Hi Szymon,
>>> Those could lead to reading invalid memory if frames were corrupted.
>>> ---
>>> monitor/packet.c | 10 +++++-----
>>> 1 file changed, 5 insertions(+), 5 deletions(-)
>>>
>>> diff --git a/monitor/packet.c b/monitor/packet.c
>>> index ba58d84..56a315b 100644
>>> --- a/monitor/packet.c
>>> +++ b/monitor/packet.c
>>> @@ -8204,7 +8204,7 @@ static const struct event_data event_table[] = {
>>>
>>> { 0x01, "Inquiry Complete",
>>>
>>> inquiry_complete_evt, 1, true },
>>>
>>> { 0x02, "Inquiry Result",
>>>
>>> - inquiry_result_evt, 1, false },
>>> + inquiry_result_evt, 8, false },
>>
>> these are wrong. That is why fixed size is set to false here. It means that
>> the callback function needs to ensure we do the right checks. If we don't,
>> please with the callback functions.
>
> If fixed==false then passed size is minimum required size and all callbacks
> are expecting those.
>
> From packet_hci_event()
>
> if (event_data->fixed) {
> if (hdr->plen != event_data->size) {
> print_text(COLOR_ERROR, "invalid packet size");
> packet_hexdump(data, size);
> return;
> }
> } else {
> if (hdr->plen < event_data->size) {
> print_text(COLOR_ERROR, "too short packet");
> packet_hexdump(data, size);
> return;
> }
> }
>
> event_data->func(data, hdr->plen);
yes exactly. And the minimum size for inquiry results is 1 octet. The num can be actually 0.
Regards
Marcel
--
To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
