Fix stack smashing detected issue 04/228304/6
authorWootak Jung <wootak.jung@samsung.com>
Fri, 20 Mar 2020 06:41:32 +0000 (15:41 +0900)
committerWootak Jung <wootak.jung@samsung.com>
Fri, 20 Mar 2020 07:46:38 +0000 (16:46 +0900)
The fields of struct le_conn_param are uint16_t, but they were being filled by dbus_message_get_args() as DBUS_TYPE_UINT32, so each unpack wrote 4 bytes into a 2-byte field and overran the struct on the stack (a stack buffer overflow, caught by the stack protector).

 #3  0xf7233a70 in __GI___fortify_fail_abort (need_backtrace=
     need_backtrace@entry=false, msg=0xf72741cc "stack smashing detected")
     at fortify_fail.c:28
 No locals.
 #4  0xf7233a34 in __stack_chk_fail () at stack_chk_fail.c:29
 No locals.
 #5  0x00958f88 in update_le_conn_parm (conn=<optimized out>, msg=0x0,
     user_data=<optimized out>) at src/device.c:4216
         device = <optimized out>
         io = <optimized out>
         fd = <optimized out>
         param = {min = 72, max = 72, latency = 0, to_multiplier = 200}
         __func__ = "update_le_conn_parm"

Change-Id: Ia0df33fc30e31057ef4b2a07a0ac64d61d67dd81

src/device.c

index 2701bf7..2819c3d 100644 (file)
@@ -4171,6 +4171,7 @@ static DBusMessage *update_le_conn_parm(DBusConnection *conn, DBusMessage *msg,
        GIOChannel *io;
        int fd;
        struct le_conn_param param = {0, 0, 0, 0};
+       uint32_t min, max, latency, to_multiplier;
 
        DBG("");
 
@@ -4200,15 +4201,25 @@ static DBusMessage *update_le_conn_parm(DBusConnection *conn, DBusMessage *msg,
        else
                device_set_conn_update_state(device, true);
 
-       if (!dbus_message_get_args(msg, NULL, DBUS_TYPE_UINT32, &param.min,
-                                       DBUS_TYPE_UINT32, &param.max,
-                                       DBUS_TYPE_UINT32, &param.latency,
-                                       DBUS_TYPE_UINT32, &param.to_multiplier,
+       if (!dbus_message_get_args(msg, NULL, DBUS_TYPE_UINT32, &min,
+                                       DBUS_TYPE_UINT32, &max,
+                                       DBUS_TYPE_UINT32, &latency,
+                                       DBUS_TYPE_UINT32, &to_multiplier,
                                        DBUS_TYPE_INVALID)) {
                error("Invalid args");
                return btd_error_invalid_args(msg);
        }
 
+       if (min > UINT16_MAX || max > UINT16_MAX ||
+                       latency > UINT16_MAX || to_multiplier > UINT16_MAX) {
+               error("Invalid args");
+               return btd_error_invalid_args(msg);
+       }
+       param.min = (uint16_t)min;
+       param.max = (uint16_t)max;
+       param.latency = (uint16_t)latency;
+       param.to_multiplier = (uint16_t)to_multiplier;
+
        if (setsockopt(fd, SOL_BLUETOOTH, BT_LE_CONN_PARAM,
                                &param, sizeof(param)) < 0) {
                error("Can't Update LE conn param : %s (%d)",
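Review bot: The new range check on lines 53–57 only guards against the 16-bit truncation that caused the stack smash; it still passes through values that are not valid LE connection parameters (min > max, a zero supervision timeout, intervals outside the 0x0006–0x0C80 window the Core spec allows) and logs them with the same generic "Invalid args" string the D-Bus unpack failure on line 49 uses. The kernel's BT_LE_CONN_PARAM handler presumably rejects those, but then the caller sees the setsockopt error path instead of btd_error_invalid_args. I would at least extend the condition with `min > max` and make the log message distinguishable, e.g. `error("LE conn param out of range: %u %u %u %u", min, max, latency, to_multiplier);`. Note also that this early return, like the one on line 50, comes after `device_set_conn_update_state(device, true)` on line 38, so a rejected request leaves that flag set; whether something resets it is outside the hunk. update_le_conn_parm continues past the end of the hunk.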