This patch add some memory checks after malloc is called. Also some blank spaces at the end of the lines are removed. I observed that sometimes functions returns NULL or 0 without any convention. I set all to NULL to formalice the source code. Regards. diff --git a/lib/sdp.c b/lib/sdp.c index 7cf710b..04538bd 100644 --- a/lib/sdp.c +++ b/lib/sdp.c @@ -1078,6 +1078,8 @@ static sdp_data_t *extract_int(const void *p, int bufsize, int *len) } d = malloc(sizeof(sdp_data_t)); + if (!d) + return NULL; SDPDBG("Extracting integer\n"); memset(d, 0, sizeof(sdp_data_t)); @@ -1151,6 +1153,8 @@ static sdp_data_t *extract_uuid(const uint8_t *p, int bufsize, int *len, sdp_record_t *rec) { sdp_data_t *d = malloc(sizeof(sdp_data_t)); + if (!d) + return NULL; SDPDBG("Extracting UUID"); memset(d, 0, sizeof(sdp_data_t)); @@ -1179,6 +1183,8 @@ static sdp_data_t *extract_str(const void *p, int bufsize, int *len) } d = malloc(sizeof(sdp_data_t)); + if (!d) + return NULL; memset(d, 0, sizeof(sdp_data_t)); d->dtd = *(uint8_t *) p; @@ -1214,7 +1220,7 @@ static sdp_data_t *extract_str(const void *p, int bufsize, int *len) default: SDPERR("Sizeof text string > UINT16_MAX\n"); free(d); - return 0; + return NULL; } if (bufsize < n) { @@ -1302,6 +1308,9 @@ static sdp_data_t *extract_seq(const void *p, int bufsize, int *len, sdp_data_t *curr, *prev; sdp_data_t *d = malloc(sizeof(sdp_data_t)); + if (!d) + return NULL; + SDPDBG("Extracting SEQ"); memset(d, 0, sizeof(sdp_data_t)); *len = sdp_extract_seqtype(p, bufsize, &d->dtd, &seqlen); @@ -1771,7 +1780,7 @@ sdp_list_t *sdp_list_append(sdp_list_t *p, void *d) sdp_list_t *q, *n = malloc(sizeof(sdp_list_t)); if (!n) - return 0; + return NULL; n->data = d; n->next = 0; @@ -1809,7 +1818,7 @@ sdp_list_t *sdp_list_insert_sorted(sdp_list_t *list, void *d, n = malloc(sizeof(sdp_list_t)); if (!n) - return 0; + return NULL; n->data = d; for (q = 0, p = list; p; q = p, p = p->next) if (f(p->data, d) >= 0) @@ -1949,6 +1958,8 @@ int sdp_get_uuidseq_attr(const sdp_record_t *rec, uint16_t attr, goto fail; u = malloc(sizeof(uuid_t)); + if (!u) + goto fail; memset(u, 0, sizeof(uuid_t)); *u = d->val.uuid; *seqp = sdp_list_append(*seqp, u); @@ -1974,7 +1985,13 @@ int sdp_set_uuidseq_attr(sdp_record_t *rec, uint16_t aid, sdp_list_t *seq) if (!seq || len == 0) return -1; dtds = (void **)malloc(len * sizeof(void *)); + if (!dtds) + return -1; values = (void **)malloc(len * sizeof(void *)); + if (!values) { + free(dtds); + return -1; + } for (p = seq, i = 0; i < len; i++, p = p->next) { uuid_t *uuid = (uuid_t *)p->data; if (uuid) @@ -2028,6 +2045,8 @@ int sdp_get_lang_attr(const sdp_record_t *rec, sdp_list_t **langSeq) sdp_data_t *pOffset = pEncoding->next; if (pEncoding && pOffset) { lang = malloc(sizeof(sdp_lang_attr_t)); + if (!lang) + goto fail; lang->code_ISO639 = pCode->val.uint16; lang->encoding = pEncoding->val.uint16; lang->base_offset = pOffset->val.uint16; @@ -2039,6 +2058,10 @@ int sdp_get_lang_attr(const sdp_record_t *rec, sdp_list_t **langSeq) curr_data = pOffset->next; } return 0; +fail: + sdp_list_free(*langSeq, free); + *langSeq = NULL; + return -1; } int sdp_get_profile_descs(const sdp_record_t *rec, sdp_list_t **profDescSeq) @@ -2069,6 +2092,8 @@ int sdp_get_profile_descs(const sdp_record_t *rec, sdp_list_t **profDescSeq) if (uuid != NULL) { profDesc = malloc(sizeof(sdp_profile_desc_t)); + if (!profDesc) + goto fail; profDesc->uuid = *uuid; profDesc->version = version; #ifdef SDP_DEBUG @@ -2079,6 +2104,10 @@ int sdp_get_profile_descs(const sdp_record_t *rec, sdp_list_t **profDescSeq) } } return 0; +fail: + sdp_list_free(*profDescSeq, free); + *profDescSeq = NULL; + return -1; } int sdp_get_server_ver(const sdp_record_t *rec, sdp_list_t **u16) @@ -2231,7 +2260,15 @@ static sdp_data_t *access_proto_to_dataseq(sdp_record_t *rec, sdp_list_t *proto) seqlen = sdp_list_len(proto); seqDTDs = (void **)malloc(seqlen * sizeof(void *)); + if (!seqDTDs) + return NULL; + seqs = (void **)malloc(seqlen * sizeof(void *)); + if (!seqs) { + free(seqDTDs); + return NULL; + } + for (i = 0, p = proto; p; p = p->next, i++) { sdp_list_t *elt = (sdp_list_t *)p->data; sdp_data_t *s; @@ -2349,11 +2386,20 @@ int sdp_set_add_access_protos(sdp_record_t *rec, const sdp_list_t *ap) int sdp_set_lang_attr(sdp_record_t *rec, const sdp_list_t *seq) { uint8_t uint16 = SDP_UINT16; + void **dtds, **values; int status = 0, i = 0, seqlen = sdp_list_len(seq); - void **dtds = (void **)malloc(3 * seqlen * sizeof(void *)); - void **values = (void **)malloc(3 * seqlen * sizeof(void *)); const sdp_list_t *p; + dtds = (void **)malloc(3 * seqlen * sizeof(void *)); + if (!dtds) + return -1; + + values = (void **)malloc(3 * seqlen * sizeof(void *)); + if (!values) { + free(dtds); + return -1; + } + for (p = seq; p; p = p->next) { sdp_lang_attr_t *lang = (sdp_lang_attr_t *)p->data; if (!lang) { @@ -2455,10 +2501,18 @@ int sdp_set_profile_descs(sdp_record_t *rec, const sdp_list_t *profiles) uint8_t uuid128 = SDP_UUID128; uint8_t uint16 = SDP_UINT16; int i = 0, seqlen = sdp_list_len(profiles); - void **seqDTDs = (void **)malloc(seqlen * sizeof(void *)); - void **seqs = (void **)malloc(seqlen * sizeof(void *)); + void **seqDTDs; + void **seqs; const sdp_list_t *p; + seqDTDs = (void **)malloc(seqlen * sizeof(void *)); + if (!seqDTDs) + return -1; + seqs = (void **)malloc(seqlen * sizeof(void *)); + if (!seqs) { + free(seqDTDs); + return -1; + } for (p = profiles; p; p = p->next) { sdp_data_t *seq; void *dtds[2], *values[2]; @@ -2642,7 +2696,11 @@ void sdp_uuid32_to_uuid128(uuid_t *uuid128, uuid_t *uuid32) uuid_t *sdp_uuid_to_uuid128(uuid_t *uuid) { - uuid_t *uuid128 = bt_malloc(sizeof(uuid_t)); + uuid_t *uuid128 = malloc(sizeof(uuid_t)); + + if (!uuid128) + return NULL; + memset(uuid128, 0, sizeof(uuid_t)); switch (uuid->type) { case SDP_UUID128: @@ -2796,7 +2854,17 @@ int sdp_device_record_register_binary(sdp_session_t *session, bdaddr_t *device, return -1; } req = malloc(SDP_REQ_BUFFER_SIZE); + if(!req) { + errno = ENOMEM; + return -1; + } + rsp = malloc(SDP_RSP_BUFFER_SIZE); + if(!rsp) { + errno = ENOMEM; + return -1; + } + if (req == NULL || rsp == NULL) { status = -1; errno = ENOMEM; @@ -3087,6 +3155,9 @@ int sdp_record_update(sdp_session_t *session, const sdp_record_t *rec) sdp_record_t *sdp_record_alloc() { sdp_record_t *rec = malloc(sizeof(sdp_record_t)); + + if (!rec) + return NULL; memset((void *)rec, 0, sizeof(sdp_record_t)); rec->handle = 0xffffffff; return rec; @@ -3254,7 +3325,7 @@ static int copy_cstate(uint8_t *pdata, int pdata_len, const sdp_cstate_t *cstate } /* - * This is a service search request. + * This is a service search request. * * INPUT : * @@ -3417,7 +3488,7 @@ end: } /* - * This is a service attribute request. + * This is a service attribute request. * * INPUT : * @@ -3438,7 +3509,7 @@ end: * * sdp_list_t *attrid * Singly linked list containing attribute identifiers desired. - * Every element is either a uint16_t(attrSpec = SDP_ATTR_REQ_INDIVIDUAL) + * Every element is either a uint16_t(attrSpec = SDP_ATTR_REQ_INDIVIDUAL) * or a uint32_t(attrSpec=SDP_ATTR_REQ_RANGE) * * OUTPUT : @@ -3448,7 +3519,7 @@ end: * !0: * The service record */ -sdp_record_t *sdp_service_attr_req(sdp_session_t *session, uint32_t handle, +sdp_record_t *sdp_service_attr_req(sdp_session_t *session, uint32_t handle, sdp_attrreq_type_t reqtype, const sdp_list_t *attrids) { uint32_t reqsize = 0, _reqsize; @@ -3494,7 +3565,7 @@ sdp_record_t *sdp_service_attr_req(sdp_session_t *session, uint32_t handle, pdata += sizeof(uint16_t); // get attr seq PDU form - seqlen = gen_attridseq_pdu(pdata, attrids, + seqlen = gen_attridseq_pdu(pdata, attrids, reqtype == SDP_ATTR_REQ_INDIVIDUAL? SDP_UINT16 : SDP_UINT32); if (seqlen == -1) { errno = EINVAL; @@ -3558,7 +3629,7 @@ sdp_record_t *sdp_service_attr_req(sdp_session_t *session, uint32_t handle, SDPDBG("sdp_cstate_t length : %d\n", cstate_len); /* - * a split response: concatenate intermediate responses + * a split response: concatenate intermediate responses * and the last one (which has cstate_len == 0) */ if (cstate_len > 0 || rsp_concat_buf.data_size != 0) { @@ -3583,7 +3654,7 @@ sdp_record_t *sdp_service_attr_req(sdp_session_t *session, uint32_t handle, } rec = sdp_extract_pdu(pdata, pdata_len, &scanned); } - + end: if (reqbuf) free(reqbuf); @@ -3676,7 +3747,7 @@ int sdp_set_notify(sdp_session_t *session, sdp_callback_t *func, void *udata) /* * This function starts an asynchronous service search request. - * The incomming and outgoing data are stored in the transaction structure + * The incomming and outgoing data are stored in the transaction structure * buffers. When there is incomming data the sdp_process function must be * called to get the data and handle the continuation state. * @@ -3771,7 +3842,7 @@ end: /* * This function starts an asynchronous service attribute request. - * The incomming and outgoing data are stored in the transaction structure + * The incomming and outgoing data are stored in the transaction structure * buffers. When there is incomming data the sdp_process function must be * called to get the data and handle the continuation state. * @@ -3796,7 +3867,7 @@ end: * * sdp_list_t *attrid_list * Singly linked list containing attribute identifiers desired. - * Every element is either a uint16_t(attrSpec = SDP_ATTR_REQ_INDIVIDUAL) + * Every element is either a uint16_t(attrSpec = SDP_ATTR_REQ_INDIVIDUAL) * or a uint32_t(attrSpec=SDP_ATTR_REQ_RANGE) * * OUTPUT : @@ -3912,7 +3983,7 @@ end: * * sdp_list_t *attrid_list * Singly linked list containing attribute identifiers desired. - * Every element is either a uint16_t(attrSpec = SDP_ATTR_REQ_INDIVIDUAL) + * Every element is either a uint16_t(attrSpec = SDP_ATTR_REQ_INDIVIDUAL) * or a uint32_t(attrSpec=SDP_ATTR_REQ_RANGE) * @@ -4130,7 +4201,7 @@ int sdp_process(sdp_session_t *session) pdata += sizeof(uint16_t); /* point to csrc */ /* the first csrc contains the sum of partial csrc responses */ - *pcsrc += bt_get_unaligned((uint16_t *) pdata); + *pcsrc += bt_get_unaligned((uint16_t *) pdata); pdata += sizeof(uint16_t); /* point to the first handle */ rsp_count = csrc * 4; @@ -4141,8 +4212,8 @@ int sdp_process(sdp_session_t *session) case SDP_SVC_SEARCH_ATTR_RSP: rsp_count = ntohs(bt_get_unaligned((uint16_t *) pdata)); SDPDBG("Attrlist byte count : %d\n", rsp_count); - - /* + + /* * Number of bytes in the AttributeLists parameter(without * continuation state) + AttributeListsByteCount field size. */ @@ -4168,7 +4239,7 @@ int sdp_process(sdp_session_t *session) SDPDBG("Cstate length : %d\n", pcstate->length); - /* + /* * Check out of bound. Continuation state must have at least * 1 byte: ZERO to indicate that it is not a partial response. */ @@ -4202,7 +4273,7 @@ int sdp_process(sdp_session_t *session) // set the request header's param length reqhdr->plen = htons(reqsize - sizeof(sdp_pdu_hdr_t)); - + if (sdp_send_req(session, t->reqbuf, reqsize) < 0) { SDPERR("Error sendind data:%s(%d)", strerror(errno), errno); status = 0xffff; @@ -4253,7 +4324,7 @@ end: * * sdp_list_t *attrids * Singly linked list containing attribute identifiers desired. - * Every element is either a uint16_t(attrSpec = SDP_ATTR_REQ_INDIVIDUAL) + * Every element is either a uint16_t(attrSpec = SDP_ATTR_REQ_INDIVIDUAL) * or a uint32_t(attrSpec=SDP_ATTR_REQ_RANGE) * * OUTPUT : -- To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html