[PATCH BlueZ v1] shared/ad: Fix not checking length on ad_replace

public inbox for linux-bluetooth@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH BlueZ v1] shared/ad: Fix not checking length on ad_replace_name
@ 2026-03-16 20:43 Luiz Augusto von Dentz
  2026-03-16 21:49 ` [BlueZ,v1] " bluez.test.bot
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Luiz Augusto von Dentz @ 2026-03-16 20:43 UTC (permalink / raw)
  To: linux-bluetooth

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

iov may carry move then HCI_MAX_NAME_LENGTH in which case it is
truncated so it doesn't overflow utf8_name.
---
 src/shared/ad.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/shared/ad.c b/src/shared/ad.c
index ac238014bcea..b1d1b84611aa 100644
--- a/src/shared/ad.c
+++ b/src/shared/ad.c
@@ -278,7 +278,8 @@ static bool ad_replace_name(struct bt_ad *ad, struct iovec *iov)
 	char utf8_name[HCI_MAX_NAME_LENGTH + 2];
 
 	memset(utf8_name, 0, sizeof(utf8_name));
-	strncpy(utf8_name, (const char *)iov->iov_base, iov->iov_len);
+	strncpy(utf8_name, (const char *)iov->iov_base,
+			MIN(iov->iov_len, HCI_MAX_NAME_LENGTH));
 
 	if (strisutf8(utf8_name, iov->iov_len))
 		goto done;
-- 
2.53.0


^ permalink raw reply related	[flat|nested] 6+ messages in thread

* RE: [BlueZ,v1] shared/ad: Fix not checking length on ad_replace_name
  2026-03-16 20:43 [PATCH BlueZ v1] shared/ad: Fix not checking length on ad_replace_name Luiz Augusto von Dentz
@ 2026-03-16 21:49 ` bluez.test.bot
  2026-03-17 16:00 ` [PATCH BlueZ v1] " patchwork-bot+bluetooth
  2026-03-17 16:07 ` Bastien Nocera
  2 siblings, 0 replies; 6+ messages in thread
From: bluez.test.bot @ 2026-03-16 21:49 UTC (permalink / raw)
  To: linux-bluetooth, luiz.dentz

[-- Attachment #1: Type: text/plain, Size: 1311 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1067554

---Test result---

Test Summary:
CheckPatch                    PENDING   0.31 seconds
GitLint                       PENDING   0.40 seconds
BuildEll                      PASS      21.13 seconds
BluezMake                     PASS      649.12 seconds
MakeCheck                     PASS      19.28 seconds
MakeDistcheck                 PASS      246.81 seconds
CheckValgrind                 PASS      292.70 seconds
CheckSmatch                   PASS      355.11 seconds
bluezmakeextell               PASS      182.65 seconds
IncrementalBuild              PENDING   0.38 seconds
ScanBuild                     PASS      1018.38 seconds

Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:

##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:

##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:



https://github.com/bluez/bluez/pull/1966/checks

---
Regards,
Linux Bluetooth


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH BlueZ v1] shared/ad: Fix not checking length on ad_replace_name
  2026-03-16 20:43 [PATCH BlueZ v1] shared/ad: Fix not checking length on ad_replace_name Luiz Augusto von Dentz
  2026-03-16 21:49 ` [BlueZ,v1] " bluez.test.bot
@ 2026-03-17 16:00 ` patchwork-bot+bluetooth
  2026-03-17 16:07 ` Bastien Nocera
  2 siblings, 0 replies; 6+ messages in thread
From: patchwork-bot+bluetooth @ 2026-03-17 16:00 UTC (permalink / raw)
  To: Luiz Augusto von Dentz; +Cc: linux-bluetooth

Hello:

This patch was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Mon, 16 Mar 2026 16:43:20 -0400 you wrote:
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> 
> iov may carry move then HCI_MAX_NAME_LENGTH in which case it is
> truncated so it doesn't overflow utf8_name.
> ---
>  src/shared/ad.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)

Here is the summary with links:
  - [BlueZ,v1] shared/ad: Fix not checking length on ad_replace_name
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=11d05ece674f

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH BlueZ v1] shared/ad: Fix not checking length on ad_replace_name
  2026-03-16 20:43 [PATCH BlueZ v1] shared/ad: Fix not checking length on ad_replace_name Luiz Augusto von Dentz
  2026-03-16 21:49 ` [BlueZ,v1] " bluez.test.bot
  2026-03-17 16:00 ` [PATCH BlueZ v1] " patchwork-bot+bluetooth
@ 2026-03-17 16:07 ` Bastien Nocera
  2026-03-17 16:43   ` Luiz Augusto von Dentz
  2 siblings, 1 reply; 6+ messages in thread
From: Bastien Nocera @ 2026-03-17 16:07 UTC (permalink / raw)
  To: Luiz Augusto von Dentz, linux-bluetooth

On Mon, 2026-03-16 at 16:43 -0400, Luiz Augusto von Dentz wrote:
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> 
> iov may carry move then HCI_MAX_NAME_LENGTH in which case it is
> truncated so it doesn't overflow utf8_name.
> ---
>  src/shared/ad.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/src/shared/ad.c b/src/shared/ad.c
> index ac238014bcea..b1d1b84611aa 100644
> --- a/src/shared/ad.c
> +++ b/src/shared/ad.c
> @@ -278,7 +278,8 @@ static bool ad_replace_name(struct bt_ad *ad,
> struct iovec *iov)
>  	char utf8_name[HCI_MAX_NAME_LENGTH + 2];
>  
>  	memset(utf8_name, 0, sizeof(utf8_name));
> -	strncpy(utf8_name, (const char *)iov->iov_base, iov-
> >iov_len);
> +	strncpy(utf8_name, (const char *)iov->iov_base,
> +			MIN(iov->iov_len, HCI_MAX_NAME_LENGTH));

As I mentioned in my review, utf8_name could also have been shrunk by
one byte.

