author | Seungyoun Ju <sy39.ju@samsung.com> | 2017-11-14 15:15:00 +0900 |
---|---|---|
committer | Seungyoun Ju <sy39.ju@samsung.com> | 2017-11-15 10:29:56 +0900 |
commit | 0f6f1145ee699b173eeb5e971f693f19814e593c (patch) | |
tree | 28c1f1760918ccafd5e15356dbc18ae6daae14c4 | |
parent | 4bef0b140c510301396b9a66d525a0027a178ad3 (diff) | |
download | bluez-0f6f1145ee699b173eeb5e971f693f19814e593c.tar.gz bluez-0f6f1145ee699b173eeb5e971f693f19814e593c.tar.bz2 bluez-0f6f1145ee699b173eeb5e971f693f19814e593c.zip |
Fix btmon crash
[Problem] btmon crash happens
[Cause & Measure] When an SDP continuation is handled, another variable's
value is overwritten because an invalid array index is used for memcpy's
src.
[Checking Method] Run btmon -> Connect Android phone to KITT ->
Terminate btmon. In this procedure, a btmon crash happens randomly.
When the issue happens, irk_list's value is corrupted by the invalid memcpy.
This causes a crash when it accesses irk_list.
1: irk_list = (struct queue *) 0xb7cda0a0
(gdb)
499 memcpy(cont_list[i].cont, data + bytes, data[bytes] + 1);
1: irk_list = (struct queue *) 0xb7cda0a0
(gdb)
0xb6f5f1a8 in memcpy@plt ()
1: irk_list = (struct queue *) 0xb7cda0a0
(gdb)
Single stepping until exit from function memcpy@plt,
which has no line number information.
memcpy () at ../sysdeps/arm/memcpy.S:63
...
1: irk_list = (struct queue *) 0xb7000002
(gdb)
search_attr_rsp (frame=0xbeadd3f8, tid=0xb6fcd760 <tid_list>) at monitor/sdp.c:669
669 clear_tid(tid);
1: irk_list = (struct queue *) 0xb7000002
(gdb) p cont_list
$5 = {{channel = 0, cont = '\000' <repeats 16 times>, data = 0xb7cda3a0, size = 656}, {channel = 0, cont = '\000' <repeats 16 times>, data = 0x0, size = 0}, {channel = 0,
cont = '\000' <repeats 16 times>, data = 0x0, size = 0}, {channel = 0, cont = '\000' <repeats 16 times>, data = 0x0, size = 0}, {channel = 0, cont = '\000' <repeats 16 times>,
data = 0x0, size = 0}, {channel = 0, cont = '\000' <repeats 16 times>, data = 0x0, size = 0}, {channel = 0, cont = '\000' <repeats 16 times>, data = 0x0, size = 0}, {channel = 0,
cont = '\000' <repeats 16 times>, data = 0x0, size = 0}}
Change-Id: Id9b35825b18403c89aa0bfd370a48f75c495f60d
Signed-off-by: Seungyoun Ju <sy39.ju@samsung.com>
-rwxr-xr-x | monitor/sdp.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/monitor/sdp.c b/monitor/sdp.c index 417a21c7..e8523a2e 100755 --- a/monitor/sdp.c +++ b/monitor/sdp.c @@ -496,7 +496,11 @@ static void handle_continuation(struct tid_data *tid, bool nested, cont_list[n].data = NULL; cont_list[n].size = 0; } else +#ifdef TIZEN_FEATURE_BLUEZ_MODIFY + memcpy(cont_list[n].cont, data + bytes, data[bytes] + 1); +#else memcpy(cont_list[i].cont, data + bytes, data[bytes] + 1); +#endif } static uint16_t common_rsp(const struct l2cap_frame *frame, |
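Review bot: the corrected index `cont_list[n]` is only compiled under `#ifdef TIZEN_FEATURE_BLUEZ_MODIFY`, so every build without that macro keeps the `cont_list[i].cont` write that the commit message identifies as the cause of the crash; the lines immediately above in the same hunk already use `cont_list[n].data` and `cont_list[n].size`, so `i` is the wrong slot in every configuration, and the line should be replaced unconditionally (and the fix sent upstream) rather than gated behind a feature macro. Separately, the copy length `data[bytes] + 1` is taken straight from the received SDP continuation state and nothing in the visible context checks it against the size of `cont` before the memcpy; a bound check such as `if (data[bytes] + 1 > sizeof(cont_list[n].cont)) return;` (or logging the frame as malformed and dropping it) would keep an oversized continuation-state length from overrunning the entry even once the index is right.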