| Message ID | 20210501003717.7553-1-luiz.dentz@gmail.com |
|---|---|
| State | New |
| Series | [BlueZ,1/3] avdtp: Fix accepting invalid/malformed capabilities |
Hi,

On Fri, Apr 30, 2021 at 6:33 PM <bluez.test.bot@gmail.com> wrote:
>
> This is an automated email and please do not reply to this email!
>
> Dear submitter,
>
> Thank you for submitting the patches to the linux bluetooth mailing list.
> These are the CI test results with your patch series:
> PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=475947
>
> ---Test result---
>
> Test Summary:
> CheckPatch                    FAIL      0.63 seconds
> GitLint                       FAIL      0.31 seconds
> Prep - Setup ELL              PASS      40.36 seconds
> Build - Prep                  PASS      0.09 seconds
> Build - Configure             PASS      6.95 seconds
> Build - Make                  PASS      173.87 seconds
> Make Check                    PASS      9.34 seconds
> Make Dist                     PASS      10.67 seconds
> Make Dist - Configure         PASS      4.33 seconds
> Make Dist - Make              PASS      69.15 seconds
> Build w/ext ELL - Configure   PASS      7.06 seconds
> Build w/ext ELL - Make        PASS      160.06 seconds
>
> Details
> ##############################
> Test: CheckPatch - FAIL
> Desc: Run checkpatch.pl script with rule in .checkpatch.conf
> Output:
> monitor/avdtp: Fix decoding of reject type
> WARNING:COMMIT_LOG_LONG_LINE: Possible unwrapped commit description (prefer a maximum 75 chars per line)
> #11:
> AVDTP: Set Configuration (0x03) Response Reject (0x03) type 0x00 label 2 nosp 0
>
> - total: 0 errors, 1 warnings, 10 lines checked
>
> NOTE: For some of the reported defects, checkpatch may be able to
>       mechanically convert to the typical style using --fix or --fix-inplace.
>
> "[PATCH] monitor/avdtp: Fix decoding of reject type" has style problems, please review.
>
> NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPLIT_STRING SSCANF_TO_KSTRTO
>
> NOTE: If any of the errors are false positives, please report
>       them to the maintainer, see CHECKPATCH in MAINTAINERS.
>
>
> ##############################
> Test: GitLint - FAIL
> Desc: Run gitlint with rule in .gitlint
> Output:
> monitor/avdtp: Fix decoding of reject type
> 8: B1 Line exceeds max length (85>80): "  AVDTP: Set Configuration (0x03) Response Reject (0x03) type 0x00 label 2 nosp 0"
>
>
> ##############################
> Test: Prep - Setup ELL - PASS
> Desc: Clone, build, and install ELL
>
> ##############################
> Test: Build - Prep - PASS
> Desc: Prepare environment for build
>
> ##############################
> Test: Build - Configure - PASS
> Desc: Configure the BlueZ source tree
>
> ##############################
> Test: Build - Make - PASS
> Desc: Build the BlueZ source tree
>
> ##############################
> Test: Make Check - PASS
> Desc: Run 'make check'
>
> ##############################
> Test: Make Dist - PASS
> Desc: Run 'make dist' and build the distribution tarball
>
> ##############################
> Test: Make Dist - Configure - PASS
> Desc: Configure the source from distribution tarball
>
> ##############################
> Test: Make Dist - Make - PASS
> Desc: Build the source from distribution tarball
>
> ##############################
> Test: Build w/ext ELL - Configure - PASS
> Desc: Configure BlueZ source with '--enable-external-ell' configuration
>
> ##############################
> Test: Build w/ext ELL - Make - PASS
> Desc: Build BlueZ source with '--enable-external-ell' configuration
>
>
>
> ---
> Regards,
> Linux Bluetooth

Pushed.

-- 
Luiz Augusto von Dentz
diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c index 623fe30d3..c7bf99f42 100644 --- a/profiles/audio/avdtp.c +++ b/profiles/audio/avdtp.c @@ -1305,43 +1305,53 @@ struct avdtp_remote_sep *avdtp_find_remote_sep(struct avdtp *session, return NULL; } -static GSList *caps_to_list(uint8_t *data, int size, +static GSList *caps_to_list(uint8_t *data, size_t size, struct avdtp_service_capability **codec, gboolean *delay_reporting) { + struct avdtp_service_capability *cap; GSList *caps; - int processed; if (delay_reporting) *delay_reporting = FALSE; - for (processed = 0, caps = NULL; processed + 2 <= size;) { - struct avdtp_service_capability *cap; - uint8_t length, category; + if (size < sizeof(*cap)) + return NULL; + + for (caps = NULL; size >= sizeof(*cap);) { + struct avdtp_service_capability *cpy; - category = data[0]; - length = data[1]; + cap = (struct avdtp_service_capability *)data; - if (processed + 2 + length > size) { + if (sizeof(*cap) + cap->length >= size) { error("Invalid capability data in getcap resp"); break; } - cap = g_malloc(sizeof(struct avdtp_service_capability) + - length); - memcpy(cap, data, 2 + length); + if (cap->category == AVDTP_MEDIA_CODEC && + cap->length < sizeof(**codec)) { + error("Invalid codec data in getcap resp"); + break; + } + + cpy = btd_malloc(sizeof(*cpy) + cap->length); + memcpy(cpy, cap, sizeof(*cap) + cap->length); - processed += 2 + length; - data += 2 + length; + size -= sizeof(*cap) + cap->length; + data += sizeof(*cap) + cap->length; - caps = g_slist_append(caps, cap); + caps = g_slist_append(caps, cpy); - if (category == AVDTP_MEDIA_CODEC && - length >= - sizeof(struct avdtp_media_codec_capability)) - *codec = cap; - else if (category == AVDTP_DELAY_REPORTING && delay_reporting) - *delay_reporting = TRUE; + switch (cap->category) { + case AVDTP_MEDIA_CODEC: + if (codec) + *codec = cap; + break; + case AVDTP_DELAY_REPORTING: + if (delay_reporting) + *delay_reporting = TRUE; + break; + } } return caps; 
@@ -1538,6 +1548,12 @@ static gboolean avdtp_setconf_cmd(struct avdtp *session, uint8_t transaction, &stream->codec, &stream->delay_reporting); + if (!stream->caps || !stream->codec) { + err = AVDTP_UNSUPPORTED_CONFIGURATION; + category = 0x00; + goto failed_stream; + } + /* Verify that the Media Transport capability's length = 0. Reject otherwise */ for (l = stream->caps; l != NULL; l = g_slist_next(l)) { struct avdtp_service_capability *cap = l->data;
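Review bot: in the caps_to_list hunk, `*codec = cap` now stores a pointer into the caller's `data` buffer, while the capability that is actually kept is the heap copy `cpy` appended to `caps`; this should be `*codec = cpy`, as the previous code pointed `*codec` at the malloc'd copy, otherwise stream->codec refers to the incoming PDU buffer instead of the element in stream->caps and outlives it. In the same hunk, the bounds check `if (sizeof(*cap) + cap->length >= size)` rejects a capability that exactly fills the remaining bytes, which is the normal case for the last capability in a list; the replaced check was `processed + 2 + length > size`. Use `>` here so an exact fit is accepted, or the final element (often the media codec) is dropped and logged as "Invalid capability data". The `if (size < sizeof(*cap)) return NULL;` guard before the loop duplicates the loop condition and can go.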
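Review bot: the new early reject in avdtp_setconf_cmd jumps to failed_stream after caps_to_list has already populated stream->caps; because caps_to_list breaks out of its loop and returns the partial list when it hits invalid data, stream->caps can be non-NULL while stream->codec is NULL, so the failed_stream path has to free that list together with the stream or every malformed SET_CONFIGURATION leaks the allocations. That cleanup is outside the hunk; please confirm it is there, or free stream->caps before the goto.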
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

Check if capabilities are valid before attempting to copy them.
---
 profiles/audio/avdtp.c | 56 +++++++++++++++++++++++++++---------------
 1 file changed, 36 insertions(+), 20 deletions(-)