* Does sdp_seq_alloc_with_length() invoke undefined behavior?
@ 2013-05-20 17:36 Michael Bradshaw
2013-05-20 20:18 ` Luiz Augusto von Dentz
0 siblings, 1 reply; 2+ messages in thread
From: Michael Bradshaw @ 2013-05-20 17:36 UTC (permalink / raw)
To: linux-bluetooth
After reading some sample HID client code[1] that brought up the
suspicious code in sdp_seq_alloc_with_length(), I'm wondering if it
possibly invokes undefined behavior.
I'll annotate the function:
sdp_data_t *sdp_seq_alloc_with_length(void **dtds, void **values, int *length,
int len)
{
sdp_data_t *curr = NULL, *seq = NULL;
int i;
for (i = 0; i < len; i++) {
// ... removed to be concise ...
}
return sdp_data_alloc_with_length(SDP_SEQ8, seq, length[i]);
}
That last line looks like it is accessing one-past-the-end of the
length array when it says length[i]. Should the code execute that
line, i == len, and if len represents the number of elements in the
length array (which I think it does, but correct me if it does not),
then it does indeed invoke undefined behavior.
I'm hoping I could get some input from bluez developers who can say
with confidence whether or not this is a bug (so I know whether or not
I should open a bug report).
Thanks,
Michael
[1]: http://anselm.hoffmeister.be/computer/hidclient/index.html.en
^ permalink raw reply [flat|nested] 2+ messages in thread* Re: Does sdp_seq_alloc_with_length() invoke undefined behavior?
2013-05-20 17:36 Does sdp_seq_alloc_with_length() invoke undefined behavior? Michael Bradshaw
@ 2013-05-20 20:18 ` Luiz Augusto von Dentz
0 siblings, 0 replies; 2+ messages in thread
From: Luiz Augusto von Dentz @ 2013-05-20 20:18 UTC (permalink / raw)
To: Michael Bradshaw; +Cc: linux-bluetooth@vger.kernel.org
Hi Michael,
On Mon, May 20, 2013 at 10:36 AM, Michael Bradshaw <mjbshaw@gmail.com> wrote:
> After reading some sample HID client code[1] that brought up the
> suspicious code in sdp_seq_alloc_with_length(), I'm wondering if it
> possibly invokes undefined behavior.
>
> I'll annotate the function:
> sdp_data_t *sdp_seq_alloc_with_length(void **dtds, void **values, int *length,
> int len)
> {
> sdp_data_t *curr = NULL, *seq = NULL;
> int i;
>
> for (i = 0; i < len; i++) {
> // ... removed to be concise ...
> }
>
> return sdp_data_alloc_with_length(SDP_SEQ8, seq, length[i]);
> }
>
> That last line looks like it is accessing one-past-the-end of the
> length array when it says length[i]. Should the code execute that
> line, i == len, and if len represents the number of elements in the
> length array (which I think it does, but correct me if it does not),
> then it does indeed invoke undefined behavior.
This might actually be bug, the function is not that much that is
probably why we haven't notice this problem before. Anyway it is
leaking whenever it fails because we don't free the data allocated
previously.
> I'm hoping I could get some input from bluez developers who can say
> with confidence whether or not this is a bug (so I know whether or not
> I should open a bug report).
If you have the backtrace it is usually easier for us to tell but just
by looking at the code it seems very problematic.
--
Luiz Augusto von Dentz
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2013-05-20 20:18 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-05-20 17:36 Does sdp_seq_alloc_with_length() invoke undefined behavior? Michael Bradshaw
2013-05-20 20:18 ` Luiz Augusto von Dentz
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).