Linux-Bluetooth Archive mirror
* [PATCH BlueZ 0/1] Fix crash in iov_append_ltv function
@ 2024-03-20 21:03 Silviu Florian Barbulescu
  2024-03-20 21:03 ` [PATCH BlueZ 1/1] " Silviu Florian Barbulescu
  2024-03-22 10:10 ` [PATCH BlueZ 0/1] " patchwork-bot+bluetooth
  0 siblings, 2 replies; 4+ messages in thread
From: Silviu Florian Barbulescu @ 2024-03-20 21:03 UTC
  To: linux-bluetooth
  Cc: mihai-octavian.urzica, silviu.barbulescu, vlad.pruteanu,
	andrei.istodorescu, luiz.dentz, iulia.tanasescu

Fix function iov_append_ltv crashes because it is not reallocating memory.
Use util_ltv_push from util.c.

[bluetooth]# [NEW] Endpoint /org/bluez/hci0/pac_bcast0
[bluetooth]# Endpoint /local/endpoint/ep0 registered
endpoint.config /org/bluez/hci0/pac_bcast0 /local/endpoint/ep0 48_4_1
[/local/endpoint/ep0] BIG (auto/value): 0
[/local/endpoint/ep0] Enter channel location (value/no): 3
==80806==ERROR: AddressSanitizer: heap-buffer-overflow on
address 0x60200000a8ba at pc 0x561971611e0e bp 0x7ffd45ab1f00
sp 0x7ffd45ab1ef0 WRITE of size 1 at 0x60200000a8ba thread T0
0x561971611e0d in put_u8 src/shared/util.h:254
0x561971611e0d in util_iov_push_u8 src/shared/util.c:534
0x5619715c28f0 in iov_append_ltv client/player.c:3565
0x5619715c28f0 in config_endpoint_channel_location client/player.c:3593
0x5619716226ce in bt_shell_release_prompt src/shared/shell.c:744
0x561971623087 in rl_handler src/shared/shell.c:769

Silviu Florian Barbulescu (1):
  Fix crash in iov_append_ltv function

 client/player.c | 18 +-----------------
 1 file changed, 1 insertion(+), 17 deletions(-)


base-commit: b8ad3490a3507476844d6c6a87b2cb336f7d4eb9
-- 
2.39.2



* [PATCH BlueZ 1/1] Fix crash in iov_append_ltv function
  2024-03-20 21:03 [PATCH BlueZ 0/1] Fix crash in iov_append_ltv function Silviu Florian Barbulescu
@ 2024-03-20 21:03 ` Silviu Florian Barbulescu
  2024-03-20 22:38   ` bluez.test.bot
  2024-03-22 10:10 ` [PATCH BlueZ 0/1] " patchwork-bot+bluetooth
  1 sibling, 1 reply; 4+ messages in thread
From: Silviu Florian Barbulescu @ 2024-03-20 21:03 UTC
  To: linux-bluetooth
  Cc: mihai-octavian.urzica, silviu.barbulescu, vlad.pruteanu,
	andrei.istodorescu, luiz.dentz, iulia.tanasescu

Fix function iov_append_ltv crashes because it is not reallocating memory.
Use util_ltv_push from util.c.

[bluetooth]# [NEW] Endpoint /org/bluez/hci0/pac_bcast0
[bluetooth]# Endpoint /local/endpoint/ep0 registered
endpoint.config /org/bluez/hci0/pac_bcast0 /local/endpoint/ep0 48_4_1
[/local/endpoint/ep0] BIG (auto/value): 0
[/local/endpoint/ep0] Enter channel location (value/no): 3
=================================================================
==80806==ERROR: AddressSanitizer: heap-buffer-overflow on
 address 0x60200000a8ba at pc 0x561971611e0e bp 0x7ffd45ab1f00
 sp 0x7ffd45ab1ef0 WRITE of size 1 at 0x60200000a8ba thread T0
  0x561971611e0d in put_u8 src/shared/util.h:254
  0x561971611e0d in util_iov_push_u8 src/shared/util.c:534
  0x5619715c28f0 in iov_append_ltv client/player.c:3565
  0x5619715c28f0 in config_endpoint_channel_location client/player.c:3593
  0x5619716226ce in bt_shell_release_prompt src/shared/shell.c:744
  0x561971623087 in rl_handler src/shared/shell.c:769
---
 client/player.c | 18 +-----------------
 1 file changed, 1 insertion(+), 17 deletions(-)

diff --git a/client/player.c b/client/player.c
index ab33bfc46..d3ff15adb 100644
--- a/client/player.c
+++ b/client/player.c
@@ -3553,22 +3553,6 @@ done:
 	endpoint_set_config(cfg);
 }
 
-static struct iovec *iov_append_ltv(struct iovec **iov, uint8_t l,
-					uint8_t t, void *v)
-{
-	if (!*iov)
-		*iov = new0(struct iovec, 1);
-
-	if (!((*iov)->iov_base))
-		(*iov)->iov_base = new0(uint8_t, l + 1);
-
-	util_iov_push_u8(*iov, l);
-	util_iov_push_u8(*iov, t);
-	util_iov_push_mem(*iov, l - 1, v);
-
-	return *iov;
-}
-
 static void config_endpoint_channel_location(const char *input, void *user_data)
 {
 	struct endpoint_config *cfg = user_data;
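Review bot: the root cause is visible in the removed helper: `(*iov)->iov_base` is allocated only on the `!((*iov)->iov_base)` path, sized `l + 1` for exactly one LTV (one length byte, one type byte, `l - 1` value bytes), and never grown afterwards. So whenever `cfg->caps` already holds data, the first `util_iov_push_u8(*iov, l)` (line 3565 counting from the `@@ -3553` header, which is the frame in the ASan trace) writes one byte past the end of the heap block. Dropping the helper in favour of the shared util_ltv_push is the right fix; since the function is static and its only call site is changed in the next hunk, the passing BluezMake CI run confirms no other user remains. It would help to state in the commit message which earlier step fills caps, so the reproduction (endpoint.config followed by channel location 3) is understandable without reading the trace.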
@@ -3587,7 +3571,7 @@ static void config_endpoint_channel_location(const char *input, void *user_data)
 
 	/* Add Channel Allocation LTV in capabilities */
 	location = cpu_to_le32(location);
-	iov_append_ltv(&cfg->caps, LC3_CONFIG_CHAN_ALLOC_LEN,
+	util_ltv_push(cfg->caps, LC3_CONFIG_CHAN_ALLOC_LEN - 1,
 			LC3_CONFIG_CHAN_ALLOC, &location);
 
 add_meta:
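Review bot: the call now passes `cfg->caps` by value where the removed helper took `&cfg->caps` and allocated it when NULL (`if (!*iov) *iov = new0(struct iovec, 1);`). If caps can still be NULL when the channel location prompt is answered, util_ltv_push has no iovec to push into, so either the config flow must guarantee caps was allocated earlier or a NULL check belongs before this call. The length argument also changes from `LC3_CONFIG_CHAN_ALLOC_LEN` to `LC3_CONFIG_CHAN_ALLOC_LEN - 1`; this is consistent with the old helper pushing `l - 1` value bytes (its length byte covered type plus value) while util_ltv_push apparently takes the value length alone and accounts for the type byte itself, but the commit message should say so, because read cold the `- 1` looks like an off-by-one.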
-- 
2.39.2



* RE: Fix crash in iov_append_ltv function
  2024-03-20 21:03 ` [PATCH BlueZ 1/1] " Silviu Florian Barbulescu
@ 2024-03-20 22:38   ` bluez.test.bot
  0 siblings, 0 replies; 4+ messages in thread
From: bluez.test.bot @ 2024-03-20 22:38 UTC
  To: linux-bluetooth, silviu.barbulescu


This is an automated email, please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=836840

---Test result---

Test Summary:
CheckPatch                    PASS      0.56 seconds
GitLint                       PASS      0.40 seconds
BuildEll                      PASS      24.46 seconds
BluezMake                     PASS      1649.90 seconds
MakeCheck                     PASS      13.13 seconds
MakeDistcheck                 PASS      176.79 seconds
CheckValgrind                 PASS      246.92 seconds
CheckSmatch                   PASS      349.41 seconds
bluezmakeextell               PASS      119.45 seconds
IncrementalBuild              PASS      1431.16 seconds
ScanBuild                     PASS      1008.29 seconds



---
Regards,
Linux Bluetooth



* Re: [PATCH BlueZ 0/1] Fix crash in iov_append_ltv function
  2024-03-20 21:03 [PATCH BlueZ 0/1] Fix crash in iov_append_ltv function Silviu Florian Barbulescu
  2024-03-20 21:03 ` [PATCH BlueZ 1/1] " Silviu Florian Barbulescu
@ 2024-03-22 10:10 ` patchwork-bot+bluetooth
  1 sibling, 0 replies; 4+ messages in thread
From: patchwork-bot+bluetooth @ 2024-03-22 10:10 UTC
  To: Silviu Florian Barbulescu
  Cc: linux-bluetooth, mihai-octavian.urzica, vlad.pruteanu,
	andrei.istodorescu, luiz.dentz, iulia.tanasescu

Hello:

This patch was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Wed, 20 Mar 2024 23:03:49 +0200 you wrote:
> Fix function iov_append_ltv crashes because it is not reallocating memory.
> Use util_ltv_push from util.c.
> 
> [bluetooth]# [NEW] Endpoint /org/bluez/hci0/pac_bcast0
> [bluetooth]# Endpoint /local/endpoint/ep0 registered
> endpoint.config /org/bluez/hci0/pac_bcast0 /local/endpoint/ep0 48_4_1
> [/local/endpoint/ep0] BIG (auto/value): 0
> [/local/endpoint/ep0] Enter channel location (value/no): 3
> ==80806==ERROR: AddressSanitizer: heap-buffer-overflow on
> address 0x60200000a8ba at pc 0x561971611e0e bp 0x7ffd45ab1f00
> sp 0x7ffd45ab1ef0 WRITE of size 1 at 0x60200000a8ba thread T0
> 0x561971611e0d in put_u8 src/shared/util.h:254
> 0x561971611e0d in util_iov_push_u8 src/shared/util.c:534
> 0x5619715c28f0 in iov_append_ltv client/player.c:3565
> 0x5619715c28f0 in config_endpoint_channel_location client/player.c:3593
> 0x5619716226ce in bt_shell_release_prompt src/shared/shell.c:744
> 0x561971623087 in rl_handler src/shared/shell.c:769
> 
> [...]

Here is the summary with links:
  - [BlueZ,1/1] Fix crash in iov_append_ltv function
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=bbf198280e70

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



