Currently iov_append is defined in 2 places, client/player.c and src/shared/bap.c. The player.c implementation is faulty as it does not allocate additional memory for the data that it appends to the original iovec. This can cause buffer overflows such as the one attached at the end of this message, which was discovered while running an Unicast setup. Therefore, the implementation from src/shared/bap.c was used to create util_iov_append as it allocates new memory appropriately. The existing calls to iov_append from src/shared/bap.c and client/player.c were replaced with the new util_iov_append. ==131878==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000059dda at pc 0x7feee2e70ea3 bp 0x7ffd415773f0 sp 0x7ffd41576b98 WRITE of size 6 at 0x602000059dda thread T0 0 0x7feee2e70ea2 in __interceptor_memcpy ../../../../src/libsanitizer /sanitizer_common/sanitizer_common_interceptors.inc:899 1 0x5579661314aa in memcpy /usr/include/x86_64-linux-gnu/bits/ string_fortified.h:29 2 0x5579661314aa in iov_append client/player.c:2120 3 0x557966132169 in endpoint_select_properties_reply client/player.c:2191 4 0x557966132a6f in endpoint_select_properties client/player.c:2268 5 0x55796616e0b4 in process_message gdbus/object.c:246 Vlad Pruteanu (3): shared/util: Add util_iov_append function shared/bap: Use util_iov_append instead of iov_append client/player: Use util_iov_append instead of iov_append client/player.c | 35 ++++++++++------------------------- src/shared/bap.c | 16 +++++----------- src/shared/util.c | 6 ++++++ src/shared/util.h | 1 + 4 files changed, 22 insertions(+), 36 deletions(-) -- 2.39.2
