Attaching patch without change in src/adapter.c file.

Lukasz Pawlik

2010/10/6 Lukasz Pawlik <lucas.pawlik@xxxxxxxxx>:
> Hi,
>
> Sorry. My bad. It was never my intention to change src/adapter.c. I've
> prepared two patches with the same name and of course sent the wrong
> one. Problem with invalid read fix change made in src/sdpd-service.c
> file.
>
> Lukasz
>
> 2010/10/6 Johan Hedberg <johan.hedberg@xxxxxxxxx>:
>> Hi Lukasz,
>>
>> On Wed, Oct 06, 2010, Lukasz Pawlik wrote:
>>> This patch fix problem with reading data from out of the array range in
>>> function used to create EIR response.
>>
>> You'll need to explain in more detail exactly what was wrong with the
>> old code and how your patch fixes it (and why it is the correct fix).
>>
>>> - uint8_t data[240];
>>> + uint8_t data[242];
>>
>> Why 242? The core spec defines the EIR data as a 240 byte field.
>>
>>> - uuid128_data[SIZEOF_UUID128 - k])
>>> + uuid128_data[SIZEOF_UUID128 - 1 - k])
>>
>> This change looks fine (the index of the last byte is sizeof(uuid128) - 1).
>>
>> Johan
>>
>
From 5e6ca8e9dff0ced5aacc1cbfa12318680ade957a Mon Sep 17 00:00:00 2001 From: Lukasz Pawlik <lucas.pawlik@xxxxxxxxx> Date: Fri, 8 Oct 2010 09:23:26 +0200 Subject: [PATCH] Fix problem with invalid read from array This patch fix problem with reading data from out of the array range in function used to create EIR response. --- src/sdpd-service.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/src/sdpd-service.c b/src/sdpd-service.c index 26ab9a5..67dd9af 100644 --- a/src/sdpd-service.c +++ b/src/sdpd-service.c @@ -204,7 +204,7 @@ static void eir_generate_uuid128(sdp_list_t *list, for (i = 0; i < index; i++) { for (k = 0; k < SIZEOF_UUID128; k++) { if (uuid128[i * SIZEOF_UUID128 + k] != - uuid128_data[SIZEOF_UUID128 - k]) + uuid128_data[SIZEOF_UUID128 - 1 - k]) break; } if (k == SIZEOF_UUID128) -- 1.7.0.4
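Review bot: The commit message still does not say what the invalid read was, which is what the earlier review in this thread asked for; the point applies to the inner loop over k in eir_generate_uuid128. With the old index SIZEOF_UUID128 - k, the first iteration (k = 0) reads uuid128_data[SIZEOF_UUID128], one past the last valid index if uuid128_data holds SIZEOF_UUID128 bytes, and the loop never reaches index 0. Suggest stating that in the message, together with why uuid128_data[SIZEOF_UUID128 - 1 - k] is the correct fix: it walks indices SIZEOF_UUID128 - 1 down to 0, so every byte is compared and none is read out of range. It is also worth noting that the old comparison was shifted by one byte, so the k == SIZEOF_UUID128 full-match case below the loop could only be reached by accident.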