Fix memory corruption when decoding Read Response PDU

A bogus (or hostile) Proximity Reporter device may send a TX Power value
bigger than the buffer used. Therefore, create a temporary buffer with
the maximum size, and check for the length before using the value.

Note that all other current users of dec_read_resp() already do
this. Another option would be to change dec_read_resp() to accept a
buffer length, but this would break external code, so it is avoided for
now.
Anderson Lizardo 2011-09-28 15:01:32 -04:00 committed by Johan Hedberg
parent 3d6f41b498
commit 547f9e37b8


@ -186,7 +186,7 @@ static int write_alert_level(struct monitor *monitor)
static void tx_power_read_cb(guint8 status, const guint8 *pdu, guint16 plen,
gpointer user_data)
{
uint8_t value;
uint8_t value[ATT_MAX_MTU];
int vlen;
if (status != 0) {
@ -194,12 +194,17 @@ static void tx_power_read_cb(guint8 status, const guint8 *pdu, guint16 plen,
return;
}
if (!dec_read_resp(pdu, plen, &value, &vlen)) {
if (!dec_read_resp(pdu, plen, value, &vlen)) {
DBG("Protocol error");
return;
}
DBG("Tx Power Level: %02x", (int8_t) value);
if (vlen != 1) {
DBG("Invalid length for TX Power value: %d", vlen);
return;
}
DBG("Tx Power Level: %02x", (int8_t) value[0]);
}
static void tx_power_handle_cb(GSList *characteristics, guint8 status,
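Review bot: The new `uint8_t value[ATT_MAX_MTU]` buffer in tx_power_read_cb is only safe if `plen` can never exceed ATT_MAX_MTU, and nothing in this callback checks that before `dec_read_resp(pdu, plen, value, &vlen)` runs. The commit message says dec_read_resp() takes no buffer length, so the bound is presumably enforced by the transport code, which is not visible here. If that is the intent, say so in a comment above the declaration, or make the bound local with `if (plen > sizeof(value)) { DBG("PDU too long: %d", plen); return; }` ahead of the decode. Separately, `%02x` applied to `(int8_t) value[0]` prints a sign-extended hex word for negative power levels; `%d` would log the signed value directly. The function body spans both hunks of this section.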