[BlueZ PATCH] monitor/sdp: Fixes out-of-bounds array access

[BlueZ PATCH] monitor/sdp: Fixes out-of-bounds array access

[Tedd Ho-Jeong An]

From: Tedd Ho-Jeong An <tedd.an@intel.com>

This patch fixes the out-of-bounds array access caught by the ASAN.

monitor/sdp.c:497:19: runtime error: index 8 out of bounds for type 'cont_data [8]'
=================================================================
==4180==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fe2d271a542 at pc 0x7fe2d174a57d bp 0x7ffc6dcac1d0 sp 0x7ffc6dcab978
WRITE of size 9 at 0x7fe2d271a542 thread T0
    #0 0x7fe2d174a57c  (/lib/x86_64-linux-gnu/libasan.so.5+0x9b57c)
    #1 0x7fe2d23bae85 in search_attr_rsp monitor/sdp.c:692
    #2 0x7fe2d23be3f1 in sdp_packet monitor/sdp.c:771
    #3 0x7fe2d23b004c in l2cap_frame monitor/l2cap.c:3247
    #4 0x7fe2d23b3d9c in l2cap_packet monitor/l2cap.c:3312
    #5 0x7fe2d237d5c3 in packet_hci_acldata monitor/packet.c:11638
    #6 0x7fe2d2381876 in packet_monitor monitor/packet.c:3967
    #7 0x7fe2d230b285 in data_callback monitor/control.c:973
    #8 0x7fe2d2447029 in mainloop_run src/shared/mainloop.c:106
    #9 0x7fe2d2449306 in mainloop_run_with_signal src/shared/mainloop-notify.c:188
    #10 0x7fe2d230324a in main monitor/main.c:290
    #11 0x7fe2d0b440b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #12 0x7fe2d2303b7d in _start (/home/han1/work/dev/bluez/monitor/btmon+0x1dbb7d)

0x7fe2d271a542 is located 30 bytes to the left of global variable 'tid_list' defined in 'monitor/sdp.c:43:24' (0x7fe2d271a560) of size 384
0x7fe2d271a542 is located 2 bytes to the right of global variable 'cont_list' defined in 'monitor/sdp.c:424:25' (0x7fe2d271a400) of size 320
SUMMARY: AddressSanitizer: global-buffer-overflow (/lib/x86_64-linux-gnu/libasan.so.5+0x9b57c)
...
==4180==ABORTING
---
 monitor/sdp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/monitor/sdp.c b/monitor/sdp.c
index 10bc0a121..daf9a9da8 100644
--- a/monitor/sdp.c
+++ b/monitor/sdp.c
@@ -494,7 +494,7 @@ static void handle_continuation(struct tid_data *tid, bool nested,
 		cont_list[n].data = NULL;
 		cont_list[n].size = 0;
 	} else
-		memcpy(cont_list[i].cont, data + bytes, data[bytes] + 1);
+		memcpy(cont_list[n].cont, data + bytes, data[bytes] + 1);
 }
 
 static uint16_t common_rsp(const struct l2cap_frame *frame,
-- 
2.25.1

RE: [BlueZ] monitor/sdp: Fixes out-of-bounds array access

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 3372 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=612901

---Test result---

Test Summary:
CheckPatch                    FAIL      1.41 seconds
GitLint                       FAIL      1.05 seconds
Prep - Setup ELL              PASS      51.63 seconds
Build - Prep                  PASS      0.86 seconds
Build - Configure             PASS      10.23 seconds
Build - Make                  PASS      1681.24 seconds
Make Check                    PASS      12.47 seconds
Make Check w/Valgrind         PASS      530.25 seconds
Make Distcheck                PASS      281.65 seconds
Build w/ext ELL - Configure   PASS      10.50 seconds
Build w/ext ELL - Make        PASS      1733.06 seconds
Incremental Build with patchesPASS      0.00 seconds

Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script with rule in .checkpatch.conf
Output:
[BlueZ] monitor/sdp: Fixes out-of-bounds array access
WARNING:COMMIT_LOG_LONG_LINE: Possible unwrapped commit description (prefer a maximum 75 chars per line)
#83: 
==4180==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fe2d271a542 at pc 0x7fe2d174a57d bp 0x7ffc6dcac1d0 sp 0x7ffc6dcab978

/github/workspace/src/12741392.patch total: 0 errors, 1 warnings, 8 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

/github/workspace/src/12741392.patch has style problems, please review.

NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.


##############################
Test: GitLint - FAIL
Desc: Run gitlint with rule in .gitlint
Output:
[BlueZ] monitor/sdp: Fixes out-of-bounds array access
7: B1 Line exceeds max length (83>80): "monitor/sdp.c:497:19: runtime error: index 8 out of bounds for type 'cont_data [8]'"
9: B1 Line exceeds max length (138>80): "==4180==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fe2d271a542 at pc 0x7fe2d174a57d bp 0x7ffc6dcac1d0 sp 0x7ffc6dcab978"
20: B1 Line exceeds max length (82>80): "    #9 0x7fe2d2449306 in mainloop_run_with_signal src/shared/mainloop-notify.c:188"
22: B1 Line exceeds max length (85>80): "    #11 0x7fe2d0b440b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)"
23: B1 Line exceeds max length (83>80): "    #12 0x7fe2d2303b7d in _start (/home/han1/work/dev/bluez/monitor/btmon+0x1dbb7d)"
25: B1 Line exceeds max length (138>80): "0x7fe2d271a542 is located 30 bytes to the left of global variable 'tid_list' defined in 'monitor/sdp.c:43:24' (0x7fe2d271a560) of size 384"
26: B1 Line exceeds max length (140>80): "0x7fe2d271a542 is located 2 bytes to the right of global variable 'cont_list' defined in 'monitor/sdp.c:424:25' (0x7fe2d271a400) of size 320"
27: B1 Line exceeds max length (94>80): "SUMMARY: AddressSanitizer: global-buffer-overflow (/lib/x86_64-linux-gnu/libasan.so.5+0x9b57c)"




---
Regards,
Linux Bluetooth