diff options
author | Inga Stotland <inga.stotland@gmail.com> | 2023-03-31 17:16:02 -0700 |
---|---|---|
committer | Brian Gix <brian.gix@gmail.com> | 2023-04-03 13:29:00 -0700 |
commit | cffd5832a52cab71679e0bc6ee02a8f7816f1950 (patch) | |
tree | 1521bc779269d8bd7b97679952bddcc9ee710021 /mesh/mesh-io-unit.c | |
parent | de8e7cfce25b8d717f5ee60ee3b79d426fdcc681 (diff) | |
download | bluez-cffd5832a52cab71679e0bc6ee02a8f7816f1950.tar.gz |
mesh: Tighten IO and fix out-of-bounds array access
This fixes the out-of-bounds array access in mesh-io-mgmt.c caught
by address sanitizer. Similar fixes were applied earlier to
generic and unit IOs. With this patch, the common code is factored
into a centralized location.
Diffstat (limited to 'mesh/mesh-io-unit.c')
-rw-r--r-- | mesh/mesh-io-unit.c | 30 |
1 files changed, 0 insertions, 30 deletions
diff --git a/mesh/mesh-io-unit.c b/mesh/mesh-io-unit.c index f4f619803..a9fa53308 100644 --- a/mesh/mesh-io-unit.c +++ b/mesh/mesh-io-unit.c @@ -485,39 +485,9 @@ static bool tx_cancel(struct mesh_io *io, const uint8_t *data, uint8_t len) return true; } -static bool find_by_filter(const void *a, const void *b) -{ - const struct pvt_rx_reg *rx_reg_old = a; - const struct pvt_rx_reg *rx_reg = b; - - if (rx_reg_old->len != rx_reg->len) - return false; - - return !memcmp(rx_reg_old->filter, rx_reg->filter, rx_reg->len); -} - static bool recv_register(struct mesh_io *io, const uint8_t *filter, uint8_t len, mesh_io_recv_func_t cb, void *user_data) { - struct mesh_io_private *pvt = io->pvt; - struct pvt_rx_reg *rx_reg, *rx_reg_old; - - if (!cb || !filter || !len) - return false; - - rx_reg = l_malloc(sizeof(*rx_reg) + len); - - memcpy(rx_reg->filter, filter, len); - rx_reg->len = len; - rx_reg->cb = cb; - rx_reg->user_data = user_data; - - rx_reg_old = l_queue_remove_if(pvt->rx_regs, find_by_filter, rx_reg); - - l_free(rx_reg_old); - - l_queue_push_head(pvt->rx_regs, rx_reg); - return true; } |