applied > -----Original Message----- > From: linux-bluetooth-owner@xxxxxxxxxxxxxxx [mailto:linux-bluetooth- > owner@xxxxxxxxxxxxxxx] On Behalf Of Inga Stotland > Sent: Friday, March 1, 2019 3:53 PM > To: linux-bluetooth@xxxxxxxxxxxxxxx > Cc: Gix, Brian <brian.gix@xxxxxxxxx>; johan.hedberg@xxxxxxxxx; > luiz.dentz@xxxxxxxxx; Stotland, Inga <inga.stotland@xxxxxxxxx> > Subject: [PATCH BlueZ] mesh: Fix array processing in Send, Publish, Join > > Use correct parameters when calling > l_dbus_message_iter_get_fixed_array(). > Also, check the return value and the length of the processed array and return > an error if the checks fail. > --- > mesh/mesh.c | 11 ++++------- > mesh/node.c | 26 +++++++++++++------------- > 2 files changed, 17 insertions(+), 20 deletions(-) > > diff --git a/mesh/mesh.c b/mesh/mesh.c > index 8db83b7c3..a0a9a7c8e 100644 > --- a/mesh/mesh.c > +++ b/mesh/mesh.c > @@ -73,7 +73,7 @@ struct join_data{ > const char *app_path; > struct mesh_node *node; > uint32_t disc_watch; > - uint8_t uuid[16]; > + uint8_t *uuid; > }; > > struct attach_data { > @@ -561,7 +561,6 @@ static struct l_dbus_message > *join_network_call(struct l_dbus *dbus, { > const char *app_path, *sender; > struct l_dbus_message_iter iter_uuid; > - uint8_t *uuid; > uint32_t n; > > l_debug("Join network request"); > @@ -576,17 +575,15 @@ static struct l_dbus_message > *join_network_call(struct l_dbus *dbus, > > join_pending = l_new(struct join_data, 1); > > - l_dbus_message_iter_get_fixed_array(&iter_uuid, &uuid, &n); > - > - if (n != 16) { > + if (!l_dbus_message_iter_get_fixed_array(&iter_uuid, > + &join_pending->uuid, &n) > + || n != 16) { > l_free(join_pending); > join_pending = NULL; > return dbus_error(msg, MESH_ERROR_INVALID_ARGS, > "Bad device UUID"); > } > > - memcpy(join_pending->uuid, uuid, 16); > - > sender = l_dbus_message_get_sender(msg); > > join_pending->sender = l_strdup(sender); diff --git a/mesh/node.c > b/mesh/node.c index 6a7b4a260..761a67af4 100644 > --- a/mesh/node.c 
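Review bot: In the join_network_call hunk, `join_pending->uuid` now receives the pointer that l_dbus_message_iter_get_fixed_array() hands back, which addresses the D-Bus message body, and the `memcpy()` into owned storage is removed together with the `uint8_t uuid[16]` member in the struct join_data hunk. join_pending appears to outlive this method call (it is a file-scope object allocated here and its sender string is duplicated with l_strdup), so once msg is released the 16 bytes read later through join_pending->uuid are a dangling reference unless the message is kept referenced for the whole join. Keeping the array member and the local pointer, `if (!l_dbus_message_iter_get_fixed_array(&iter_uuid, &uuid, &n) || n != 16)` followed by `memcpy(join_pending->uuid, uuid, 16);`, preserves ownership; alternatively duplicate the bytes into a heap copy that is freed wherever join_pending is freed. Running that check before `l_new()` would also remove the free on the error path. The body of join_network_call continues outside the hunk.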
> +++ b/mesh/node.c > @@ -1537,7 +1537,7 @@ static struct l_dbus_message *send_call(struct > l_dbus *dbus, > struct l_dbus_message_iter iter_data; > struct node_element *ele; > uint16_t dst, app_idx, src; > - uint8_t data[MESH_MAX_ACCESS_PAYLOAD]; > + uint8_t *data; > uint32_t len; > struct l_dbus_message *reply; > > @@ -1559,10 +1559,10 @@ static struct l_dbus_message *send_call(struct > l_dbus *dbus, > > src = node_get_primary(node) + ele->idx; > > - l_dbus_message_iter_get_fixed_array(&iter_data, data, &len); > - if (!len) > + if (!l_dbus_message_iter_get_fixed_array(&iter_data, &data, &len) > || > + !len || len > > MESH_MAX_ACCESS_PAYLOAD) > return dbus_error(msg, MESH_ERROR_INVALID_ARGS, > - "Mesh message is empty"); > + "Incorrect data"); > > if (!mesh_model_send(node, src, dst, app_idx, > mesh_net_get_default_ttl(node->net), data, > len)) @@ -1583,7 +1583,7 @@ static struct l_dbus_message > *publish_call(struct l_dbus *dbus, > struct l_dbus_message_iter iter_data; > uint16_t mod_id, src; > struct node_element *ele; > - uint8_t data[MESH_MAX_ACCESS_PAYLOAD]; > + uint8_t *data; > uint32_t len; > struct l_dbus_message *reply; > int result; > @@ -1606,10 +1606,10 @@ static struct l_dbus_message *publish_call(struct > l_dbus *dbus, > > src = node_get_primary(node) + ele->idx; > > - l_dbus_message_iter_get_fixed_array(&iter_data, data, &len); > - if (!len) > + if (!l_dbus_message_iter_get_fixed_array(&iter_data, &data, &len) > || > + !len || len > > MESH_MAX_ACCESS_PAYLOAD) > return dbus_error(msg, MESH_ERROR_INVALID_ARGS, > - "Mesh message is empty"); > + "Incorrect data"); > > result = mesh_model_publish(node, VENDOR_ID_MASK | mod_id, > src, > mesh_net_get_default_ttl(node->net), data, > len); 
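Review bot: In the send_call and publish_call hunks the local `uint8_t *data;` is left uninitialized while the vendor_publish_call hunk in the same patch writes `uint8_t *data = NULL;`; the three should match, and initializing all of them to NULL is the safer choice given that `data` is now a raw pointer rather than a local copy. Because the pointer aliases the D-Bus message payload instead of the former stack array, mesh_model_send() and mesh_model_publish() must consume the bytes before this method returns; if either one queues the pointer rather than copying, the buffer dangles when msg is released, which is worth stating next to the declaration, e.g. `/* points into msg body; callees must copy before return */`. The new `len > MESH_MAX_ACCESS_PAYLOAD` bound is the right check for a pointer that no longer has the array's fixed size. The bodies of all three functions continue outside their hunks.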
@@ -1634,7 +1634,7 @@ static struct l_dbus_message > *vendor_publish_call(struct l_dbus *dbus, > uint16_t model_id, vendor; > uint32_t vendor_mod_id; > struct node_element *ele; > - uint8_t data[MESH_MAX_ACCESS_PAYLOAD]; > + uint8_t *data = NULL; > uint32_t len; > struct l_dbus_message *reply; > int result; > @@ -1657,10 +1657,10 @@ static struct l_dbus_message > *vendor_publish_call(struct l_dbus *dbus, > > src = node_get_primary(node) + ele->idx; > > - l_dbus_message_iter_get_fixed_array(&iter_data, data, &len); > - if (!len) > + if (!l_dbus_message_iter_get_fixed_array(&iter_data, &data, &len) > || > + !len || len > > MESH_MAX_ACCESS_PAYLOAD) > return dbus_error(msg, MESH_ERROR_INVALID_ARGS, > - "Mesh message is empty"); > + "Incorrect data"); > > vendor_mod_id = (vendor << 16) | model_id; > result = mesh_model_publish(node, vendor_mod_id, src, @@ - > 1686,7 +1686,7 @@ static void setup_node_interface(struct l_dbus_interface > *iface) > "", "oqqay", "element_path", > "vendor", "model_id", > "data"); > > - /*TODO: Properties */ > + /* TODO: Properties */ > } > > bool node_dbus_init(struct l_dbus *bus) > -- > 2.17.2