Prevent the heap buffer overflow 62/242562/1
author    DoHyun Pyun <dh79.pyun@samsung.com>
          Fri, 28 Aug 2020 02:16:06 +0000 (11:16 +0900)
committer DoHyun Pyun <dh79.pyun@samsung.com>
          Fri, 28 Aug 2020 02:16:06 +0000 (11:16 +0900)
It is possible for a heap buffer overflow to occur without
checking the length. So limit the maximum length for it.

==bluetooth-native-itc==12977==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xaf4531e0 at pc 0xb6a037eb bp 0xbedf4994 sp 0xbedf4560
READ of size 18 at 0xaf4531e0 thread T0
0xb6a037e8 in printf_common(void*, char const*, std::__va_list) /usr/src/debug/gcc-9.2.0/obj/armv7l-tizen-linux-gnueabi/libsanitizer/asan/../../../../libsanitizer/sanitizer_common/sanitizer_common_interceptors_format.inc:546
0xb6a0452e in __interceptor_vfprintf /usr/src/debug/gcc-9.2.0/obj/armv7l-tizen-linux-gnueabi/libsanitizer/asan/../../../../libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1720 (discriminator 10)
0xaf4531e0 is located 0 bytes to the right of 16-byte region [0xaf4531d0,0xaf4531e0)
0xb67ed18e in bt_adapter_get_local_oob_data /usr/src/debug/capi-network-bluetooth-0.5.3/src/bluetooth-adapter.c:1107
0xb6f68994 in ITc_bluetooth_adapter_bt_adapter_get_local_oob_data_p src/ITs-bluetooth-adapter.c:750

Change-Id: I719c97fd97f919a5376cd9fd7e633612b855655e
Signed-off-by: DoHyun Pyun <dh79.pyun@samsung.com>
src/bluetooth-adapter.c

index f3b6c0d..668041e 100644 (file)
@@ -1104,6 +1104,12 @@ int bt_adapter_get_local_oob_data(unsigned char **hash,
 
        ret = _bt_get_error_code(bluetooth_oob_read_local_data(&oob_data));
        if (BT_ERROR_NONE == ret) {
+               if (oob_data.hash_len > BLUETOOTH_OOB_DATA_LENGTH)
+                       oob_data.hash_len = BLUETOOTH_OOB_DATA_LENGTH;
+
+               if (oob_data.randomizer_len > BLUETOOTH_OOB_DATA_LENGTH)
+                       oob_data.randomizer_len = BLUETOOTH_OOB_DATA_LENGTH;
+
                *hash = g_memdup(oob_data.hash, oob_data.hash_len);
                *randomizer = g_memdup(oob_data.randomizer,
                                                oob_data.randomizer_len);
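Review bot: the two clamps in this hunk silently truncate an oversized hash_len / randomizer_len to BLUETOOTH_OOB_DATA_LENGTH and then continue on the BT_ERROR_NONE path, so a caller receives a shortened OOB hash or randomizer with no indication that the lower layer returned malformed data; an OOB value of the wrong length is not usable for pairing, so returning an error (and logging the unexpected length) would be safer than clamping, and if clamping is kept, a log line at the clamp site would at least make the condition visible. Also confirm that BLUETOOTH_OOB_DATA_LENGTH is the declared size of the oob_data.hash and oob_data.randomizer arrays the g_memdup calls read from (sizeof(oob_data.hash) would tie the bound to the buffer directly); the ASan trace above shows an 18-byte read past a 16-byte region, so the cap must match the real storage size for this fix to close the over-read.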