linux-bluetooth.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH BlueZ] client: Fix possible stack corruption
@ 2020-05-07 21:45 Łukasz Rymanowski
  2020-05-11 13:29 ` Szymon Janc
  0 siblings, 1 reply; 2+ messages in thread
From: Łukasz Rymanowski @ 2020-05-07 21:45 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: Łukasz Rymanowski

DBUS_TYPE_BOOLEAN is 'int', which does not have to be the same size as
'bool'.
On architecture where bool is smaller than in, getting prepare-authorize
will corrupt the stack
---
 client/gatt.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/client/gatt.c b/client/gatt.c
index 416eda953..9d35b54fa 100644
--- a/client/gatt.c
+++ b/client/gatt.c
@@ -1860,9 +1860,12 @@ static int parse_options(DBusMessageIter *iter, uint16_t *offset, uint16_t *mtu,
 		} else if (strcasecmp(key, "prepare-authorize") == 0) {
 			if (var != DBUS_TYPE_BOOLEAN)
 				return -EINVAL;
-			if (prep_authorize)
-				dbus_message_iter_get_basic(&value,
-								prep_authorize);
+			if (prep_authorize) {
+				int tmp;
+
+				dbus_message_iter_get_basic(&value, &tmp);
+				*prep_authorize = !!tmp;
+			}
 		}
 
 		dbus_message_iter_next(&dict);
-- 
2.20.1


^ permalink raw reply related	[flat|nested] 2+ messages in thread
* Re: [PATCH BlueZ] client: Fix possible stack corruption
  2020-05-07 21:45 [PATCH BlueZ] client: Fix possible stack corruption Łukasz Rymanowski
@ 2020-05-11 13:29 ` Szymon Janc
  0 siblings, 0 replies; 2+ messages in thread
From: Szymon Janc @ 2020-05-11 13:29 UTC (permalink / raw)
  To: linux-bluetooth, Łukasz Rymanowski; +Cc: Łukasz Rymanowski

Hi Łukasz,

On Thursday, 7 May 2020 23:45:37 CEST Łukasz Rymanowski wrote:
> DBUS_TYPE_BOOLEAN is 'int', which does not have to be the same size as
> 'bool'.
> On architecture where bool is smaller than in, getting prepare-authorize
> will corrupt the stack
> ---
>  client/gatt.c | 9 ++++++---
>  1 file changed, 6 insertions(+), 3 deletions(-)
> 
> diff --git a/client/gatt.c b/client/gatt.c
> index 416eda953..9d35b54fa 100644
> --- a/client/gatt.c
> +++ b/client/gatt.c
> @@ -1860,9 +1860,12 @@ static int parse_options(DBusMessageIter *iter,
> uint16_t *offset, uint16_t *mtu, } else if (strcasecmp(key,
> "prepare-authorize") == 0) {
>  			if (var != DBUS_TYPE_BOOLEAN)
>  				return -EINVAL;
> -			if (prep_authorize)
> -				dbus_message_iter_get_basic(&value,
> -								
prep_authorize);
> +			if (prep_authorize) {
> +				int tmp;
> +
> +				dbus_message_iter_get_basic(&value, 
&tmp);
> +				*prep_authorize = !!tmp;
> +			}
>  		}
> 
>  		dbus_message_iter_next(&dict);

Applied, thanks.

-- 
pozdrawiam
Szymon Janc



^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-05-11 13:29 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-05-07 21:45 [PATCH BlueZ] client: Fix possible stack corruption Łukasz Rymanowski
2020-05-11 13:29 ` Szymon Janc

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).