From d049fd009159a204309d2c51319e13a25b08aa6b Mon Sep 17 00:00:00 2001
From: DoHyun Pyun
Date: Fri, 28 Aug 2020 11:16:06 +0900
Subject: [PATCH] Prevent the heap buffer overflow

It is possible to occur the heap buffer overflow without checking the length. So limit the maximum length for it.

==bluetooth-native-itc==12977==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xaf4531e0 at pc 0xb6a037eb bp 0xbedf4994 sp 0xbedf4560
READ of size 18 at 0xaf4531e0 thread T0
0xb6a037e8 in printf_common(void*, char const*, std::__va_list) /usr/src/debug/gcc-9.2.0/obj/armv7l-tizen-linux-gnueabi/libsanitizer/asan/../../../../libsanitizer/sanitizer_common/sanitizer_common_interceptors_format.inc:546
0xb6a0452e in __interceptor_vfprintf /usr/src/debug/gcc-9.2.0/obj/armv7l-tizen-linux-gnueabi/libsanitizer/asan/../../../../libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:1720 (discriminator 10)
0xaf4531e0 is located 0 bytes to the right of 16-byte region [0xaf4531d0,0xaf4531e0)
0xb67ed18e in bt_adapter_get_local_oob_data /usr/src/debug/capi-network-bluetooth-0.5.3/src/bluetooth-adapter.c:1107
0xb6f68994 in ITc_bluetooth_adapter_bt_adapter_get_local_oob_data_p src/ITs-bluetooth-adapter.c:750

Change-Id: I719c97fd97f919a5376cd9fd7e633612b855655e
Signed-off-by: DoHyun Pyun
---
 src/bluetooth-adapter.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/bluetooth-adapter.c b/src/bluetooth-adapter.c
index f3b6c0d..668041e 100644
--- a/src/bluetooth-adapter.c
+++ b/src/bluetooth-adapter.c
@@ -1104,6 +1104,12 @@ int bt_adapter_get_local_oob_data(unsigned char **hash,
 ret = _bt_get_error_code(bluetooth_oob_read_local_data(&oob_data));
 if (BT_ERROR_NONE == ret) {
+ if (oob_data.hash_len > BLUETOOTH_OOB_DATA_LENGTH)
+ oob_data.hash_len = BLUETOOTH_OOB_DATA_LENGTH;
+
+ if (oob_data.randomizer_len > BLUETOOTH_OOB_DATA_LENGTH)
+ oob_data.randomizer_len = BLUETOOTH_OOB_DATA_LENGTH;
+
 *hash = g_memdup(oob_data.hash, oob_data.hash_len);
 *randomizer = g_memdup(oob_data.randomizer, oob_data.randomizer_len);
-- 
2.7.4
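Review bot: Clamping `oob_data.hash_len` and `oob_data.randomizer_len` silently hands the caller a truncated OOB hash or randomizer instead of reporting that the lower layer returned an impossible length, and a silently wrong pairing secret is a worse failure mode than a visible error; for lengths the stack should never produce, prefer treating the overlong value as a failed read (set `ret` to the error code this function already returns for a failed read and skip the two g_memdup calls) rather than copying a prefix. The clamp is also only sufficient if BLUETOOTH_OOB_DATA_LENGTH is the declared size of the `oob_data.hash` and `oob_data.randomizer` arrays, which the hunk does not show; a comment such as `/* hash/randomizer are BLUETOOTH_OOB_DATA_LENGTH-byte arrays; never read past them */` above the new checks would make that invariant visible to the next maintainer. Note that the ASan trace in the commit message places the over-read inside vfprintf, i.e. a format or log call in this function rather than in g_memdup, so it is worth confirming that call sits after the new checks and that any length handed back to the caller reflects the clamped value. bt_adapter_get_local_oob_data begins and ends outside the hunk.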