All of lore.kernel.org
 help / color / mirror / Atom feed
* Does sdp_seq_alloc_with_length() invoke undefined behavior?
@ 2013-05-20 17:36 Michael Bradshaw
  2013-05-20 20:18 ` Luiz Augusto von Dentz
  0 siblings, 1 reply; 2+ messages in thread
From: Michael Bradshaw @ 2013-05-20 17:36 UTC (permalink / raw)
  To: linux-bluetooth

After reading some sample HID client code[1] that brought up the
suspicious code in sdp_seq_alloc_with_length(), I'm wondering if it
possibly invokes undefined behavior.

I'll annotate the function:
sdp_data_t *sdp_seq_alloc_with_length(void **dtds, void **values, int *length,
                                      int len)
{
    sdp_data_t *curr = NULL, *seq = NULL;
    int i;

    for (i = 0; i < len; i++) {
        // ... removed to be concise ...
    }

    return sdp_data_alloc_with_length(SDP_SEQ8, seq, length[i]);
}

That last line looks like it is accessing one-past-the-end of the
length array when it says length[i]. Should the code execute that
line, i == len, and if len represents the number of elements in the
length array (which I think it does, but correct me if it does not),
then it does indeed invoke undefined behavior.

I'm hoping I could get some input from bluez developers who can say
with confidence whether or not this is a bug (so I know whether or not
I should open a bug report).

Thanks,

Michael

[1]: http://anselm.hoffmeister.be/computer/hidclient/index.html.en

^ permalink raw reply	[flat|nested] 2+ messages in thread
* Re: Does sdp_seq_alloc_with_length() invoke undefined behavior?
  2013-05-20 17:36 Does sdp_seq_alloc_with_length() invoke undefined behavior? Michael Bradshaw
@ 2013-05-20 20:18 ` Luiz Augusto von Dentz
  0 siblings, 0 replies; 2+ messages in thread
From: Luiz Augusto von Dentz @ 2013-05-20 20:18 UTC (permalink / raw)
  To: Michael Bradshaw; +Cc: linux-bluetooth

Hi Michael,

On Mon, May 20, 2013 at 10:36 AM, Michael Bradshaw <mjbshaw@gmail.com> wrote:
> After reading some sample HID client code[1] that brought up the
> suspicious code in sdp_seq_alloc_with_length(), I'm wondering if it
> possibly invokes undefined behavior.
>
> I'll annotate the function:
> sdp_data_t *sdp_seq_alloc_with_length(void **dtds, void **values, int *length,
>                                       int len)
> {
>     sdp_data_t *curr = NULL, *seq = NULL;
>     int i;
>
>     for (i = 0; i < len; i++) {
>         // ... removed to be concise ...
>     }
>
>     return sdp_data_alloc_with_length(SDP_SEQ8, seq, length[i]);
> }
>
> That last line looks like it is accessing one-past-the-end of the
> length array when it says length[i]. Should the code execute that
> line, i == len, and if len represents the number of elements in the
> length array (which I think it does, but correct me if it does not),
> then it does indeed invoke undefined behavior.

This might actually be bug, the function is not that much that is
probably why we haven't notice this problem before. Anyway it is
leaking whenever it fails because we don't free the data allocated
previously.

> I'm hoping I could get some input from bluez developers who can say
> with confidence whether or not this is a bug (so I know whether or not
> I should open a bug report).

If you have the backtrace it is usually easier for us to tell but just
by looking at the code it seems very problematic.

--
Luiz Augusto von Dentz

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2013-05-20 20:18 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2013-05-20 17:36 Does sdp_seq_alloc_with_length() invoke undefined behavior? Michael Bradshaw
2013-05-20 20:18 ` Luiz Augusto von Dentz

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.