bap: Fix not checking if request fits when grouping
author Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Thu, 26 Jan 2023 00:04:01 +0000 (16:04 -0800)
committer Ayush Garg <ayush.garg@samsung.com>
Fri, 5 Jan 2024 10:11:34 +0000 (15:41 +0530)
commit 0af53d44d03234ea49023d18b5304d2c149df90f
tree fdd5643b187af67a2b76de5f95598da4e2888d40
parent 2da24029356352266ca1c9404ea7fdf73c1173d8
bap: Fix not checking if request fits when grouping

When grouping requests with the same opcode, the code was queueing them
without attempting to check that they would fit in the ATT MTU, causing
the following trace:

stack-buffer-overflow on address 0x7fffdba951f0 at pc 0x7fc15fc49d21 bp 0x7fffdba95020 sp 0x7fffdba947d0
WRITE of size 9 at 0x7fffdba951f0 thread T0
   #0 0x7fc15fc49d20 in __interceptor_memcpy (/lib64/libasan.so.8+0x49d20)
   #1 0x71f698 in util_iov_push_mem src/shared/util.c:266
   #2 0x7b9312 in append_group src/shared/bap.c:3424
   #3 0x71ba01 in queue_foreach src/shared/queue.c:207
   #4 0x7b9b66 in bap_send src/shared/bap.c:3459
   #5 0x7ba594 in bap_process_queue src/shared/bap.c:351

Fixes: https://github.com/bluez/bluez/issues/457#issuecomment-1403924708
src/shared/bap.c
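
The kind of check the commit message describes, as an added C example (not the BlueZ patch and not BlueZ code): each grouped request is appended only if it still fits within the MTU, and grouping stops at the first one that does not. `struct pdu`, `struct req`, `pdu_push` and `group_requests` are hypothetical names; the 9-byte requests and the MTU of 23 are constructed sample values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-ins for illustration; not BlueZ types or functions. */
struct pdu {
	uint8_t buf[64];	/* backing storage */
	size_t len;		/* bytes used so far */
	size_t mtu;		/* negotiated ATT MTU, must be <= sizeof(buf) */
};

/* One queued request: opcode plus its parameter bytes. */
struct req { uint8_t op; const uint8_t *data; size_t len; };

/* Copy only when the data fits in what is left of the MTU. */
static bool pdu_push(struct pdu *p, const void *data, size_t len)
{
	if (p->mtu > sizeof(p->buf) || p->len > p->mtu)
		return false;
	if (len > p->mtu - p->len)	/* subtraction form cannot wrap */
		return false;
	memcpy(p->buf + p->len, data, len);
	p->len += len;
	return true;
}

/*
 * Group the leading requests that share q[0]'s opcode into one PDU.
 * Returns how many were consumed; the caller keeps the rest queued.
 */
static size_t group_requests(struct pdu *p, const struct req *q, size_t n)
{
	size_t taken = 0;

	if (n == 0 || !pdu_push(p, &q[0].op, 1))
		return 0;
	while (taken < n && q[taken].op == q[0].op &&
			pdu_push(p, q[taken].data, q[taken].len))
		taken++;
	return taken;
}

int main(void)
{
	static const uint8_t d[9] = {0};	/* constructed 9-byte parameters */
	struct req q[3] = { {1, d, 9}, {1, d, 9}, {1, d, 9} };
	struct pdu p = { .mtu = 23 };	/* default ATT MTU */
	return group_requests(&p, q, 3) == 2 ? 0 : 1;
}
```

With three 9-byte requests and an MTU of 23, the third request is left in the queue instead of being copied past the end of the buffer.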