Hi Johan,

-----Original Message-----
From: linux-bluetooth-owner@xxxxxxxxxxxxxxx [mailto:linux-bluetooth-owner@xxxxxxxxxxxxxxx] On Behalf Of Johan Hedberg
Sent: Thursday, November 11, 2010 1:07 PM
To: Vinicius Costa Gomes
Cc: linux-bluetooth@xxxxxxxxxxxxxxx; Bruna Moreira
Subject: Re: [PATCH v2 1/7] Fix invalid memory access when EIR field length is zero

Hi,

On Thu, Nov 11, 2010, Vinicius Costa Gomes wrote:
> diff --git a/src/adapter.c b/src/adapter.c
> index b1aabbd..8b742b7 100644
> --- a/src/adapter.c
> +++ b/src/adapter.c
> @@ -2977,14 +2977,13 @@ static char **get_eir_uuids(uint8_t *eir_data, size_t *uuid_count)
> unsigned int i;
>
> while (len < EIR_DATA_LENGTH - 1) {
> - uint8_t type = eir_data[1];
> uint8_t field_len = eir_data[0];
>
> /* Check for the end of EIR */
> if (field_len == 0)
> break;
>
> - switch (type) {
> + switch (eir_data[1]) {
> case EIR_UUID16_SOME:
> case EIR_UUID16_ALL:
> uuid16_count = field_len / 2;

Pushed upstream. Thanks.

Johan
--

Was there a bug to begin with? :)
The access to eir_data[1] was always valid due to the check (len < EIR_DATA_LENGTH - 1) and the fact that eir_data is a buffer of fixed length of EIR_DATA_LENGTH (240 bytes).
Oh well, it's upstream already.

Inga
--
To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
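Review bot: the subject line promises a fix for an invalid memory access, but in the visible hunk the read of eir_data[1] is already in bounds: the loop condition `while (len < EIR_DATA_LENGTH - 1)` leaves at least two bytes of the fixed-size buffer ahead of the current position, so moving the type read behind the `if (field_len == 0) break;` check changes when that byte is read, not whether reading it is safe. Either the commit message should describe this as a clean-up that stops reading the type byte of a terminating zero-length field, or it should name the actual out-of-bounds path. The bound this loop does not visibly enforce is the field length itself: `field_len` comes from peer-supplied EIR data and `uuid16_count = field_len / 2` is derived from it with no check that `len + field_len + 1` stays within EIR_DATA_LENGTH, so a field near the tail of the 240-byte buffer can claim more bytes than remain, and anything that consumes `uuid16_count` UUIDs from the bytes that follow would read past the end. Adding `if (len + field_len + 1 > EIR_DATA_LENGTH) break;` directly after the terminator test would close that for every field type.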
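To make the bound Inga describes concrete, here is an added, stand-alone EIR parser in the shape of the loop in the patch. It is example code written for this page, not BlueZ's get_eir_uuids() or any code from the thread. It assumes EIR_DATA_LENGTH is 240 as stated in the reply, uses the assigned EIR type values 0x02 and 0x03 for the incomplete and complete 16-bit UUID lists, and adds one check the quoted hunk does not show: a field whose length byte claims more bytes than remain in the buffer is rejected instead of being trusted. The function name eir_parse_uuid16 and the two sample blobs are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EIR_DATA_LENGTH 240   /* fixed EIR buffer size, as stated in the thread */
#define EIR_UUID16_SOME 0x02  /* incomplete list of 16-bit service UUIDs */
#define EIR_UUID16_ALL  0x03  /* complete list of 16-bit service UUIDs */

/*
 * Walk the length/type/payload fields of an EIR blob and collect the
 * 16-bit UUIDs it carries. Returns 0 on success (with *out_count set),
 * or -1 if a field length runs past the end of the buffer or more UUIDs
 * are present than 'out' can hold.
 */
int eir_parse_uuid16(const uint8_t *eir, size_t eir_len,
                     uint16_t *out, size_t out_max, size_t *out_count)
{
    size_t pos = 0, n = 0;

    /* Same bound as the patch: both the length byte and the type byte
     * at pos and pos+1 are inside the buffer while this holds. */
    while (pos + 1 < eir_len) {
        uint8_t field_len = eir[pos];

        /* A zero-length field terminates the EIR; the type byte after
         * it is in bounds but meaningless, so do not interpret it. */
        if (field_len == 0)
            break;

        /* The length byte is peer-controlled. Refuse a field that claims
         * more bytes than remain; this is the check the hunk lacks. */
        if (pos + 1 + field_len > eir_len)
            return -1;

        uint8_t type = eir[pos + 1];

        if (type == EIR_UUID16_SOME || type == EIR_UUID16_ALL) {
            /* field_len counts the type byte; the rest is UUID pairs.
             * (field_len - 1) / 2 equals the patch's field_len / 2 for
             * well-formed odd lengths and ignores a trailing odd byte. */
            size_t count = (field_len - 1) / 2;
            for (size_t i = 0; i < count; i++) {
                if (n >= out_max)
                    return -1;
                const uint8_t *p = &eir[pos + 2 + 2 * i];
                out[n++] = (uint16_t)(p[0] | (p[1] << 8)); /* little-endian */
            }
        }

        pos += 1 + field_len; /* advance past length byte and payload */
    }

    *out_count = n;
    return 0;
}

/* Constructed sample blobs for the example (not captured from a device). */
static const uint8_t sample_eir_good[EIR_DATA_LENGTH] = {
    0x02, 0x01, 0x06,                   /* Flags field, 1 data byte */
    0x05, 0x03, 0x0F, 0x18, 0x0A, 0x18, /* complete UUID16 list: 0x180F, 0x180A */
    0x00                                /* terminator; rest is zero padding */
};

static const uint8_t sample_eir_overrun[] = {
    0x02, 0x01, 0x06,  /* Flags field */
    0xFF, 0x03, 0x0F   /* claims 255 bytes, only 2 remain */
};

int main(void)
{
    uint16_t uuids[8];
    size_t n = 0;

    if (eir_parse_uuid16(sample_eir_good, sizeof sample_eir_good,
                         uuids, 8, &n) == 0) {
        printf("good blob: %zu UUIDs:", n);
        for (size_t i = 0; i < n; i++)
            printf(" 0x%04X", uuids[i]);
        printf("\n");
    }

    if (eir_parse_uuid16(sample_eir_overrun, sizeof sample_eir_overrun,
                         uuids, 8, &n) == -1)
        printf("overrun blob: rejected, field length exceeds buffer\n");

    return 0;
}
```

The first blob is parsed to completion and stops at the zero-length terminator without ever interpreting the byte after it; the second is rejected at the length check before any UUID bytes are read, which is the outcome the original loop bound alone cannot guarantee.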