diff options
| author | Tedd Ho-Jeong An <tedd.an@intel.com> | 2022-02-09 22:09:17 -0800 |
|---|---|---|
| committer | Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | 2022-02-10 14:23:55 -0800 |
| commit | 053a1d4bdb6a30f87d284e90020c20ef1ac8f8de (patch) | |
| tree | 2a22e6f3fe20e53fefba25f8ac03dccbcdefa097 /monitor/sdp.c | |
| parent | f3ddc7444285a0144b8265771ea26198191948ec (diff) | |
| download | bluez-053a1d4bdb6a30f87d284e90020c20ef1ac8f8de.tar.gz | |
monitor/sdp: Fixes out-of-bounds array access
This patch fixes the out-of-bounds array access caught by the ASAN.
monitor/sdp.c:497:19: runtime error: index 8 out of bounds for type
'cont_data [8]'
=================================================================
==4180==ERROR: AddressSanitizer: global-buffer-overflow on address
0x7fe2d271a542 at pc 0x7fe2d174a57d bp 0x7ffc6dcac1d0 sp 0x7ffc6dcab978
WRITE of size 9 at 0x7fe2d271a542 thread T0
#0 0x7fe2d174a57c (/lib/x86_64-linux-gnu/libasan.so.5+0x9b57c)
#1 0x7fe2d23bae85 in search_attr_rsp monitor/sdp.c:692
#2 0x7fe2d23be3f1 in sdp_packet monitor/sdp.c:771
#3 0x7fe2d23b004c in l2cap_frame monitor/l2cap.c:3247
#4 0x7fe2d23b3d9c in l2cap_packet monitor/l2cap.c:3312
#5 0x7fe2d237d5c3 in packet_hci_acldata monitor/packet.c:11638
#6 0x7fe2d2381876 in packet_monitor monitor/packet.c:3967
#7 0x7fe2d230b285 in data_callback monitor/control.c:973
#8 0x7fe2d2447029 in mainloop_run src/shared/mainloop.c:106
#9 0x7fe2d2449306 in mainloop_run_with_signal src/shared/mainloop-notify.c:188
#10 0x7fe2d230324a in main monitor/main.c:290
#11 0x7fe2d0b440b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#12 0x7fe2d2303b7d in _start (/home/han1/work/dev/bluez/monitor/btmon+0x1dbb7d)
0x7fe2d271a542 is located 30 bytes to the left of global variable 'tid_list'
defined in 'monitor/sdp.c:43:24' (0x7fe2d271a560) of size 384
0x7fe2d271a542 is located 2 bytes to the right of global variable 'cont_list'
defined in 'monitor/sdp.c:424:25' (0x7fe2d271a400) of size 320
SUMMARY: AddressSanitizer: global-buffer-overflow
(/lib/x86_64-linux-gnu/libasan.so.5+0x9b57c)
...
==4180==ABORTING
Diffstat (limited to 'monitor/sdp.c')
| -rw-r--r-- | monitor/sdp.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/monitor/sdp.c b/monitor/sdp.c index 10bc0a121..daf9a9da8 100644 --- a/monitor/sdp.c +++ b/monitor/sdp.c @@ -494,7 +494,7 @@ static void handle_continuation(struct tid_data *tid, bool nested, cont_list[n].data = NULL; cont_list[n].size = 0; } else - memcpy(cont_list[i].cont, data + bytes, data[bytes] + 1); + memcpy(cont_list[n].cont, data + bytes, data[bytes] + 1); } static uint16_t common_rsp(const struct l2cap_frame *frame, |