From: Seungyoun Ju
Date: Tue, 14 Nov 2017 06:15:00 +0000 (+0900)
Subject: Fix btmon crash
X-Git-Tag: accepted/tizen/unified/20171207.070140~3
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fchanges%2F14%2F162514%2F1;p=platform%2Fupstream%2Fbluez.git

Fix btmon crash

[Problem]
btmon crash happens

[Cause & Measure]
When SDP continuation is handled, another variable's value is overwritten because an invalid array index is used for memcpy's src.

[Checking Method]
Run btmon -> Connect Android phone to KITT -> Terminate btmon.
In this procedure, the btmon crash happens randomly.
When the issue happens, irk_list's value is corrupted by the invalid memcpy. This causes a crash when it accesses irk_list.

1: irk_list = (struct queue *) 0xb7cda0a0
(gdb)
499	memcpy(cont_list[i].cont, data + bytes, data[bytes] + 1);
1: irk_list = (struct queue *) 0xb7cda0a0
(gdb)
0xb6f5f1a8 in memcpy@plt ()
1: irk_list = (struct queue *) 0xb7cda0a0
(gdb)
Single stepping until exit from function memcpy@plt,
which has no line number information.
memcpy () at ../sysdeps/arm/memcpy.S:63
...
1: irk_list = (struct queue *) 0xb7000002
(gdb)
search_attr_rsp (frame=0xbeadd3f8, tid=0xb6fcd760 ) at monitor/sdp.c:669
669	clear_tid(tid);
1: irk_list = (struct queue *) 0xb7000002
(gdb) p cont_list
$5 = {{channel = 0, cont = '\000' , data = 0xb7cda3a0, size = 656}, {channel = 0, cont = '\000' , data = 0x0, size = 0}, {channel = 0, cont = '\000' , data = 0x0, size = 0}, {channel = 0, cont = '\000' , data = 0x0, size = 0}, {channel = 0, cont = '\000' , data = 0x0, size = 0}, {channel = 0, cont = '\000' , data = 0x0, size = 0}, {channel = 0, cont = '\000' , data = 0x0, size = 0}, {channel = 0, cont = '\000' , data = 0x0, size = 0}}

Change-Id: I3608d1b9cf14bbfc87d17fbad6a443bdcbdf87af
Signed-off-by: Seungyoun Ju
Signed-off-by: DoHyun Pyun
---

diff --git a/monitor/sdp.c b/monitor/sdp.c
index 417a21c..e8523a2 100755
--- a/monitor/sdp.c
+++ b/monitor/sdp.c
@@ -496,7 +496,11 @@ static void handle_continuation(struct tid_data *tid, bool nested, cont_list[n].data = NULL; cont_list[n].size = 0; } else +#ifdef TIZEN_FEATURE_BLUEZ_MODIFY + memcpy(cont_list[n].cont, data + bytes, data[bytes] + 1); +#else memcpy(cont_list[i].cont, data + bytes, data[bytes] + 1); +#endif } static uint16_t common_rsp(const struct l2cap_frame *frame,
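Review bot: the index correction is right (the if-branch just above already writes cont_list[n].data and cont_list[n].size for this entry, so the else-branch memcpy into cont_list[i].cont targets a different slot than the one being handled, which is the out-of-bounds write the commit message traces into irk_list), but it must not be gated behind #ifdef TIZEN_FEATURE_BLUEZ_MODIFY: the #else branch keeps memcpy(cont_list[i].cont, data + bytes, data[bytes] + 1), so every build without that feature flag retains exactly the memory corruption this commit fixes. Make the one-line change unconditional and submit it upstream rather than carrying it as a Tizen-only delta. Two smaller points: the copy length data[bytes] + 1 is taken from the received packet, and nothing in this hunk checks it against sizeof(cont_list[n].cont) or the bytes remaining in the frame, so if handle_continuation does not validate it earlier, a bound check belongs before the memcpy; and the commit message says the bad index was used for memcpy's src, whereas the index being corrected is on the destination, which is worth fixing in the message so the record matches the change.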