[Problem] A btmon crash happens.
[Cause & Measure] When an SDP continuation is handled, another variable's
value is overwritten because an invalid array index is used for memcpy's
src.
[Checking Method] Run btmon -> connect an Android phone to KITT ->
terminate btmon. In this procedure, the btmon crash happens randomly.
When the issue happens, irk_list's value is corrupted by the invalid memcpy.
This causes a crash when it accesses irk_list.
1: irk_list = (struct queue *) 0xb7cda0a0
(gdb)
499 memcpy(cont_list[i].cont, data + bytes, data[bytes] + 1);
1: irk_list = (struct queue *) 0xb7cda0a0
(gdb)
0xb6f5f1a8 in memcpy@plt ()
1: irk_list = (struct queue *) 0xb7cda0a0
(gdb)
Single stepping until exit from function memcpy@plt,
which has no line number information.
memcpy () at ../sysdeps/arm/memcpy.S:63
...
1: irk_list = (struct queue *) 0xb7000002
(gdb)
search_attr_rsp (frame=0xbeadd3f8, tid=0xb6fcd760 <tid_list>) at monitor/sdp.c:669
669 clear_tid(tid);
1: irk_list = (struct queue *) 0xb7000002
(gdb) p cont_list
$5 = {{channel = 0, cont = '\000' <repeats 16 times>, data = 0xb7cda3a0, size = 656}, {channel = 0, cont = '\000' <repeats 16 times>, data = 0x0, size = 0}, {channel = 0,
cont = '\000' <repeats 16 times>, data = 0x0, size = 0}, {channel = 0, cont = '\000' <repeats 16 times>, data = 0x0, size = 0}, {channel = 0, cont = '\000' <repeats 16 times>,
data = 0x0, size = 0}, {channel = 0, cont = '\000' <repeats 16 times>, data = 0x0, size = 0}, {channel = 0, cont = '\000' <repeats 16 times>, data = 0x0, size = 0}, {channel = 0,
cont = '\000' <repeats 16 times>, data = 0x0, size = 0}}
Change-Id: Id9b35825b18403c89aa0bfd370a48f75c495f60d
Signed-off-by: Seungyoun Ju <sy39.ju@samsung.com>
cont_list[n].data = NULL;
cont_list[n].size = 0;
} else
+#ifdef TIZEN_FEATURE_BLUEZ_MODIFY
+ memcpy(cont_list[n].cont, data + bytes, data[bytes] + 1);
+#else
memcpy(cont_list[i].cont, data + bytes, data[bytes] + 1);
+#endif
}
static uint16_t common_rsp(const struct l2cap_frame *frame,
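Review bot: the out-of-bounds write stays in the default build because the corrected index is only compiled under TIZEN_FEATURE_BLUEZ_MODIFY, while the `#else` branch keeps `memcpy(cont_list[i].cont, ...)`; a memory-safety fix should not be gated behind a vendor feature macro, so replace the `#ifdef`/`#else`/`#endif` block with the single unconditional line `memcpy(cont_list[n].cont, data + bytes, data[bytes] + 1);`, matching the `cont_list[n]` indexing used in the branch just above. A second point for the same line: the copy length `data[bytes] + 1` comes straight from the frame, and nothing in the visible lines checks it against the size of `cont` (the gdb dump shows it as a short fixed-size array), so a continuation-state length larger than that array would still overrun it; consider rejecting or clamping `data[bytes]` before the copy.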