From patchwork Fri Nov 3 18:21:47 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: =?utf-8?q?Jonas_Dre=C3=9Fler?= X-Patchwork-Id: 740800 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id D44FEC4167B for ; Fri, 3 Nov 2023 18:22:04 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233651AbjKCSWF (ORCPT ); Fri, 3 Nov 2023 14:22:05 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57168 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230197AbjKCSWE (ORCPT ); Fri, 3 Nov 2023 14:22:04 -0400 Received: from mout-p-102.mailbox.org (mout-p-102.mailbox.org [80.241.56.152]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 29845DB for ; Fri, 3 Nov 2023 11:22:01 -0700 (PDT) Received: from smtp1.mailbox.org (smtp1.mailbox.org [IPv6:2001:67c:2050:b231:465::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-102.mailbox.org (Postfix) with ESMTPS id 4SMTbm6dgbz9sdP; Fri, 3 Nov 2023 19:21:56 +0100 (CET) From: =?utf-8?q?Jonas_Dre=C3=9Fler?= To: linux-bluetooth@vger.kernel.org Cc: zbrown@gnome.org, =?utf-8?q?Jonas_Dre=C3=9Fler?= Subject: [PATCH BlueZ 1/4] lib/sdp: Allocate strings in sdp_data_t with NULL termination Date: Fri, 3 Nov 2023 19:21:47 +0100 Message-ID: <20231103182150.60088-2-verdre@v0yd.nl> In-Reply-To: <20231103182150.60088-1-verdre@v0yd.nl> References: <20231103182150.60088-1-verdre@v0yd.nl> MIME-Version: 1.0 X-Rspamd-Queue-Id: 4SMTbm6dgbz9sdP Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org In extract_str() we create sdp_data_t with strings and allocate sdp_data_t->val.str an extra 0-byte as NULL termination. In sdp_data_alloc_with_length() we're missing this, and strlen() in sdp_get_string_attr() ends up overrunning the sdpdata->val.str buffer looking for the NULL termination. Allocate the extra 0-byte for sdp_data_t->val.str to ensure this overrun can't happen. Co-developed-by: Zander Brown --- lib/sdp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/sdp.c b/lib/sdp.c index 844ae0d25..1565259a3 100644 --- a/lib/sdp.c +++ b/lib/sdp.c @@ -420,7 +420,7 @@ sdp_data_t *sdp_data_alloc_with_length(uint8_t dtd, const void *value, d->unitSize += length; if (length <= USHRT_MAX) { - d->val.str = malloc(length); + d->val.str = bt_malloc0(length + 1); if (!d->val.str) { free(d); return NULL;