>  
>  	if (strisutf8(utf8_name, iov->iov_len))
>  		goto done;

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH BlueZ v1] shared/ad: Fix not checking length on ad_replace_name
  2026-03-17 16:07 ` Bastien Nocera
@ 2026-03-17 16:43   ` Luiz Augusto von Dentz
  2026-03-17 17:05     ` Bastien Nocera
  0 siblings, 1 reply; 6+ messages in thread
From: Luiz Augusto von Dentz @ 2026-03-17 16:43 UTC (permalink / raw)
  To: Bastien Nocera; +Cc: linux-bluetooth

Hi Bastien,

On Tue, Mar 17, 2026 at 12:07 PM Bastien Nocera <hadess@hadess.net> wrote:
>
> On Mon, 2026-03-16 at 16:43 -0400, Luiz Augusto von Dentz wrote:
> > From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> >
> > iov may carry move then HCI_MAX_NAME_LENGTH in which case it is
> > truncated so it doesn't overflow utf8_name.
> > ---
> >  src/shared/ad.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/src/shared/ad.c b/src/shared/ad.c
> > index ac238014bcea..b1d1b84611aa 100644
> > --- a/src/shared/ad.c
> > +++ b/src/shared/ad.c
> > @@ -278,7 +278,8 @@ static bool ad_replace_name(struct bt_ad *ad,
> > struct iovec *iov)
> >       char utf8_name[HCI_MAX_NAME_LENGTH + 2];
> >
> >       memset(utf8_name, 0, sizeof(utf8_name));
> > -     strncpy(utf8_name, (const char *)iov->iov_base, iov-
> > >iov_len);
> > +     strncpy(utf8_name, (const char *)iov->iov_base,
> > +                     MIN(iov->iov_len, HCI_MAX_NAME_LENGTH));
>
> As I mentioned in my review, utf8_name could also have been shrunk by
> one byte.

What review?

> >
> >       if (strisutf8(utf8_name, iov->iov_len))
> >               goto done;



-- 
Luiz Augusto von Dentz

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH BlueZ v1] shared/ad: Fix not checking length on ad_replace_name
  2026-03-17 16:43   ` Luiz Augusto von Dentz
@ 2026-03-17 17:05     ` Bastien Nocera
  0 siblings, 0 replies; 6+ messages in thread
From: Bastien Nocera @ 2026-03-17 17:05 UTC (permalink / raw)
  To: Luiz Augusto von Dentz; +Cc: linux-bluetooth

On Tue, 2026-03-17 at 12:43 -0400, Luiz Augusto von Dentz wrote:
> Hi Bastien,
> 
> On Tue, Mar 17, 2026 at 12:07 PM Bastien Nocera <hadess@hadess.net>
> wrote:
> > 
> > On Mon, 2026-03-16 at 16:43 -0400, Luiz Augusto von Dentz wrote:
> > > From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> > > 
> > > iov may carry move then HCI_MAX_NAME_LENGTH in which case it is
> > > truncated so it doesn't overflow utf8_name.
> > > ---
> > >  src/shared/ad.c | 3 ++-
> > >  1 file changed, 2 insertions(+), 1 deletion(-)
> > > 
> > > diff --git a/src/shared/ad.c b/src/shared/ad.c
> > > index ac238014bcea..b1d1b84611aa 100644
> > > --- a/src/shared/ad.c
> > > +++ b/src/shared/ad.c
> > > @@ -278,7 +278,8 @@ static bool ad_replace_name(struct bt_ad *ad,
> > > struct iovec *iov)
> > >       char utf8_name[HCI_MAX_NAME_LENGTH + 2];
> > > 
> > >       memset(utf8_name, 0, sizeof(utf8_name));
> > > -     strncpy(utf8_name, (const char *)iov->iov_base, iov-
> > > > iov_len);
> > > +     strncpy(utf8_name, (const char *)iov->iov_base,
> > > +                     MIN(iov->iov_len, HCI_MAX_NAME_LENGTH));
> > 
> > As I mentioned in my review, utf8_name could also have been shrunk
> > by
> > one byte.
> 
> What review?

https://lore.kernel.org/linux-bluetooth/d054c110dc64a6278e052259bc315d442828228c.camel@hadess.net/

> 
> > > 
> > >       if (strisutf8(utf8_name, iov->iov_len))
> > >               goto done;
> 
> 

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2026-03-17 17:06 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-16 20:43 [PATCH BlueZ v1] shared/ad: Fix not checking length on ad_replace_name Luiz Augusto von Dentz
2026-03-16 21:49 ` [BlueZ,v1] " bluez.test.bot
2026-03-17 16:00 ` [PATCH BlueZ v1] " patchwork-bot+bluetooth
2026-03-17 16:07 ` Bastien Nocera
2026-03-17 16:43   ` Luiz Augusto von Dentz
2026-03-17 17:05     ` Bastien Nocera

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox