authorDoHyun Pyun <dh79.pyun@samsung.com>2020-08-28 11:16:06 +0900
committerDoHyun Pyun <dh79.pyun@samsung.com>2020-08-28 11:16:06 +0900
commitd049fd009159a204309d2c51319e13a25b08aa6b (patch)
tree4fe7db7a642e26eeff344a06ad83c148603a0d72
parent9f189aa789ea2c35f6016a767bd209bcf4029c6d (diff)
Prevent the heap buffer overflow
A heap buffer overflow can occur if the length is not checked, so cap it at the maximum length. ==bluetooth-native-itc==12977==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xaf4531e0 at pc 0xb6a037eb bp 0xbedf4994 sp 0xbedf4560 READ of size 18 at 0xaf4531e0 thread T0 0xb6a037e8 in printf_common(void*, char const*, std::__va_list) /usr/src/debug/gcc-9.2.0/obj/armv7l-tizen-linux-gnueabi/libsanitizer/asan/../../../../libsanitizer/sanitizer_common/sanitizer_common_interceptors_format.inc:546 0xb6a0452e in __interceptor_vfprintf /usr/src/debug/gcc-9.2.0/obj/armv7l-tizen-linux-gnueabi/libsanitizer/asan/../../../../libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1720 (discriminator 10) 0xaf4531e0 is located 0 bytes to the right of 16-byte region [0xaf4531d0,0xaf4531e0) 0xb67ed18e in bt_adapter_get_local_oob_data /usr/src/debug/capi-network-bluetooth-0.5.3/src/bluetooth-adapter.c:1107 0xb6f68994 in ITc_bluetooth_adapter_bt_adapter_get_local_oob_data_p src/ITs-bluetooth-adapter.c:750 Change-Id: I719c97fd97f919a5376cd9fd7e633612b855655e Signed-off-by: DoHyun Pyun <dh79.pyun@samsung.com>
-rw-r--r--src/bluetooth-adapter.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/src/bluetooth-adapter.c b/src/bluetooth-adapter.c
index f3b6c0d..668041e 100644
--- a/src/bluetooth-adapter.c
+++ b/src/bluetooth-adapter.c
@@ -1104,6 +1104,12 @@ int bt_adapter_get_local_oob_data(unsigned char **hash,
ret = _bt_get_error_code(bluetooth_oob_read_local_data(&oob_data));
if (BT_ERROR_NONE == ret) {
+ if (oob_data.hash_len > BLUETOOTH_OOB_DATA_LENGTH)
+ oob_data.hash_len = BLUETOOTH_OOB_DATA_LENGTH;
+
+ if (oob_data.randomizer_len > BLUETOOTH_OOB_DATA_LENGTH)
+ oob_data.randomizer_len = BLUETOOTH_OOB_DATA_LENGTH;
+
*hash = g_memdup(oob_data.hash, oob_data.hash_len);
*randomizer = g_memdup(oob_data.randomizer,
oob_data.randomizer_len);