I've being investigating this Ubuntu 9.04 bug https://bugs.launchpad.net/ubuntu/+source/bluez/+bug/332119 I've verified that the bug is reproducible with bluez-4.32, bluez-4.34 and git-tip (today at 15.00 UTC). The root of the bug is that sdp_gen_pdu doesn't check if the given buffer is big enough to contain the requested data. It's being called from sdp_append_to_pdu, which uses a 512 byte array at the stack but, when pairing with my Nokia 6161, it's called with a d parameter that sums more that 17KB. So the stack is corrupted and the back-trace isn't very useful. All the other callers of sdp_gen_pdu seems to use dynamic memory (malloc), so I've rewritten sdp_append_to_pdu to use dynamic memory and fixed sdp_gen_pdu to grow the given buffer when it gets full.
diff --git a/lib/sdp.c b/lib/sdp.c index 2581a1d..0edf3b0 100644 --- a/lib/sdp.c +++ b/lib/sdp.c @@ -714,6 +714,24 @@ static int get_data_size(sdp_buf_t *buf, sdp_data_t *sdpdata) return n; } +static int sdp_buf_allocate(sdp_buf_t *buf, size_t len) +{ + if (buf->data_size + len > buf->buf_size) + { + int need = buf->buf_size + SDP_PDU_CHUNK_SIZE * ((len / SDP_PDU_CHUNK_SIZE) + 1); + void *tmp = realloc(buf->data, need); + SDPDBG("Realloc'ing : %d\n", need); + + if (tmp == NULL) { + SDPERR("Realloc fails \n"); + return -1; + } + buf->data = tmp; + buf->buf_size = need; + } + return 0; +} + int sdp_gen_pdu(sdp_buf_t *buf, sdp_data_t *d) { uint32_t pdu_size = 0, data_size = 0; @@ -725,6 +743,8 @@ int sdp_gen_pdu(sdp_buf_t *buf, sdp_data_t *d) uint128_t u128; uint8_t *seqp = buf->data + buf->data_size; + if (!sdp_buf_allocate(buf, 5)) + return -1; pdu_size = sdp_set_data_type(buf, dtd); switch (dtd) { @@ -793,14 +813,16 @@ int sdp_gen_pdu(sdp_buf_t *buf, sdp_data_t *d) case SDP_SEQ16: case SDP_SEQ32: is_seq = 1; - data_size = get_data_size(buf, d); + if ((data_size = get_data_size(buf, d)) == -1) + return -1; sdp_set_seq_len(seqp, data_size); break; case SDP_ALT8: case SDP_ALT16: case SDP_ALT32: is_alt = 1; - data_size = get_data_size(buf, d); + if ((data_size = get_data_size(buf, d)) == -1) + return -1; sdp_set_seq_len(seqp, data_size); break; case SDP_UUID16: @@ -822,7 +844,9 @@ int sdp_gen_pdu(sdp_buf_t *buf, sdp_data_t *d) } if (!is_seq && !is_alt) { - if (src && buf && buf->buf_size >= buf->data_size + data_size) { + if (src) { + if (!sdp_buf_allocate(buf, data_size)) + return -1; memcpy(buf->data + buf->data_size, src, data_size); buf->data_size += data_size; } else if (dtd != SDP_DATA_NIL) { @@ -2590,17 +2614,9 @@ void sdp_append_to_buf(sdp_buf_t *dst, uint8_t *data, uint32_t len) SDPDBG("Append src size: %d\n", len); SDPDBG("Append dst size: %d\n", dst->data_size); SDPDBG("Dst buffer size: %d\n", dst->buf_size); - if (dst->data_size + len > dst->buf_size) { - int need = SDP_PDU_CHUNK_SIZE * ((len / SDP_PDU_CHUNK_SIZE) + 1); - dst->data = realloc(dst->data, dst->buf_size + need); - - SDPDBG("Realloc'ing : %d\n", need); + if (sdp_buf_allocate(dst, len) == -1) + return; - if (dst->data == NULL) { - SDPERR("Realloc fails \n"); - } - dst->buf_size += need; - } if (dst->data_size == 0 && dtd == 0) { /* create initial sequence */ *(uint8_t *)p = SDP_SEQ8; @@ -2642,17 +2658,17 @@ void sdp_append_to_buf(sdp_buf_t *dst, uint8_t *data, uint32_t len) void sdp_append_to_pdu(sdp_buf_t *pdu, sdp_data_t *d) { - uint8_t buf[512]; sdp_buf_t append; memset(&append, 0, sizeof(sdp_buf_t)); - append.data = buf; - append.buf_size = sizeof(buf); + append.data = NULL; + append.buf_size = 0; append.data_size = 0; sdp_set_attrid(&append, d->attrId); - sdp_gen_pdu(&append, d); - sdp_append_to_buf(pdu, append.data, append.data_size); + if (sdp_gen_pdu(&append, d) != -1) + sdp_append_to_buf(pdu, append.data, append.data_size); + free(append.data); } /*