes an array overflow that can happen if the user issues the LE Set Periodic Advertising Data command with data length exceeding 31 bytes.

This can be noticed when running the Broadcast Source/Sink scenarios in bluetoothctl, using emulated controllers: if the source BASE exceeds 31 bytes, the PA reports received by the Sink look something like the following:

> HCI Event: LE Meta Event (0x3e) plen 39
      LE Periodic Advertising Report (0x0f)
        Sync handle: 1
        TX power: 127 dbm (0x7f)
        RSSI: not available (0x7f)
        CTE Type: No Constant Tone Extension (0xff)
        Data status: Incomplete, more data to come
        Data length: 0x1f
        25 16 51 18 e0 99 89 01 01 06 00 00 00 00 10 02 01 03 02 02 01 03 04 28 00 05 03 03 00 00 00
> HCI Event: LE Meta Event (0x3e) plen 15
      LE Periodic Advertising Report (0x0f)
        Sync handle: 1
        TX power: 127 dbm (0x7f)
        RSSI: not available (0x7f)
        CTE Type: No Constant Tone Extension (0xff)
        Data status: Complete
        Data length: 0x07
        00 00 00 00 00 00 00

The second PA report contains invalid bytes that were read outside the PA data array.

Iulia Tanasescu (1):
  btdev: Fix set PA data array overflow

 emulator/btdev.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

base-commit: 41c7f3af0352d3e45f4f10b7584e955a7f5cc696
-- 
2.39.2
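The mechanism behind the trace above, shown as an added C example that is not BlueZ code: the pre-fix handler keeps the host's data_len but copies only 31 bytes, so a later report of data_len bytes walks into whatever follows the array; the post-fix handler bounds data_len by the 252-byte spec maximum and, going one step beyond the patch, by the number of bytes actually received, rejecting the command instead of truncating it. The struct layouts, helper names, the 0xAA fill of the state after the array, the constructed 0x10+i payload and the three-byte command framing are all assumptions made for the example.

```c
/* Added example, not BlueZ code: a model of the le_pa_data bookkeeping in
 * emulator/btdev.c before and after this patch.  State after the 31-byte
 * array is filled with 0xAA so bytes read past it stand out in the report.
 * Layouts, names and command framing are assumptions made for the example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OLD_PA_DATA_LEN 31          /* fixed array size before the fix */
#define MAX_PA_DATA_LEN 252         /* Data_Length maximum for LE Set PA Data */
#define HCI_ERR_INVALID_PARAMS 0x12
#define CMD_HDR_LEN 3               /* Advertising_Handle, Operation, Data_Length */

struct old_dev {                    /* pre-fix layout (assumed) */
	uint8_t le_pa_data_len;
	uint8_t le_pa_data[OLD_PA_DATA_LEN];
	uint8_t following_state[255];   /* stands in for whatever follows */
};

struct new_dev {                    /* post-fix layout */
	uint8_t le_pa_data_len;
	uint8_t le_pa_data[MAX_PA_DATA_LEN];
};

/* LE Set PA Data parameters: 'claimed' is the Data_Length field, 'avail' how
 * many data bytes really follow (constructed pattern: byte i = 0x10 + i). */
static size_t build_cmd(uint8_t *out, uint8_t claimed, size_t avail)
{
	size_t i;
	out[0] = 0x01;                  /* advertising handle */
	out[1] = 0x03;                  /* operation: complete data */
	out[2] = claimed;
	for (i = 0; i < avail; i++)
		out[CMD_HDR_LEN + i] = (uint8_t)(0x10 + i);
	return CMD_HDR_LEN + avail;
}

/* Pre-fix handler: stores the claimed length, copies a fixed 31 bytes. */
static void old_set_pa_data(struct old_dev *dev, const uint8_t *cmd)
{
	dev->le_pa_data_len = cmd[2];
	memcpy(dev->le_pa_data, cmd + CMD_HDR_LEN, OLD_PA_DATA_LEN);
}

/* Post-fix handler: the claimed length must fit both the spec maximum and
 * the bytes actually received.  Returns the HCI status, 0x00 on success. */
static uint8_t new_set_pa_data(struct new_dev *dev, const uint8_t *cmd,
			       size_t cmd_len)
{
	uint8_t data_len;
	if (cmd_len < CMD_HDR_LEN)
		return HCI_ERR_INVALID_PARAMS;
	data_len = cmd[2];
	if (data_len > MAX_PA_DATA_LEN || data_len > cmd_len - CMD_HDR_LEN)
		return HCI_ERR_INVALID_PARAMS;
	dev->le_pa_data_len = data_len;
	memcpy(dev->le_pa_data, cmd + CMD_HDR_LEN, data_len);
	return 0x00;
}

/* Byte 'index' of the PA report the pre-fix path emits for a data_len-byte
 * set.  The report copies le_pa_data_len bytes from the array's start; the
 * model reads them through the object's bytes so it stays well-defined. */
int pre_fix_report_byte(uint8_t data_len, size_t index)
{
	uint8_t cmd[CMD_HDR_LEN + 255] = {0}, report[255];
	struct old_dev dev;
	build_cmd(cmd, data_len, data_len);
	memset(&dev, 0xAA, sizeof(dev));
	old_set_pa_data(&dev, cmd);
	memcpy(report, (const uint8_t *)&dev + offsetof(struct old_dev, le_pa_data),
	       dev.le_pa_data_len);
	return index < data_len ? report[index] : -1;
}

/* Status the post-fix handler returns when the host claims 'claimed' data
 * bytes but only 'avail' are actually sent. */
uint8_t post_fix_status(uint8_t claimed, size_t avail)
{
	uint8_t cmd[CMD_HDR_LEN + 255];
	struct new_dev dev;
	return new_set_pa_data(&dev, cmd, build_cmd(cmd, claimed, avail));
}

/* Byte 'index' of the stored data after a post-fix set; -1 when rejected. */
int post_fix_stored_byte(uint8_t data_len, size_t index)
{
	uint8_t cmd[CMD_HDR_LEN + 255];
	struct new_dev dev;
	if (new_set_pa_data(&dev, cmd, build_cmd(cmd, data_len, data_len)) ||
	    index >= dev.le_pa_data_len)
		return -1;
	return dev.le_pa_data[index];
}

int main(void)
{
	printf("pre-fix report byte 31 of a 38-byte set: %02x\n",
	       (unsigned)pre_fix_report_byte(38, 31));
	printf("post-fix status for Data_Length 253: 0x%02x\n",
	       (unsigned)post_fix_status(253, 253));
	return 0;
}
```

With a 38-byte set, bytes 31..37 of the pre-fix report come from the state after the array (0xAA here, zeros in the trace above), while the post-fix handler stores all 38 bytes and returns Invalid HCI Command Parameters for a Data_Length of 253 or for a command shorter than its own Data_Length field.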
* [PATCH BlueZ 1/1] btdev: Fix set PA data array overflow
From: Iulia Tanasescu @ 2024-02-13 15:58 UTC
To: linux-bluetooth
Cc: claudia.rosu, mihai-octavian.urzica, silviu.barbulescu, vlad.pruteanu, andrei.istodorescu, luiz.dentz, Iulia Tanasescu

This fixes an array overflow that can happen if the user issues the LE Set Periodic Advertising Data command with data length exceeding 31 bytes.

The PA data set by the user is copied into an array of fixed length (31 bytes). However, the data length might exceed 31 bytes. This will cause an array overflow when the PA data is later processed (for instance, when sending PA reports).

According to the specification, the data length provided at the LE Set Periodic Advertising Data command can be at most 252 bytes. The stored data len should also be true to the length copied into the array.

--- emulator/btdev.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/emulator/btdev.c b/emulator/btdev.c index 4ddbae403..4c9f5d181 100644 --- a/emulator/btdev.c +++ b/emulator/btdev.c @@ -5,7 +5,7 @@ * * Copyright (C) 2011-2012 Intel Corporation * Copyright (C) 2004-2010 Marcel Holtmann <marcel@holtmann.org> - * Copyright 2023 NXP + * Copyright 2023-2024 NXP * * */ @@ -44,6 +44,8 @@ #define BIS_SIZE 3 #define CIG_SIZE 3 +#define MAX_PA_DATA_LEN 252 + #define has_bredr(btdev) (!((btdev)->features[4] & 0x20)) #define has_le(btdev) (!!((btdev)->features[4] & 0x40)) @@ -207,7 +209,7 @@ struct btdev { uint16_t le_pa_min_interval; uint16_t le_pa_max_interval; uint8_t le_pa_data_len; - uint8_t le_pa_data[31]; + uint8_t le_pa_data[MAX_PA_DATA_LEN]; struct bt_hci_cmd_le_pa_create_sync pa_sync_cmd; uint16_t le_pa_sync_handle; uint8_t big_handle; 
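Review bot: the new MAX_PA_DATA_LEN define in the @@ -44,6 +44,8 @@ hunk carries no hint of where 252 comes from; the commit message states the spec maximum, so a one-line comment next to the define, e.g. `#define MAX_PA_DATA_LEN 252 /* LE Set PA Data: Data_Length 0..252 */`, would keep the bound self-documenting for the next reader of btdev.c. The uint8_t le_pa_data_len field in the struct hunk still holds the new maximum, so no width change is needed there.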
@@ -5210,9 +5212,13 @@ static int cmd_set_pa_data(struct btdev *dev, const void *data, { const struct bt_hci_cmd_le_set_pa_data *cmd = data; uint8_t status = BT_HCI_ERR_SUCCESS; + uint8_t data_len = cmd->data_len; + + if (data_len > MAX_PA_DATA_LEN) + data_len = MAX_PA_DATA_LEN; - dev->le_pa_data_len = cmd->data_len; - memcpy(dev->le_pa_data, cmd->data, 31); + dev->le_pa_data_len = data_len; + memcpy(dev->le_pa_data, cmd->data, data_len); cmd_complete(dev, BT_HCI_CMD_LE_SET_PA_DATA, &status, sizeof(status)); -- 2.39.2
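Review bot: clamping data_len to MAX_PA_DATA_LEN while status stays BT_HCI_ERR_SUCCESS silently truncates an out-of-range command instead of rejecting it, so a host that sends 253 bytes gets a success status and stored data that differs from what it set; returning an invalid-parameters status and leaving le_pa_data untouched would match the error a controller returns for out-of-range parameters and is what a test against the emulator should observe. Separately, memcpy now reads data_len bytes from cmd->data, but data_len still comes from the command itself: the handler's remaining parameter is cut off in the hunk header, and if it carries the received command length, data_len should also be checked against it so a short command with a large data_len field cannot read past the received buffer.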
* RE: btdev: Fix set PA data array overflow
From: bluez.test.bot @ 2024-02-13 17:10 UTC
To: linux-bluetooth, iulia.tanasescu

This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list. These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=825705

---Test result---

Test Summary:
CheckPatch        PASS     0.31 seconds
GitLint           PASS     0.22 seconds
BuildEll          PASS     23.97 seconds
BluezMake         PASS     716.04 seconds
MakeCheck         PASS     11.60 seconds
MakeDistcheck     PASS     162.51 seconds
CheckValgrind     PASS     228.35 seconds
CheckSmatch       WARNING  328.25 seconds
bluezmakeextell   PASS     106.95 seconds
IncrementalBuild  PASS     658.05 seconds
ScanBuild         WARNING  947.23 seconds

Details
##############################
Test: CheckSmatch - WARNING
Desc: Run smatch tool with source
Output:
emulator/btdev.c:422:29: warning: Variable length array is used.
##############################
Test: ScanBuild - WARNING
Desc: Run Scan Build
Output:
emulator/btdev.c:1086:10: warning: Although the value stored to 'conn' is used in the enclosing expression, the value is never actually read from 'conn'
        while ((conn = queue_find(dev->conns, match_handle,
               ^      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
emulator/btdev.c:1369:24: warning: Access to field 'link' results in a dereference of a null pointer (loaded from variable 'conn')
                pending_conn_del(dev, conn->link->dev);
                                      ^~~~~~~~~~
emulator/btdev.c:1491:13: warning: Access to field 'dev' results in a dereference of a null pointer (loaded from variable 'conn')
                send_event(conn->dev, BT_HCI_EVT_AUTH_COMPLETE, &ev, sizeof(ev));
                           ^~~~~~~~~
3 warnings generated.

---
Regards,
Linux Bluetooth
* Re: [PATCH BlueZ 0/1] btdev: Fix set PA data array overflow
From: patchwork-bot+bluetooth @ 2024-02-13 20:50 UTC
To: Iulia Tanasescu
Cc: linux-bluetooth, claudia.rosu, mihai-octavian.urzica, silviu.barbulescu, vlad.pruteanu, andrei.istodorescu, luiz.dentz

Hello:

This patch was applied to bluetooth/bluez.git (master) by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Tue, 13 Feb 2024 17:58:02 +0200 you wrote:
> This fixes an array overflow that can happen if the user issues the
> LE Set Periodic Advertising Data command with data length exceeding
> 31 bytes.
>
> This can be noticed when running the Broadcast Source/Sink scenarios
> in bluetoothctl, using emulated controllers: If the source BASE
> exceeds 31 bytes, the PA reports received by the Sink look something
> like the following:
>
> [...]

Here is the summary with links:
  - [BlueZ,1/1] btdev: Fix set PA data array overflow
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=7c49568a2758

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
Thread overview: 4+ messages (newest: 2024-02-13 20:50 UTC)
  2024-02-13 15:58 [PATCH BlueZ 0/1] btdev: Fix set PA data array overflow  Iulia Tanasescu
  2024-02-13 15:58   ` [PATCH BlueZ 1/1] btdev: Fix set PA data array overflow  Iulia Tanasescu
  2024-02-13 17:10     ` RE: btdev: Fix set PA data array overflow  bluez.test.bot
  2024-02-13 20:50   ` Re: [PATCH BlueZ 0/1] btdev: Fix set PA data array overflow  patchwork-bot+bluetooth