| Commit message | Author | Age | Files | Lines |
bt_string_to_uuid shall check if the string is valid before attempting
to access its contents.
Use strtoul to prevent 32 bit overflow
Reviewed-by: Yun-Hao Chung <howardchung@chromium.org>
This patch adds SPDX License Identifier and removes the license text.
-------------------------------------
License COUNT
-------------------------------------
GPL-2.0-or-later : 18
GPL-2.0-only : 1
License: GPL-2.0-or-later
lib/sco.h
lib/sdp.c
lib/a2mp.h
lib/uuid.h
lib/bluetooth.h
lib/hidp.h
lib/rfcomm.h
lib/hci.c
lib/sdp.h
lib/sdp_lib.h
lib/bluetooth.c
lib/mgmt.h
lib/hci.h
lib/uuid.c
lib/l2cap.h
lib/bnep.h
lib/hci_lib.h
lib/cmtp.h
License: GPL-2.0-only
lib/amp.h
The strings passed to bt_uuid_strcmp may not be valid UUIDs so the return
of bt_string_to_uuid needs to be checked otherwise bt_uuid_cmp may attempt
to access uninitialized values:
Conditional jump or move depends on uninitialised value(s)
at 0x4C1D4D: bt_uuid_to_uuid128 (uuid.c:78)
by 0x4C1F22: bt_uuid_cmp (uuid.c:131)
by 0x4C24A8: bt_uuid_strcmp (uuid.c:286)
by 0x40F8A8: reconnect_match (policy.c:514)
by 0x40F8A8: service_cb (policy.c:655)
by 0x499331: change_state (service.c:109)
by 0x499BBB: btd_service_connecting_complete (service.c:361)
by 0x4178C1: stream_state_changed (source.c:163)
by 0x422C78: avdtp_sep_set_state (avdtp.c:1013)
by 0x42372A: handle_transport_connect (avdtp.c:844)
by 0x423D8B: avdtp_connect_cb (avdtp.c:2326)
by 0x465BBB: connect_cb (btio.c:232)
by 0x50CA702: g_main_context_dispatch (in /usr/lib64/libglib-2.0.so.0.4800.1)
Uninitialised value was created by a stack allocation
at 0x4C2460: bt_uuid_strcmp (uuid.c:280)
scanf requires that '[' conversion specifiers have enough room for all
characters in the string, _plus a terminating null byte_. We were
previously not providing room for the terminating null byte.
This was detected by AddressSanitizer:
==15036==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe4e774401 at pc 0x7fd33f572c98 bp 0x7ffe4e774270 sp 0x7ffe4e7739f8
WRITE of size 2 at 0x7ffe4e774401 thread T0
#0 0x7fd33f572c97 in scanf_common /build/gcc-multilib/src/gcc-5-20160209/libsanitizer/sanitizer_common/sanitizer_common_interceptors_format.inc:340
#1 0x7fd33f5739ea in __interceptor_vsscanf /build/gcc-multilib/src/gcc-5-20160209/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:769
#2 0x7fd33f573b49 in __interceptor_sscanf /build/gcc-multilib/src/gcc-5-20160209/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:793
#3 0x650db5 in is_base_uuid128 lib/uuid.c:191
#4 0x65196e in bt_string_to_uuid lib/uuid.c:267
#5 0x56f28e in parse_uuid src/gatt-database.c:1473
#6 0x5729e0 in database_add_service src/gatt-database.c:2053
#7 0x57329f in database_add_app src/gatt-database.c:2106
#8 0x573adc in client_ready_cb src/gatt-database.c:2211
#9 0x6695fd in get_managed_objects_reply gdbus/client.c:1097
#10 0x7fd33efd5391 (/usr/lib/libdbus-1.so.3+0x13391)
#11 0x7fd33efd8db0 in dbus_connection_dispatch (/usr/lib/libdbus-1.so.3+0x16db0)
#12 0x651ecd in message_dispatch gdbus/mainloop.c:72
#13 0x7fd33f25cc39 in g_main_context_dispatch (/usr/lib/libglib-2.0.so.0+0x49c39)
#14 0x7fd33f25cfdf (/usr/lib/libglib-2.0.so.0+0x49fdf)
#15 0x7fd33f25d301 in g_main_loop_run (/usr/lib/libglib-2.0.so.0+0x4a301)
#16 0x54b7d1 in main src/main.c:687
#17 0x7fd33d90870f in __libc_start_main (/usr/lib/libc.so.6+0x2070f)
#18 0x40bba8 in _start (/home/cody/g/bluez/src/bluetoothd+0x40bba8)
Address 0x7ffe4e774401 is located in stack of thread T0 at offset 33 in frame
#0 0x650ccd in is_base_uuid128 lib/uuid.c:184
This frame has 2 object(s):
[32, 33) 'dummy' <== Memory access at offset 33 overflows this variable
[96, 98) 'uuid'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /build/gcc-multilib/src/gcc-5-20160209/libsanitizer/sanitizer_common/sanitizer_common_interceptors_format.inc:340 scanf_common
Shadow bytes around the buggy address:
==15036==ABORTING
The convention has been to use 128-bit UUID strings so other types must
be converted first.
bt_uuid_strcmp shall first convert the strings to bt_uuid_t using
bt_string_to_uuid since bt_uuid_to_string can produce different formats
depending on the type.
bt_uuid_to_le is currently broken if the src uuid is type 32 bits since
it does the conversion to 128 bits but still uses the original value to
swap instead of the converted one.
The convention is that 128-bit UUIDs are always defined in big-endian format,
therefore the bytes always need to be swapped.
This adds bt_uuid_to_le and replaces the use of put_uuid_le.
When converting a UUID from string to bt_uuid_t, prefer using
the 16-bit version when possible, which should generate shorter
sequences by increasing the number of 16-bit types.
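Several of the commits above (validating the string in bt_string_to_uuid, parsing with strtoul, checking the return value before comparing, sizing buffers for scanf's '[' conversion, and preferring the 16-bit form) all concern one parsing routine. The following is an added example, not BlueZ's code: a simplified parser that applies all of them. struct my_uuid, parse_hex and string_to_uuid are hypothetical names, and only 16-bit, 32-bit and base-form 128-bit strings are handled.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct my_uuid { int type; uint32_t value; };  /* hypothetical, not bt_uuid_t */

/* Hex digits only (no sign, space or 0x), then strtoul rather than strtol so
 * "ffffffff" cannot overflow a signed 32-bit long. Returns 0 or -EINVAL. */
static int parse_hex(const char *s, uint32_t *out)
{
	size_t len = strlen(s);
	unsigned long v;
	char *end;

	if (len == 0 || len > 8)
		return -EINVAL;
	for (size_t i = 0; i < len; i++)
		if (!isxdigit((unsigned char)s[i]))
			return -EINVAL;
	v = strtoul(s, &end, 16);
	if (*end != '\0' || v > UINT32_MAX)
		return -EINVAL;
	*out = (uint32_t)v;
	return 0;
}

/* 0 on success, -EINVAL on a malformed string: callers must check this before
 * comparing, or they read an uninitialised *u. A base UUID string
 * 0000xxxx-0000-1000-8000-00805f9b34fb (either case) collapses to the 16-bit
 * form. %N[...] stores up to N chars plus a NUL, so each buffer is N+1 bytes;
 * a 1-byte buffer behind %1[...] is exactly the overflow ASan reported above. */
int string_to_uuid(const char *s, struct my_uuid *u)
{
	char hex[5], f1[2], b1[2], f2[2], b2[2];
	size_t len = strlen(s);
	uint32_t v;

	if (len == 36) {
		if (sscanf(s, "0000%4[0-9a-fA-F]-0000-1000-8000-00805%1[fF]9%1[bB]34%1[fF]%1[bB]",
			   hex, f1, b1, f2, b2) != 5 || parse_hex(hex, &v) != 0)
			return -EINVAL;
		u->type = 16; u->value = v; return 0;
	}
	if ((len == 4 || len == 8) && parse_hex(s, &v) == 0) {
		u->type = len == 4 ? 16 : 32; u->value = v; return 0;
	}
	return -EINVAL;
}
```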
As described in coding style M10.
16 and 32-bit UUIDs are always created using host order. However,
no matter the system type, 128-bit UUID must use big-endian byte
order format (similar to human-readable format).
bt_uuid_to_string() helper should get the raw UUID value. Caller should
convert the 128-bit UUID before calling this helper (if applicable).
bt_uuid_t stores 128-bit UUID using big-endian format (human-readable
format), so swapping byte order is not necessary.
No matter the system, 128-bit UUIDs should not be converted to any byte
order when creating the UUID. Conversion to big/little endian should be
performed when transferring the data over-the-air only. bt_uuid_t should
handle 128-bit UUID on big-endian format (human-readable format).
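The endianness rules stated in the commits above (128-bit UUIDs stored big-endian, 16/32-bit values in host order, swapping only when producing the over-the-air form, and swapping the converted rather than the original value in the 32-bit case), as an added example that is not BlueZ's code; struct my_uuid, my_uuid_to_uuid128 and my_uuid_to_le are hypothetical names.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical simplified UUID type for this example, not BlueZ's bt_uuid_t:
 * 16/32-bit values are host-order integers, the 128-bit form is kept as the
 * 16 big-endian (human-readable order) bytes the commits above describe. */
struct my_uuid {
	int type;            /* 16, 32 or 128 */
	uint32_t value;      /* used when type is 16 or 32 */
	uint8_t u128[16];    /* used when type is 128 */
};

/* Bluetooth base UUID 00000000-0000-1000-8000-00805f9b34fb, big-endian. */
static const uint8_t base_uuid[16] = {
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00,
	0x80, 0x00, 0x00, 0x80, 0x5f, 0x9b, 0x34, 0xfb,
};

/* Widen any type to 128 bits: the short value goes into the first four bytes,
 * most significant first. Shifting the host integer makes this independent of
 * the CPU's endianness, which is why 16/32-bit values can stay in host order. */
void my_uuid_to_uuid128(const struct my_uuid *src, struct my_uuid *dst)
{
	if (src->type == 128) {
		*dst = *src;
		return;
	}
	dst->type = 128;
	dst->value = 0;
	memcpy(dst->u128, base_uuid, sizeof(base_uuid));
	dst->u128[0] = src->value >> 24;
	dst->u128[1] = src->value >> 16;
	dst->u128[2] = src->value >> 8;
	dst->u128[3] = src->value;
}

/* The 16 little-endian bytes sent over the air. The 32-bit bug described
 * above came from swapping the original value; here only the converted
 * tmp is ever swapped, so all three types take the same path. */
void my_uuid_to_le(const struct my_uuid *src, uint8_t out[16])
{
	struct my_uuid tmp;

	my_uuid_to_uuid128(src, &tmp);
	for (int i = 0; i < 16; i++)
		out[i] = tmp.u128[15 - i];
}
```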
This reverts commit 8a03376544b046a84301847d1594f6c3674983ff.
The patch needs to be split up and the gdbus/ changes were bogus
compared to the original commit message.
Conflicts:
Makefile.am
Makefile.obexd
profiles/cyclingspeed/cyclingspeed.c
profiles/heartrate/heartrate.c
src/error.c
Instead of trying to include config.h in each file over the tree and
possibly forgetting to include it, give a "-include config.h" argument
to the compiler so it's guaranteed that a) it will be included for all
source files and b) it will be the first header included.
gdbus/ directory is left out, since it would break other projects using
it.
Prior to this commit, the assignments were made with memcpy(). This can
be unsafe and less readable, therefore it was replaced with code like:
<dst> = *src;
This also allows more compiler safety checks.
This patch adds more functions that are necessary to handle the new
bt_uuid_t type, and moves basic things like byte-swapping functions and
uint128_t type to bluetooth.h.
New UUID functions will store the UUIDs values on host order. Added
functions to create, compare and convert UUIDs.