Message ID | 20250425194531.1582203-1-luiz.dentz@gmail.com |
---|---|
State | New |
Series | [BlueZ,v1] shared/ad: Fix crash on match_manufacturer |
This is an automated email, please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=957173

---Test result---

Test Summary:

Test | Result | Time |
---|---|---|
CheckPatch | PENDING | 0.31 seconds |
GitLint | PENDING | 0.30 seconds |
BuildEll | PASS | 20.27 seconds |
BluezMake | PASS | 2617.55 seconds |
MakeCheck | PASS | 19.91 seconds |
MakeDistcheck | PASS | 197.64 seconds |
CheckValgrind | PASS | 279.15 seconds |
CheckSmatch | PASS | 303.47 seconds |
bluezmakeextell | PASS | 130.17 seconds |
IncrementalBuild | PENDING | 0.28 seconds |
ScanBuild | PASS | 911.32 seconds |

Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:

##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:

##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:

---
Regards,
Linux Bluetooth
Hello:

This patch was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Fri, 25 Apr 2025 15:45:31 -0400 you wrote:
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>
> When matching manufacturer BT_EA_MAX_DATA_LEN in case of EA since that
> can be bigger than regular advertisements otherwise it can cause the
> following crash:
>
> data #0 __libc_do_syscall () at ../sysdeps/unix/sysv/linux/arm/libc-do-syscall.S:47
> #1 0xb6e05c58 in __pthread_kill_implementation (threadid=, signo=signo@entry=6,
> no_tid=no_tid@entry=0) at pthread_kill.c:43
> #2 0xb6e05c8c in __pthread_kill_internal (signo=6, threadid=) at pthread_kill.c:78
> #3 0xb6dd63ce in __GI_raise (sig=sig@entry=6)
> at /usr/src/debug/glibc/2.39+git/sysdeps/posix/raise.c:26
> #4 0xb6dc7f5c in __GI_abort () at abort.c:79
> #5 0xb6dfd608 in __libc_message_impl (fmt=0xb6ea1a50 "*** %s **: terminated\n")
> at /usr/src/debug/glibc/2.39+git/sysdeps/posix/libc_fatal.c:134
> #6 0xb6e5a430 in __GI___fortify_fail (msg=) at fortify_fail.c:24
> #7 0xb6e59ffe in __GI___chk_fail () at chk_fail.c:28
> #8 0xb6e5a8a2 in __GI___memcpy_chk (dstpp=dstpp@entry=0xbefff7e6, srcpp=,
> len=, dstlen=dstlen@entry=29) at memcpy_chk.c:27
> #9 0x004944f4 in memcpy (__len=, __src=, __dest=0xbefff7e6)
> at /usr/include/bits/string_fortified.h:29
> #10 match_manufacturer (data=, user_data=)
>
> [...]

Here is the summary with links:
- [BlueZ,v1] shared/ad: Fix crash on match_manufacturer
  https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=1be17107d22b

You are awesome, thank you!
diff --git a/src/shared/ad.c b/src/shared/ad.c index dac381bbe69a..3f0064dd9570 100644 --- a/src/shared/ad.c +++ b/src/shared/ad.c @@ -1334,7 +1334,7 @@ static bool match_manufacturer(const void *data, const void *user_data) const struct bt_ad_manufacturer_data *manufacturer_data = data; const struct pattern_match_info *info = user_data; const struct bt_ad_pattern *pattern; - uint8_t all_data[BT_AD_MAX_DATA_LEN]; + uint8_t all_data[BT_EA_MAX_DATA_LEN]; if (!manufacturer_data || !info) return false;
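Review bot: the hunk only widens the all_data declaration from BT_AD_MAX_DATA_LEN to BT_EA_MAX_DATA_LEN; the check that bounds the fortified memcpy into all_data that aborts in the backtrace is not in the visible context, and if that check compares manufacturer_data->len against a named constant rather than the array itself, the array size and the bound can drift apart again exactly as they did here. Suggest tying the bound to the array, e.g. `if (manufacturer_data->len + 2 > sizeof(all_data)) return false;` immediately before the copy, so that a later resize of all_data cannot reopen the overflow. A short comment on the declaration saying that manufacturer data from extended advertising reports can exceed BT_AD_MAX_DATA_LEN would also help, since the reason for the larger stack array is otherwise only recorded in the commit message.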
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

When matching manufacturer BT_EA_MAX_DATA_LEN in case of EA since that
can be bigger than regular advertisements otherwise it can cause the
following crash:

data #0 __libc_do_syscall () at ../sysdeps/unix/sysv/linux/arm/libc-do-syscall.S:47
#1 0xb6e05c58 in __pthread_kill_implementation (threadid=, signo=signo@entry=6,
no_tid=no_tid@entry=0) at pthread_kill.c:43
#2 0xb6e05c8c in __pthread_kill_internal (signo=6, threadid=) at pthread_kill.c:78
#3 0xb6dd63ce in __GI_raise (sig=sig@entry=6)
at /usr/src/debug/glibc/2.39+git/sysdeps/posix/raise.c:26
#4 0xb6dc7f5c in __GI_abort () at abort.c:79
#5 0xb6dfd608 in __libc_message_impl (fmt=0xb6ea1a50 "*** %s **: terminated\n")
at /usr/src/debug/glibc/2.39+git/sysdeps/posix/libc_fatal.c:134
#6 0xb6e5a430 in __GI___fortify_fail (msg=) at fortify_fail.c:24
#7 0xb6e59ffe in __GI___chk_fail () at chk_fail.c:28
#8 0xb6e5a8a2 in __GI___memcpy_chk (dstpp=dstpp@entry=0xbefff7e6, srcpp=,
len=, dstlen=dstlen@entry=29) at memcpy_chk.c:27
#9 0x004944f4 in memcpy (__len=, __src=, __dest=0xbefff7e6)
at /usr/include/bits/string_fortified.h:29
#10 match_manufacturer (data=, user_data=)

Fixes: https://github.com/bluez/bluez/issues/1169
---
 src/shared/ad.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
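The crash the commit message describes is a fixed-size stack buffer receiving a memcpy whose length comes from the advertising report. The following is an added example, not BlueZ's own code: it mirrors the shape of match_manufacturer (company ID and payload flattened into a stack array, then a pattern compared at an offset) with hypothetical struct and function names, and lets the caller pick the scratch array size so the pre-patch (31-byte) and post-patch (251-byte) situations can be compared on the same extended-advertising-sized record. AD_MAX_DATA_LEN and EA_MAX_DATA_LEN are the values assumed here for BT_AD_MAX_DATA_LEN and BT_EA_MAX_DATA_LEN; the page does not state them. The sample record is constructed.

```c
/*
 * Added example, not BlueZ code. Mirrors the shape of match_manufacturer()
 * in src/shared/ad.c with hypothetical names. The two constants are the
 * values assumed here for BT_AD_MAX_DATA_LEN and BT_EA_MAX_DATA_LEN.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AD_MAX_DATA_LEN 31   /* legacy advertising report payload (assumed) */
#define EA_MAX_DATA_LEN 251  /* extended advertising report payload (assumed) */

struct manufacturer_data {
	uint16_t manufacturer_id;
	size_t len;          /* number of bytes in data[] */
	const uint8_t *data;
};

struct ad_pattern {
	size_t offset;       /* offset into company ID + payload */
	size_t len;
	const uint8_t *data;
};

enum match_result { MATCH_NO = 0, MATCH_YES = 1, MATCH_TOO_LONG = -1 };

/*
 * scratch_len stands in for the size of the stack array in the real
 * function: AD_MAX_DATA_LEN before the patch, EA_MAX_DATA_LEN after it.
 * The bound check before the memcpy keeps the copy inside the array; an
 * EA-sized record copied into a 31-byte array without such a check is
 * the __memcpy_chk abort in the backtrace above.
 */
static enum match_result match_manufacturer(const struct manufacturer_data *md,
					     const struct ad_pattern *pat,
					     size_t scratch_len)
{
	uint8_t all_data[EA_MAX_DATA_LEN];
	size_t total;

	if (!md || !pat || scratch_len < 2 || scratch_len > sizeof(all_data))
		return MATCH_TOO_LONG;

	/* 2-byte company ID + payload must fit the scratch buffer */
	if (md->len > scratch_len - 2)
		return MATCH_TOO_LONG;
	total = md->len + 2;

	all_data[0] = md->manufacturer_id & 0xff;   /* little-endian ID */
	all_data[1] = md->manufacturer_id >> 8;
	memcpy(&all_data[2], md->data, md->len);

	/* the pattern must lie entirely inside the flattened record */
	if (pat->offset > total || pat->len > total - pat->offset)
		return MATCH_NO;

	return memcmp(all_data + pat->offset, pat->data, pat->len) == 0
		? MATCH_YES : MATCH_NO;
}

/*
 * Constructed input: a record from company ID 0xffff (reserved for
 * testing) whose payload is the byte sequence 0, 1, 2, ... The pattern
 * looks for three consecutive bytes starting at `first`, placed right
 * after the company ID (offset 2).
 */
static enum match_result run_case(size_t payload_len, size_t scratch_len,
				  uint8_t first)
{
	uint8_t payload[EA_MAX_DATA_LEN];
	uint8_t want[3] = { first, (uint8_t)(first + 1), (uint8_t)(first + 2) };
	struct manufacturer_data md = { 0xffff, payload_len, payload };
	struct ad_pattern pat = { 2, sizeof(want), want };

	if (payload_len > sizeof(payload))
		return MATCH_TOO_LONG;
	for (size_t i = 0; i < payload_len; i++)
		payload[i] = (uint8_t)i;

	return match_manufacturer(&md, &pat, scratch_len);
}

int main(void)
{
	/* 29-byte payload: the largest legacy record that fits 31 bytes */
	printf("legacy record, 31-byte array:  %d\n",
	       run_case(AD_MAX_DATA_LEN - 2, AD_MAX_DATA_LEN, 0));
	/* 100-byte payload: only possible in an extended advertising report */
	printf("EA record,     31-byte array:  %d\n",
	       run_case(100, AD_MAX_DATA_LEN, 0));
	printf("EA record,    251-byte array:  %d\n",
	       run_case(100, EA_MAX_DATA_LEN, 0));
	return 0;
}
```

With the 31-byte scratch size the 100-byte record is rejected before the copy (which is the case that, unchecked, overflowed the old array); with the 251-byte size it is copied and matched. The bound is written against the array's own size rather than a separate constant so that the two cannot drift apart when the array is resized.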