diff options
author | Abhay Maheta <abhay.maheshbhai.maheta@intel.com> | 2022-10-07 23:15:17 +0530 |
---|---|---|
committer | Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | 2022-10-10 12:52:42 -0700 |
commit | 3da439ae3c76e5008d007c2c41f6e7e1828b7321 (patch) | |
tree | f26ca90727f837b3c6180768463a21b4a416adc4 /src | |
parent | dabf32b313c1dbfcbb434778541e4ab03bb2121e (diff) | |
download | bluez-3da439ae3c76e5008d007c2c41f6e7e1828b7321.tar.gz |
shared/bap: Fixing memory overwrite during ASE Enable Operation
This fixes memory overwrite during ASE Enable operation handling.
It avoids crashing of bluetoothd if metadata of more than sizeo of
size_t is received.
This also fixes storing metadata to stream structure.
Diffstat (limited to 'src')
-rw-r--r-- | src/shared/bap.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/src/shared/bap.c b/src/shared/bap.c index 178407387..c3c0d596f 100644 --- a/src/shared/bap.c +++ b/src/shared/bap.c @@ -958,10 +958,14 @@ static void stream_notify_metadata(struct bt_bap_stream *stream) struct bt_ascs_ase_status *status; struct bt_ascs_ase_status_metadata *meta; size_t len; + size_t meta_len = 0; DBG(stream->bap, "stream %p", stream); - len = sizeof(*status) + sizeof(*meta) + sizeof(stream->meta->iov_len); + if (stream->meta) + meta_len = stream->meta->iov_len; + + len = sizeof(*status) + sizeof(*meta) + meta_len; status = malloc(len); memset(status, 0, len); @@ -1743,7 +1747,7 @@ static uint8_t ep_enable(struct bt_bap_endpoint *ep, struct bt_bap *bap, return 0; } - return stream_enable(ep->stream, iov, rsp); + return stream_enable(ep->stream, &meta, rsp); } static uint8_t ascs_enable(struct bt_ascs *ascs, struct bt_bap *bap, |