Hi Inga, On Wed, Aug 04, 2010, Inga Stotland wrote: > --- > src/adapter.c | 100 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-- > src/adapter.h | 4 +- > src/dbus-hci.c | 6 ++-- > 3 files changed, 102 insertions(+), 8 deletions(-) I've pushed the six other patches upstream, but I'm still a bit concerned with this one. First there's a minor coding style issue: > +static char **get_eir_uuids(uint8_t *eir_data, size_t *uuid_count) > +{ > + uint8_t len = 0; > + char **uuids = NULL; > + size_t total = 0; Neither the uuids nor the total variable need to be initialized upon declaration if you look at the function's code flow. In general initialization upon declaration of variables is something that should be avoided whenever not strictly needed since it can hide real issues that the compiler would otherwise be able to catch. Then, a more general concern about this function. It will receive data as input that any nearby device that's discoverable has declared in their EIR data. I.e. we need to be super strict about checking the validity of the data and not make any assumptions about the correctness of encoded field lengths etc. in order not to do buffer overflows. Have you taken this into account when designing the function? Looking at it it seems it might be possible to give it data that will cause some buffer overflows (by e.g. placing a uuid list at the very end of the EIR data with an invalid field length value). Johan -- To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html