* [PATCH] attrib-server: Allow zero length attribute update
@ 2012-05-28 18:33 Ido Yariv
  2012-05-28 19:51 ` Vinicius Costa Gomes
  2012-05-28 20:09 ` Johan Hedberg
  0 siblings, 2 replies; 3+ messages in thread
From: Ido Yariv @ 2012-05-28 18:33 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: Ido Yariv

attrib_db_update always fails when g_try_realloc returns NULL, not
taking into account that the length passed to g_try_realloc could be
zero. In this case, g_try_realloc frees the currently allocated memory
and returns NULL.
As a result, not only will attrib_db_update fail needlessly, a
use-after-free could occur as the attribute's length will still hold the
length of the freed buffer.

Fix this by only returning an error if the length is non-zero.
---
 src/attrib-server.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/src/attrib-server.c b/src/attrib-server.c
index 3291e2d..dd1bba4 100644
--- a/src/attrib-server.c
+++ b/src/attrib-server.c
@@ -1456,7 +1456,7 @@ int attrib_db_update(struct btd_adapter *adapter, uint16_t handle,
 	a = dl->data;
 
 	a->data = g_try_realloc(a->data, len);
-	if (a->data == NULL)
+	if (len && a->data == NULL)
 		return -ENOMEM;
 
 	a->len = len;
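Review bot: the assignment `a->data = g_try_realloc(a->data, len);` still overwrites the only pointer to the old buffer before the result is checked, so on the remaining `-ENOMEM` path (non-zero `len`) the original allocation is leaked and `a->data` is left NULL while `a->len` keeps the old length. Consider assigning the result to a temporary and storing it in `a->data` only after the check passes. A one-line comment next to `if (len && a->data == NULL)` saying that a zero-length realloc frees the buffer and returns NULL would also save the next reader from "fixing" the condition back.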
-- 
1.7.7.6
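Added example, not code from the patch or from the project: a minimal C model of the state the commit message describes, running the pre-patch and post-patch checks over the same zero-length update. `struct attribute`, `try_realloc` (a stand-in for `g_try_realloc`), `update`, `consistent` and the copy step are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in: only the two fields visible in the patch. */
struct attribute { uint8_t *data; size_t len; };

/* Stand-in for g_try_realloc() as the commit message describes it:
 * a zero size frees the buffer and returns NULL. */
static void *try_realloc(void *mem, size_t n)
{
	if (n == 0) {
		free(mem);
		return NULL;
	}
	return realloc(mem, n);
}

/* Update with the pre-patch (strict=1) or post-patch (strict=0) check. */
static int update(struct attribute *a, const uint8_t *v, size_t len, int strict)
{
	a->data = try_realloc(a->data, len);
	if ((strict || len) && a->data == NULL)
		return -ENOMEM;	/* strict and len == 0: a->len stays stale */
	a->len = len;
	if (len)		/* copy step is assumed, not shown in the hunk */
		memcpy(a->data, v, len);
	return 0;
}

/* Consistent means a non-zero length always has a live buffer behind it. */
static int consistent(const struct attribute *a)
{
	return a->data != NULL || a->len == 0;
}

int main(void)
{
	for (int strict = 1; strict >= 0; strict--) {
		struct attribute a = { malloc(4), 4 };	/* constructed sample */
		int rc = update(&a, NULL, 0, strict);
		printf("%s-patch: rc=%d len=%zu consistent=%d\n",
		       strict ? "pre" : "post", rc, a.len, consistent(&a));
	}
	return 0;
}
```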



* Re: [PATCH] attrib-server: Allow zero length attribute update
  2012-05-28 18:33 [PATCH] attrib-server: Allow zero length attribute update Ido Yariv
@ 2012-05-28 19:51 ` Vinicius Costa Gomes
  2012-05-28 20:09 ` Johan Hedberg
  1 sibling, 0 replies; 3+ messages in thread
From: Vinicius Costa Gomes @ 2012-05-28 19:51 UTC (permalink / raw)
  To: Ido Yariv; +Cc: linux-bluetooth

Hi Ido,

On 21:33 Mon 28 May, Ido Yariv wrote:
> attrib_db_update always fails when g_try_realloc returns NULL, not
> taking into account that the length passed to g_try_realloc could be
> zero. In this case, g_try_realloc frees the currently allocated memory
> and returns NULL.
> As a result, not only will attrib_db_update fail needlessly, a
> use-after-free could occur as the attribute's length will still hold the
> length of the freed buffer.
> 
> Fix this by only returning an error if the length is non-zero.
> ---

Patch looks good.

>  src/attrib-server.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/src/attrib-server.c b/src/attrib-server.c
> index 3291e2d..dd1bba4 100644
> --- a/src/attrib-server.c
> +++ b/src/attrib-server.c
> @@ -1456,7 +1456,7 @@ int attrib_db_update(struct btd_adapter *adapter, uint16_t handle,
>  	a = dl->data;
>  
>  	a->data = g_try_realloc(a->data, len);
> -	if (a->data == NULL)
> +	if (len && a->data == NULL)
>  		return -ENOMEM;
>  
>  	a->len = len;
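Review bot: with `len == 0` the function now falls through the check with `a->data == NULL` and reaches `a->len = len;`, so a NULL data pointer becomes a valid state for an attribute. The commit message should state that explicitly, and it is worth confirming that whatever follows `a->len = len;` in this function, and every reader of `a->data`, accepts a NULL pointer together with a zero length.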
> -- 
> 1.7.7.6
> 


Cheers,
-- 
Vinicius


* Re: [PATCH] attrib-server: Allow zero length attribute update
  2012-05-28 18:33 [PATCH] attrib-server: Allow zero length attribute update Ido Yariv
  2012-05-28 19:51 ` Vinicius Costa Gomes
@ 2012-05-28 20:09 ` Johan Hedberg
  1 sibling, 0 replies; 3+ messages in thread
From: Johan Hedberg @ 2012-05-28 20:09 UTC (permalink / raw)
  To: Ido Yariv; +Cc: linux-bluetooth

Hi Ido,

On Mon, May 28, 2012, Ido Yariv wrote:
> attrib_db_update always fails when g_try_realloc returns NULL, not
> taking into account that the length passed to g_try_realloc could be
> zero. In this case, g_try_realloc frees the currently allocated memory
> and returns NULL.
> As a result, not only will attrib_db_update fail needlessly, a
> use-after-free could occur as the attribute's length will still hold the
> length of the freed buffer.
> 
> Fix this by only returning an error if the length is non-zero.
> ---
>  src/attrib-server.c |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)

Applied. Thanks.

Johan

