Re: [PATCH 1/2] shared/gatt-server: Avoid memory corruption

Hi Romain,

On Fri, Jan 23, 2015 at 4:25 PM, Romain Izard
<romain.izard.pro@xxxxxxxxx> wrote:
> When sending notification and indication data, the size of the allocated
> packet is the smallest of the MTU and the payload size.
>
> The copy procedure uses the payload size in all cases, which can lead to
> memory corruption. Use the packet size instead.
> ---
>  src/shared/gatt-server.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
> index b406ed6..dd9c88f 100644
> --- a/src/shared/gatt-server.c
> +++ b/src/shared/gatt-server.c
> @@ -1506,7 +1506,7 @@ bool bt_gatt_server_send_notification(struct bt_gatt_server *server,
>                 return false;
>
>         put_le16(handle, pdu);
> -       memcpy(pdu + 2, value, length);
> +       memcpy(pdu + 2, value, pdu_len - 2);
>
>         result = !!bt_att_send(server->att, BT_ATT_OP_HANDLE_VAL_NOT, pdu,
>                                                 pdu_len, NULL, NULL, NULL);
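
Review bot: with the copy in bt_gatt_server_send_notification() clamped to pdu_len - 2, a value longer than the PDU can carry is now truncated silently, and the function still returns the result of bt_att_send() as if the whole value had been sent. Consider documenting the truncation in the function's comment, or logging when length is larger than pdu_len - 2, so callers know only part of value goes out. The subtraction also assumes pdu_len is at least 2; where pdu_len is computed is outside this hunk, so it is worth confirming that always holds.
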
> @@ -1571,7 +1571,7 @@ bool bt_gatt_server_send_indication(struct bt_gatt_server *server,
>         data->user_data = user_data;
>
>         put_le16(handle, pdu);
> -       memcpy(pdu + 2, value, length);
> +       memcpy(pdu + 2, value, pdu_len - 2);
>
>         result = !!bt_att_send(server->att, BT_ATT_OP_HANDLE_VAL_IND, pdu,
>                                                         pdu_len, conf_cb,
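
Review bot: the put_le16() plus memcpy() packing in bt_gatt_server_send_indication() is a line-for-line copy of the one in bt_gatt_server_send_notification(), literal 2 for the handle size included, so the same length fix had to be made twice. A small shared helper that writes the handle and copies at most pdu_len - 2 bytes of value would keep the bound in one place, and a named constant for the handle size would make both the pdu + 2 offset and the subtraction self-explanatory.
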
> --
> 2.1.0

Applied, thanks.


-- 
Luiz Augusto von Dentz