Somehow, the invalid multibyte sequence "\xC2\xA0" (which is displayed
as a whitespace) was inserted on a company identifier string. Fix this
to avoid a bogus diff when running tools/update_compids.sh.
Error path on default case was not breaking loop. To keep error
handling similar all error path were converted to use goto.
This fix following:
target C: libbluetooth <= external/bluetooth/bluez/android/../lib/sdp.c
lib/sdp.c: In function 'sdp_set_profile_descs':
lib/sdp.c:487:10: warning: 'values[0]' may be used uninitialized in
this function [-Wmaybe-uninitialized]
lib/sdp.c:2562:19: note: 'values[0]' was declared here
lib/sdp.c:545:11: warning: 'dtds[0]' may be used uninitialized in this
function [-Wmaybe-uninitialized]
lib/sdp.c:2562:9: note: 'dtds[0]' was declared here
This is an improved version of recently reverted commit 1796f00e84.
Response size is verified against minimal allowed value only if it is
complete response. If response is partial it is allowed by spec that
it will be split in arbitrary manner.
Verified against Nokia BH217 on which original commit caused
regression.
This reverts commit 1796f00e84.
This patch causes a regression with the Nokia BH217 headset. A correct
patch must take into account fragmented responses.
The sequence itself is not an index of dtds, values, lengths, thats why
SDP_SEQ8 is used directly as dtd, so accessing length[i] is always off
by one.
Furthermore the length is not really used by sdp_data_alloc_with_length
when the dtd is SDP_SEQ8 which is probably why it doesn't crash.
Browsing services using sdptool can lead to writing to invalid heap
locations.
valgrind's output of exemplary call: sdptool browse local
==2203== HEAP SUMMARY:
==2203== in use at exit: 0 bytes in 0 blocks
==2203== total heap usage: 251 allocs, 251 frees, 140,156 bytes allocated
==2203==
==2203== All heap blocks were freed -- no leaks are possible
==2203==
==2203== ERROR SUMMARY: 6 errors from 2 contexts (suppressed: 0 from 0)
==2203==
==2203== 1 errors in context 1 of 2:
==2203== Invalid write of size 2
==2203== at 0x805B882: bt_put_be16 (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8062BD0: sdp_service_search_attr_req (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8052457: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x80525AE: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x805277F: cmd_browse (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8053199: main (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== Address 0x4391359 is 7 bytes before a block of size 2,048 alloc'd
==2203== at 0x402B6A8: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2203== by 0x8062B4B: sdp_service_search_attr_req (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8052457: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x80525AE: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x805277F: cmd_browse (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8053199: main (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203==
==2203==
==2203== 5 errors in context 2 of 2:
==2203== Invalid write of size 1
==2203== at 0x402D363: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2203== by 0x80613E7: gen_dataseq_pdu (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8061472: gen_attridseq_pdu (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8062C00: sdp_service_search_attr_req (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8052457: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x80525AE: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x805277F: cmd_browse (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8053199: main (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== Address 0x439135b is 5 bytes before a block of size 2,048 alloc'd
==2203== at 0x402B6A8: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==2203== by 0x8062B4B: sdp_service_search_attr_req (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8052457: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x80525AE: do_search (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x805277F: cmd_browse (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203== by 0x8053199: main (in /home/xpu/gits/bluez.bin/bin/sdptool)
==2203==
==2203== ERROR SUMMARY: 6 errors from 2 contexts (suppressed: 0 from 0)
The "seq->val.dataseq != NULL" check is also removed from the for()
statement because it should be done after verifying that the data
element is a sequence (inside the "if (SDP_IS_SEQ(...))" block.)
It is necessary to validate the sdp_data_t "dtd" field before accessing
the "val" union members, specially when handling SDP_SEQ*, SDP_ALT* and
SDP_STR* elements, otherwise remote devices can trigger memory
corruption by passing invalid data elements where others are expected.
rsp_count is either read or calculated from untrusted input, and
therefore needs to be checked before being used as offset. The "plen"
variable is appropriate because it is calculated as the sum of fixed and
variable length fields, excluding the continuation state field, which
has at least 1 byte for its own length field.
sdp_extract_attr() uses the "size" parameter to return the number of
bytes consumed when parsing SDP Data Elements. This size is used to
advance a buffer pointer to parse next element.
This size was being incorrectly calculated for SDP_{TEXT,URL}_STR16 in
extract_str(), where the string length was added twice. The string
length is already added later in the function for {TEXT,URL}_STR{8,16}
by this statement:
*len += n;
