From patchwork Fri Nov 3 18:21:47 2023
X-Patchwork-Submitter: Jonas Dreßler
X-Patchwork-Id: 740800
From: Jonas Dreßler
To: linux-bluetooth@vger.kernel.org
Cc: zbrown@gnome.org, Jonas Dreßler
Subject: [PATCH BlueZ 1/4] lib/sdp: Allocate strings in sdp_data_t with NULL termination
Date: Fri, 3 Nov 2023 19:21:47 +0100
Message-ID: <20231103182150.60088-2-verdre@v0yd.nl>
In-Reply-To: <20231103182150.60088-1-verdre@v0yd.nl>
References: <20231103182150.60088-1-verdre@v0yd.nl>

In extract_str() we create sdp_data_t with strings and allocate sdp_data_t->val.str an extra 0-byte as NULL termination. In sdp_data_alloc_with_length() we're missing this, and strlen() in sdp_get_string_attr() ends up overrunning the sdpdata->val.str buffer looking for the NULL termination.

Allocate the extra 0-byte for sdp_data_t->val.str to ensure this overrun can't happen.

Co-developed-by: Zander Brown
---
 lib/sdp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/sdp.c b/lib/sdp.c index 844ae0d25..1565259a3 100644 --- a/lib/sdp.c +++ b/lib/sdp.c
@@ -420,7 +420,7 @@ sdp_data_t *sdp_data_alloc_with_length(uint8_t dtd, const void *value, d->unitSize += length; if (length <= USHRT_MAX) { - d->val.str = malloc(length); + d->val.str = bt_malloc0(length + 1); if (!d->val.str) { free(d); return NULL; From patchwork Fri Nov 3 18:21:48 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: =?utf-8?q?Jonas_Dre=C3=9Fler?= X-Patchwork-Id: 741119 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9548CC4332F for ; Fri, 3 Nov 2023 18:22:05 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233816AbjKCSWG (ORCPT ); Fri, 3 Nov 2023 14:22:06 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57188 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233756AbjKCSWF (ORCPT ); Fri, 3 Nov 2023 14:22:05 -0400 Received: from mout-p-202.mailbox.org (mout-p-202.mailbox.org [80.241.56.172]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7D180CF for ; Fri, 3 Nov 2023 11:22:02 -0700 (PDT) Received: from smtp1.mailbox.org (smtp1.mailbox.org [10.196.197.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-202.mailbox.org (Postfix) with ESMTPS id 4SMTbq2vsdz9t1c; Fri, 3 Nov 2023 19:21:59 +0100 (CET) 
From: Jonas Dreßler
To: linux-bluetooth@vger.kernel.org
Cc: zbrown@gnome.org, Jonas Dreßler
Subject: [PATCH BlueZ 2/4] lib/sdp: Don't assume uint8_t has size 1
Date: Fri, 3 Nov 2023 19:21:48 +0100
Message-ID: <20231103182150.60088-3-verdre@v0yd.nl>
In-Reply-To: <20231103182150.60088-1-verdre@v0yd.nl>
References: <20231103182150.60088-1-verdre@v0yd.nl>

Assuming the size of uint8_t is bad practice, we use sizeof(uint8_t) everywhere else and the use of sizeof makes it clear we're accounting for the descriptor here rather than just randomly subtracting 1, so change that.

Co-developed-by: Zander Brown
---
 lib/sdp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/sdp.c b/lib/sdp.c index 1565259a3..006ab057a 100644 --- a/lib/sdp.c +++ b/lib/sdp.c
@@ -1505,7 +1505,7 @@ static void *sdp_data_value(sdp_data_t *data, uint32_t *len) case SDP_TEXT_STR32: val = data->val.str; if (len) - *len = data->unitSize - 1; + *len = data->unitSize - sizeof(uint8_t); break; case SDP_ALT8: case SDP_ALT16: From patchwork Fri Nov 3 18:21:49 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: =?utf-8?q?Jonas_Dre=C3=9Fler?= X-Patchwork-Id: 740799 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 71A10C4167D for ; Fri, 3 Nov 2023 18:22:07 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233947AbjKCSWI (ORCPT ); Fri, 3 Nov 2023 14:22:08 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44866 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233756AbjKCSWH (ORCPT ); Fri, 3 Nov 2023 14:22:07 -0400 Received: from mout-p-202.mailbox.org (mout-p-202.mailbox.org [80.241.56.172]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 204C6CF for ; Fri, 3 Nov 2023 11:22:05 -0700 (PDT) Received: from smtp1.mailbox.org (smtp1.mailbox.org [10.196.197.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-202.mailbox.org (Postfix) with ESMTPS id 4SMTbt0xmXz9t0M; Fri, 3 Nov 2023 19:22:02 +0100 (CET) 
From: Jonas Dreßler
To: linux-bluetooth@vger.kernel.org
Cc: zbrown@gnome.org, Jonas Dreßler
Subject: [PATCH BlueZ 3/4] lib/sdp: Use correct string length in sdp_copy_seq()
Date: Fri, 3 Nov 2023 19:21:49 +0100
Message-ID: <20231103182150.60088-4-verdre@v0yd.nl>
In-Reply-To: <20231103182150.60088-1-verdre@v0yd.nl>
References: <20231103182150.60088-1-verdre@v0yd.nl>

sdp_data_t->unitSize for strings in the SDP record is `sizeof(uint8_t) + strlen(str)`. The "length" argument of sdp_data_alloc_with_length() is expected to be only the length of the string (so `sdp_data_t->unitSize - sizeof(uint8_t)`).

Since the last commit, in sdp_copy_seq() we're allocating one byte too much for strings now, because the `sizeof(uint8_t)` is not subtracted from unitSize there.

Fix this by making use of the length returned by sdp_data_value() and pass that on to sdp_data_alloc_with_length().

Co-developed-by: Zander Brown
---
 lib/sdp.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/sdp.c b/lib/sdp.c index 006ab057a..4b10d8f67 100644 --- a/lib/sdp.c +++ b/lib/sdp.c
@@ -1527,10 +1527,10 @@ static sdp_data_t *sdp_copy_seq(sdp_data_t *data) for (tmp = data; tmp; tmp = tmp->next) { sdp_data_t *datatmp; void *value; + uint32_t len = 0; - value = sdp_data_value(tmp, NULL); - datatmp = sdp_data_alloc_with_length(tmp->dtd, value, - tmp->unitSize); + value = sdp_data_value(tmp, &len); + datatmp = sdp_data_alloc_with_length(tmp->dtd, value, len); if (cur) cur->next = datatmp; From patchwork Fri Nov 3 18:21:50 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: =?utf-8?q?Jonas_Dre=C3=9Fler?= X-Patchwork-Id: 741118 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8C3A9C0018C for ; Fri, 3 Nov 2023 18:22:10 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233997AbjKCSWL (ORCPT ); Fri, 3 Nov 2023 14:22:11 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44878 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233756AbjKCSWK (ORCPT ); Fri, 3 Nov 2023 14:22:10 -0400 Received: from mout-p-101.mailbox.org (mout-p-101.mailbox.org [80.241.56.151]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 48583D42 for ; Fri, 3 Nov 2023 11:22:08 -0700 (PDT) Received: from smtp1.mailbox.org (smtp1.mailbox.org [IPv6:2001:67c:2050:b231:465::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-101.mailbox.org (Postfix) with ESMTPS id 4SMTbv6w9Kz9sqJ; Fri, 3 Nov 2023 19:22:03 +0100 (CET) 
From: =?utf-8?q?Jonas_Dre=C3=9Fler?= To: linux-bluetooth@vger.kernel.org Cc: zbrown@gnome.org, =?utf-8?q?Jonas_Dre=C3=9Fler?= Subject: [PATCH BlueZ 4/4] lib/sdp: Pass size_t to sdp_get_string_attr() Date: Fri, 3 Nov 2023 19:21:50 +0100 Message-ID: <20231103182150.60088-5-verdre@v0yd.nl> In-Reply-To: <20231103182150.60088-1-verdre@v0yd.nl> References: <20231103182150.60088-1-verdre@v0yd.nl> MIME-Version: 1.0 X-Rspamd-Queue-Id: 4SMTbv6w9Kz9sqJ Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org We're currently type-casting the output of strlen(sdpdata->val.str) into an int, which is somewhat problematic given that strlen() can return values larger than sizeof(int). We can do better here and use size_t instead, so let's do that. While at it, also add a comment explaining why the check here is "smaller than" instead of "smaller than or equal". Co-developed-by: Zander Brown --- lib/sdp.c | 5 +++-- lib/sdp_lib.h | 14 +++++++------- 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/lib/sdp.c b/lib/sdp.c index 4b10d8f67..cff7e09fb 100644 --- a/lib/sdp.c +++ b/lib/sdp.c @@ -2180,13 +2180,14 @@ int sdp_get_int_attr(const sdp_record_t *rec, uint16_t attrid, int *value) } int sdp_get_string_attr(const sdp_record_t *rec, uint16_t attrid, char *value, - int valuelen) + size_t valuelen) { sdp_data_t *sdpdata = sdp_data_get(rec, attrid); if (sdpdata) /* Verify that it is what the caller expects */ if (SDP_IS_TEXT_STR(sdpdata->dtd)) - if ((int) strlen(sdpdata->val.str) < valuelen) { + /* Have to copy the NULL terminator too, so check len < valuelen */ + if (strlen(sdpdata->val.str) < valuelen) { strcpy(value, sdpdata->val.str); return 0; } diff --git a/lib/sdp_lib.h b/lib/sdp_lib.h index 22776b678..91d46f59d 100644 --- a/lib/sdp_lib.h +++ b/lib/sdp_lib.h 
@@ -141,7 +141,7 @@ int sdp_general_inquiry(inquiry_info *ii, int dev_num, int duration, uint8_t *fo /* flexible extraction of basic attributes - Jean II */ int sdp_get_int_attr(const sdp_record_t *rec, uint16_t attr, int *value); -int sdp_get_string_attr(const sdp_record_t *rec, uint16_t attr, char *value, int valuelen); +int sdp_get_string_attr(const sdp_record_t *rec, uint16_t attr, char *value, size_t valuelen); /* * Basic sdp data functions 
@@ -543,32 +543,32 @@ int sdp_get_service_avail(const sdp_record_t *rec, uint8_t *svcAvail); int sdp_get_service_ttl(const sdp_record_t *rec, uint32_t *svcTTLInfo); int sdp_get_database_state(const sdp_record_t *rec, uint32_t *svcDBState); -static inline int sdp_get_service_name(const sdp_record_t *rec, char *str, int len) +static inline int sdp_get_service_name(const sdp_record_t *rec, char *str, size_t len) { return sdp_get_string_attr(rec, SDP_ATTR_SVCNAME_PRIMARY, str, len); } -static inline int sdp_get_service_desc(const sdp_record_t *rec, char *str, int len) +static inline int sdp_get_service_desc(const sdp_record_t *rec, char *str, size_t len) { return sdp_get_string_attr(rec, SDP_ATTR_SVCDESC_PRIMARY, str, len); } -static inline int sdp_get_provider_name(const sdp_record_t *rec, char *str, int len) +static inline int sdp_get_provider_name(const sdp_record_t *rec, char *str, size_t len) { return sdp_get_string_attr(rec, SDP_ATTR_PROVNAME_PRIMARY, str, len); } -static inline int sdp_get_doc_url(const sdp_record_t *rec, char *str, int len) +static inline int sdp_get_doc_url(const sdp_record_t *rec, char *str, size_t len) { return sdp_get_string_attr(rec, SDP_ATTR_DOC_URL, str, len); } -static inline int sdp_get_clnt_exec_url(const sdp_record_t *rec, char *str, int len) +static inline int sdp_get_clnt_exec_url(const sdp_record_t *rec, char *str, size_t len) { return sdp_get_string_attr(rec, SDP_ATTR_CLNT_EXEC_URL, str, len); } -static inline int sdp_get_icon_url(const sdp_record_t *rec, char *str, int len) +static inline int sdp_get_icon_url(const sdp_record_t *rec, char *str, size_t len) { return sdp_get_string_attr(rec, SDP_ATTR_ICON_URL, str, len); }
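
Review bot: In patch 1/4, the `bt_malloc0(length + 1)` line in sdp_data_alloc_with_length() carries no comment saying what the extra byte is for; the reason (strlen() in sdp_get_string_attr() needs a terminator) is recorded only in the commit message. A one-line comment above the allocation, for example `/* +1 so val.str is always NUL-terminated */`, would keep a later cleanup from dropping it. The `length <= USHRT_MAX` guard in the same hunk already keeps `length + 1` from overflowing, so no further check is needed on that line.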
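
Review bot: In patch 2/4, the `*len = data->unitSize - sizeof(uint8_t);` line in sdp_data_value() subtracts without checking that unitSize is at least one, and the result lands in a `uint32_t`, so a unitSize of 0 would wrap to a very large length. This matters more once patch 3/4 passes that value on to sdp_data_alloc_with_length(). Consider guarding the subtraction (set `*len` to 0 when unitSize is smaller than the descriptor) or stating in a comment where unitSize is guaranteed to include the descriptor byte. Since sizeof(uint8_t) is 1 wherever uint8_t exists, the computed value itself is unchanged by this hunk.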
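
Review bot: In patch 3/4, `len` in sdp_copy_seq() is initialised to 0 and only changes if sdp_data_value() writes to it, and the only case visible in this series that does so is the text-string case touched by patch 2/4. For any data type where sdp_data_value() leaves it untouched, sdp_data_alloc_with_length() now receives 0 where it used to receive `tmp->unitSize`. Please confirm that every type whose allocation depends on the length argument sets `*len`, and say so in the commit message.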
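
Review bot: In patch 4/4, removing the `(int)` cast in the lib/sdp.c hunk changes what sdp_get_string_attr() does when a caller passes a negative length. The old comparison `(int) strlen(sdpdata->val.str) < valuelen` was false for a negative valuelen, whereas with `size_t valuelen` the same argument converts to a very large value, the check passes and strcpy() runs. Callers that compute the length as an int should be audited as part of this change. As a wording nit, the new comment should say "NUL terminator" rather than "NULL terminator".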
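
Review bot: In patch 4/4, the prototype change at line 141 of lib/sdp_lib.h alters the signature of a non-static library function declared in a public header, and on 64-bit targets the last parameter widens from `int` to `size_t`. Programs built against the old header would call the new function with an int-sized argument, so the commit message should address API and ABI compatibility and whatever versioning step the project uses for such changes.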