Re: [PATCH] misc fixups

Hi,

On Mon, Sep 28, 2009, Steve Grubb wrote:
> On Saturday 26 September 2009 06:29:14 pm you wrote:
> > > The first is that in audio/pcm_bluetooth.c, a data structure is being
> > > overrun. Because the underlying buffer is 512 bytes, no overflow really
> > > occurs. What appears to happen is too much data gets copied.
> > >
> > > diff -urp bluez-4.54.orig/audio/pcm_bluetooth.c
> > > bluez-4.54/audio/pcm_bluetooth.c ---
> > > bluez-4.54.orig/audio/pcm_bluetooth.c       2009-09-25 11:33:47.000000000
> > > -0400 +++ bluez-4.54/audio/pcm_bluetooth.c    2009-09-25
> > > 14:35:35.000000000 -0400 @@ -729,7 +729,7 @@ static int
> > > bluetooth_a2dp_hw_params(snd_
> > >        req->h.length = sizeof(*req);
> > >
> > >        memcpy(&req->codec, &a2dp->sbc_capabilities,
> > > -                       sizeof(a2dp->sbc_capabilities));
> > > +                       sizeof(req->codec));
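
Review bot: the new length on the + line, sizeof(req->codec), is the size of the destination's declared type only; if that type is a generic capabilities header with codec-specific data following it, the copy stops after the header and the SBC settings never reach the request. Keep sizeof(a2dp->sbc_capabilities) as the length and address the overrun concern separately: check (or statically assert) that the bytes written past req->codec still fit in the 512-byte buffer mentioned in the description, and add a comment at the memcpy stating that the copy is meant to extend beyond sizeof(req->codec).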
> > 
> > Be careful that these structs are different, we really want to copy sbc
> > codec capabilities which is used to configure later.
> 
> OK, I see the uint8_t data[0] in codec_capabilities_t which usually means data
> to follow. Missed that. OK, the revised patch would just drop that.

This one is now also pushed upstream.

Johan
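
Added example, not part of this thread and not BlueZ code: a header struct ending in a flexible array member (the standard C spelling of data[0]) is copied once with the header's sizeof and once with the object's real length plus a bounds check. The names caps_hdr, copy_sizeof_hdr, copy_checked and the 6-byte payload are hypothetical and the sample object is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical generic header; codec-specific bytes follow it in memory. */
struct caps_hdr {
	uint8_t type, length;  /* length = header plus trailing data */
	uint8_t data[];        /* not counted by sizeof(struct caps_hdr) */
};

#define PAYLOAD_LEN 6  /* constructed codec-specific size */
#define FULL_LEN (sizeof(struct caps_hdr) + PAYLOAD_LEN)
static union { struct caps_hdr hdr; uint8_t bytes[FULL_LEN]; } sample; /* constructed source */

/* Length taken from the header type: the trailing data is left behind. */
static void copy_sizeof_hdr(uint8_t *dst, const struct caps_hdr *src)
{
	memcpy(dst, src, sizeof(struct caps_hdr));
}

/* Length taken from the object itself, refused if dst cannot hold it. */
static int copy_checked(uint8_t *dst, size_t dst_len, const struct caps_hdr *src)
{
	if (src->length < sizeof(struct caps_hdr) || src->length > dst_len)
		return -1;
	memcpy(dst, src, src->length);
	return src->length;
}

/* Returns how many payload bytes reached dst, or -1 if the copy was refused. */
static int payload_bytes_arrived(int checked, size_t dst_len)
{
	uint8_t dst[512] = {0};
	int n = 0;
	sample.hdr.length = (uint8_t)FULL_LEN;
	memset(sample.bytes + sizeof(struct caps_hdr), 0xAB, PAYLOAD_LEN);
	if (!checked)
		copy_sizeof_hdr(dst, &sample.hdr);
	else if (copy_checked(dst, dst_len, &sample.hdr) < 0)
		return -1;
	for (size_t i = sizeof(struct caps_hdr); i < FULL_LEN; i++)
		n += (dst[i] == 0xAB);
	return n;
}

int main(void)
{
	printf("hdr=%d full=%d small=%d\n", payload_bytes_arrived(0, 512), payload_bytes_arrived(1, 512), payload_bytes_arrived(1, 4));
}
```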