In extract_str() we create sdp_data_t with strings and allocate sdp_data_t->val.str an extra 0-byte as NULL termination. In sdp_data_alloc_with_length() we're missing this, and strlen() in sdp_get_string_attr() ends up overrunning the sdpdata->val.str buffer looking for the NULL termination. Allocate the extra 0-byte for sdp_data_t->val.str to ensure this overrun can't happen. Co-developed-by: Zander Brown <zbrown@xxxxxxxxx> --- lib/sdp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/sdp.c b/lib/sdp.c index 844ae0d25..1565259a3 100644 --- a/lib/sdp.c +++ b/lib/sdp.c @@ -420,7 +420,7 @@ sdp_data_t *sdp_data_alloc_with_length(uint8_t dtd, const void *value, d->unitSize += length; if (length <= USHRT_MAX) { - d->val.str = malloc(length); + d->val.str = bt_malloc0(length + 1); if (!d->val.str) { free(d); return NULL; -- 2.41.0
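Review bot: the terminator in this hunk is implicit, so add a comment at the `bt_malloc0(length + 1)` line saying the extra zeroed byte is the NUL terminator that sdp_get_string_attr()'s strlen() depends on; nothing in the visible hunk writes a '\0' explicitly, and a later change to a non-zeroing allocator (or a memcpy of length + 1) would silently reintroduce the overrun. The preceding `d->unitSize += length;` is correctly left at `length` (it tracks the encoded attribute size, not the allocation), but a one-line note there would stop a future reader from "fixing" it to `length + 1`. Since the commit message says extract_str() already allocates the extra byte, please also add a regression test that builds a string attribute through sdp_data_alloc_with_length() from a value with no trailing zero and checks that sdp_get_string_attr() returns exactly `length` bytes. Finally, the trailers show Co-developed-by without the matching Signed-off-by from the co-developer that the convention requires.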