[PATCH 1/2] shared/gatt-server: Avoid memory corruption

When sending notification and indication data, the size of the allocated
packet is the smallest of the MTU and the payload size.

The copy procedure uses the payload size in all cases, which can lead to
memory corruption. Use the packet size instead.
---
 src/shared/gatt-server.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
index b406ed6..dd9c88f 100644
--- a/src/shared/gatt-server.c
+++ b/src/shared/gatt-server.c
@@ -1506,7 +1506,7 @@ bool bt_gatt_server_send_notification(struct bt_gatt_server *server,
 		return false;
 
 	put_le16(handle, pdu);
-	memcpy(pdu + 2, value, length);
+	memcpy(pdu + 2, value, pdu_len - 2);
 
 	result = !!bt_att_send(server->att, BT_ATT_OP_HANDLE_VAL_NOT, pdu,
 						pdu_len, NULL, NULL, NULL);
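
Review bot: At the memcpy in bt_gatt_server_send_notification, `pdu_len - 2` is used as the copy size and would wrap to a very large value if pdu_len could ever be below 2. The computation of pdu_len is outside this hunk, so please confirm it is always at least 2 at this point, or add an explicit check before the copy. Separately, when length is larger than pdu_len - 2 the value is now truncated without any indication, and the function still returns the bt_att_send result. A short comment or debug log stating that truncation is intended would make that visible to callers.
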
@@ -1571,7 +1571,7 @@ bool bt_gatt_server_send_indication(struct bt_gatt_server *server,
 	data->user_data = user_data;
 
 	put_le16(handle, pdu);
-	memcpy(pdu + 2, value, length);
+	memcpy(pdu + 2, value, pdu_len - 2);
 
 	result = !!bt_att_send(server->att, BT_ATT_OP_HANDLE_VAL_IND, pdu,
 							pdu_len, conf_cb,
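
Review bot: The memcpy in bt_gatt_server_send_indication repeats the same `pdu_len - 2` bound as the notification path. Consider a small shared helper that writes the handle and the clamped value for both functions, so the size calculation lives in one place and cannot drift. Because conf_cb is handed to bt_att_send here, the caller's callback gives no sign that the value was shortened. Documenting the truncation in the function's comment would be worthwhile.
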
-- 
2.1.0
