
[BlueZ] adapter: fix heap corruption during discovery filter parsing

Message ID 20231107103507.505581-1-lukas.funke-oss@weidmueller.com

Commit Message

lukas.funke-oss@weidmueller.com Nov. 7, 2023, 10:35 a.m. UTC
From: Philipp Meyer <Philipp.Meyer@weidmueller.com>

Read the value into a dbus_bool_t: D-Bus booleans are always 4 bytes,
while the stdbool `bool` fields of struct discovery_filter are in many
cases only 1 byte. Passing a pointer to such a field straight to
dbus_message_iter_get_basic makes it write 4 bytes into a 1-byte slot,
which corrupts the adjacent memory and crashes the daemon.
---
 src/adapter.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)


diff --git a/src/adapter.c b/src/adapter.c
index 6c539a81e..3655076c4 100644
--- a/src/adapter.c
+++ b/src/adapter.c
@@ -2646,10 +2646,14 @@  static bool parse_transport(DBusMessageIter *value,
 static bool parse_duplicate_data(DBusMessageIter *value,
 					struct discovery_filter *filter)
 {
+	dbus_bool_t duplicate = false;
+
 	if (dbus_message_iter_get_arg_type(value) != DBUS_TYPE_BOOLEAN)
 		return false;
 
-	dbus_message_iter_get_basic(value, &filter->duplicate);
+	DBG("Reading 'duplicate' flag from discovery filter...\n");
+	dbus_message_iter_get_basic(value, &duplicate);
+	filter->duplicate = duplicate;
 
 	return true;
 }
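Review bot: The temporary `duplicate` is the entire fix, yet nothing in the code says why it exists, so a later cleanup could fold `filter->duplicate = duplicate;` back into the get_basic call and silently reintroduce the overrun; add a comment above the declaration, e.g. `/* DBUS_TYPE_BOOLEAN is a 4-byte dbus_bool_t; reading it straight into the 1-byte bool field overruns the struct. */`. The new DBG line before the read logs no value and so adds little; if a trace is wanted, log the result after the read instead, `DBG("duplicate %s", duplicate ? "true" : "false");`. This patch touches only two parsers, so the same get_basic-into-`bool` pattern is worth grepping for in the remaining filter parsers of this file, which are outside the hunk.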
@@ -2657,10 +2661,14 @@  static bool parse_duplicate_data(DBusMessageIter *value,
 static bool parse_discoverable(DBusMessageIter *value,
 					struct discovery_filter *filter)
 {
+	dbus_bool_t discoverable = false;
+
 	if (dbus_message_iter_get_arg_type(value) != DBUS_TYPE_BOOLEAN)
 		return false;
 
-	dbus_message_iter_get_basic(value, &filter->discoverable);
+	DBG("Reading 'discoverable' flag from discovery filter...\n");
+	dbus_message_iter_get_basic(value, &discoverable);
+	filter->discoverable = discoverable;
 
 	return true;
 }
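Review bot: parse_discoverable now duplicates parse_duplicate_data line for line, and the dbus_bool_t detour the fix depends on lives in both copies without a comment, so the next boolean filter added to this file is likely to repeat the original bug; a small shared helper would keep the width rule in one place, sketched below. Minor: `dbus_bool_t discoverable = false;` initialises a D-Bus type with the stdbool constant where `FALSE` is the conventional spelling, and the DBG message carries a trailing `\n` that the logging helpers presumably append themselves. This assumes the filter fields are stdbool `bool`, as the commit message states.
```c
/* D-Bus booleans are 4-byte dbus_bool_t; never read one into a 1-byte bool. */
static bool parse_bool(DBusMessageIter *value, bool *out)
{
	dbus_bool_t val = FALSE;

	if (dbus_message_iter_get_arg_type(value) != DBUS_TYPE_BOOLEAN)
		return false;

	dbus_message_iter_get_basic(value, &val);
	*out = val;

	return true;
}

static bool parse_discoverable(DBusMessageIter *value,
					struct discovery_filter *filter)
{
	return parse_bool(value, &filter->discoverable);
}
```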