Browsing services using sdptool can lead to writing to invalid heap
locations.
valgrind's output of exemplary call: sdptool browse local
==2203== HEAP SUMMARY:
==2203== in use at exit: 0 bytes in 0 blocks
==2203== total heap usage: 251 allocs, 251 frees, 140,156 bytes allocated
==2203==
==2203== All heap blocks were freed -- no leaks are possible
==2203==
==2203== ERROR SUMMARY: 6 errors from 2 contexts (suppressed: 0 from 0)
==2203==
==2203== 1 errors in context 1 of 2:
==2203== Invalid write of size 2
==2203== at 0x805B882: bt_put_be16 (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8062BD0: sdp_service_search_attr_req (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8052457: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x80525AE: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x805277F: cmd_browse (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8053199: main (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== Address 0x4391359 is 7 bytes before a block of size 2,048 alloc'd
==2203== at 0x402B6A8: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2203== by 0x8062B4B: sdp_service_search_attr_req (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8052457: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x80525AE: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x805277F: cmd_browse (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8053199: main (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203==
==2203==
==2203== 5 errors in context 2 of 2:
==2203== Invalid write of size 1
==2203== at 0x402D363: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2203== by 0x80613E7: gen_dataseq_pdu (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8061472: gen_attridseq_pdu (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8062C00: sdp_service_search_attr_req (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8052457: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x80525AE: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x805277F: cmd_browse (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8053199: main (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== Address 0x439135b is 5 bytes before a block of size 2,048 alloc'd
==2203== at 0x402B6A8: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2203== by 0x8062B4B: sdp_service_search_attr_req (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8052457: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x80525AE: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x805277F: cmd_browse (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8053199: main (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203==
==2203== ERROR SUMMARY: 6 errors from 2 contexts (suppressed: 0 from 0)
The "seq->val.dataseq != NULL" check is also removed from the for()
statement because it should be done after verifying that the data
element is a sequence (inside the "if (SDP_IS_SEQ(...))" block.)
It is necessary to validate the sdp_data_t "dtd" field before accessing
the "val" union members, specially when handling SDP_SEQ*, SDP_ALT* and
SDP_STR* elements, otherwise remote devices can trigger memory
corruption by passing invalid data elements where others are expected.
rsp_count is either read or calculated from untrusted input, and
therefore needs to be checked before being used as offset. The "plen"
variable is appropriate because it is calculated as the sum of fixed and
variable length fields, excluding the continuation state field, which
has at least 1 byte for its own length field.
sdp_extract_attr() uses the "size" parameter to return the number of
bytes consumed when parsing SDP Data Elements. This size is used to
advance a buffer pointer to parse next element.
This size was being incorrectly calculated for SDP_{TEXT,URL}_STR16 in
extract_str(), where the string length was added twice. The string
length is already added later in the function for {TEXT,URL}_STR{8,16}
by this statement:
*len += n;
This fix following compilation errors on ARM.
CC lib/sdp.lo
lib/sdp.c: In function 'sdp_device_record_unregister_binary':
lib/sdp.c:2984:11: error: cast increases required alignment of
target type [-Werror=cast-align]
lib/sdp.c:2984:11: error: cast increases required alignment of
target type [-Werror=cast-align]
lib/sdp.c: In function 'sdp_device_record_update':
lib/sdp.c:3089:11: error: cast increases required alignment of
target type [-Werror=cast-align]
lib/sdp.c:3089:11: error: cast increases required alignment of
target type [-Werror=cast-align]
lib/sdp.c: In function 'sdp_process':
lib/sdp.c:4139:22: error: cast increases required alignment of
target type [-Werror=cast-align]
lib/sdp.c:4146:14: error: cast increases required alignment of
target type [-Werror=cast-align]
lib/sdp.c:4146:14: error: cast increases required alignment of
target type [-Werror=cast-align]
cc1: all warnings being treated as errors
make[1]: *** [lib/sdp.lo] Error 1
This reverts commit 8a03376544.
The patch needs to be split up and the gdbus/ changes were bogus
compared to the original commit message.
Conflicts:
Makefile.am
Makefile.obexd
profiles/cyclingspeed/cyclingspeed.c
profiles/heartrate/heartrate.c
src/error.c
Instead of trying to include config.h in each file over the tree and
possibly forgetting to include it, give a "-include config.h" argument
to the compiler so it's guaranteed that a) it will be included for all
source files and b) it will be the first header included.
gdbus/ directory is left out, since it would break other projects using
it.
Remove modification of buf->buf_size in 'get' functions. Data is
still indirectly modified due to recursive nature of code.
Renamed sdp_get_data_type to sdp_get_data_type_size.
