[PATCH] attrib-server: Allow zero length attribute update


 



attrib_db_update always fails when g_try_realloc returns NULL, not
taking into account that the length passed to g_try_realloc could be
zero. In this case, g_try_realloc frees the currently allocated memory
and returns NULL.
As a result, not only will attrib_db_update fail needlessly, a
use-after-free could occur as the attribute's length will still hold the
length of the freed buffer.

Fix this by only returning an error if the length is non-zero.
---
 src/attrib-server.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/src/attrib-server.c b/src/attrib-server.c
index 3291e2d..dd1bba4 100644
--- a/src/attrib-server.c
+++ b/src/attrib-server.c
@@ -1456,7 +1456,7 @@ int attrib_db_update(struct btd_adapter *adapter, uint16_t handle,
 	a = dl->data;
 
 	a->data = g_try_realloc(a->data, len);
-	if (a->data == NULL)
+	if (len && a->data == NULL)
 		return -ENOMEM;
 
 	a->len = len;
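Review bot: the -ENOMEM path at `a->data = g_try_realloc(a->data, len);` still assigns the result straight back to `a->data`, so when a non-zero `len` allocation fails the attribute's pointer is overwritten with NULL while `a->len` keeps the old length. g_try_realloc leaves the original block allocated on failure, so the old buffer is also leaked. Consider reallocating into a local first, for example `data = g_try_realloc(a->data, len);` followed by `if (len && data == NULL) return -ENOMEM;` and only then `a->data = data;`, so that a failed update leaves the attribute's data and length consistent. A short comment on the `len &&` test noting that a zero-length realloc frees the buffer and returns NULL would help readers who do not have the commit message at hand.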
-- 
1.7.7.6
