| Message ID | 20250425194531.1582203-1-luiz.dentz@gmail.com |
|---|---|
| State | New |
| Headers | show |
| Series | [BlueZ,v1] shared/ad: Fix crash on match_manufacturer | expand |
diff --git a/src/shared/ad.c b/src/shared/ad.c index dac381bbe69a..3f0064dd9570 100644 --- a/src/shared/ad.c +++ b/src/shared/ad.c @@ -1334,7 +1334,7 @@ static bool match_manufacturer(const void *data, const void *user_data) const struct bt_ad_manufacturer_data *manufacturer_data = data; const struct pattern_match_info *info = user_data; const struct bt_ad_pattern *pattern; - uint8_t all_data[BT_AD_MAX_DATA_LEN]; + uint8_t all_data[BT_EA_MAX_DATA_LEN]; if (!manufacturer_data || !info) return false;
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> When matching manufacturer BT_EA_MAX_DATA_LEN in case of EA since that can be bigger than regular advertisements otherwise it can cause the following crash: data #0 __libc_do_syscall () at ../sysdeps/unix/sysv/linux/arm/libc-do-syscall.S:47 1 0xb6e05c58 in __pthread_kill_implementation (threadid=, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:43 2 0xb6e05c8c in __pthread_kill_internal (signo=6, threadid=) at pthread_kill.c:78 3 0xb6dd63ce in __GI_raise (sig=sig@entry=6) at /usr/src/debug/glibc/2.39+git/sysdeps/posix/raise.c:26 4 0xb6dc7f5c in __GI_abort () at abort.c:79 5 0xb6dfd608 in __libc_message_impl (fmt=0xb6ea1a50 "*** %s **: terminated\n") at /usr/src/debug/glibc/2.39+git/sysdeps/posix/libc_fatal.c:134 6 0xb6e5a430 in __GI___fortify_fail (msg=) at fortify_fail.c:24 7 0xb6e59ffe in __GI___chk_fail () at chk_fail.c:28 8 0xb6e5a8a2 in __GI___memcpy_chk (dstpp=dstpp@entry=0xbefff7e6, srcpp=, len=, dstlen=dstlen@entry=29) at memcpy_chk.c:27 9 0x004944f4 in memcpy (__len=, __src=, __dest=0xbefff7e6) at /usr/include/bits/string_fortified.h:29 10 match_manufacturer (data=, user_data=) Fixes: https://github.com/bluez/bluez/issues/1169 --- src/shared/ad.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)