Fixed buffer overflow in event package assembly in bnep_emit_incoming_connection()

ole.reinhardt@googlemail.com 2014-11-19 01:01:22 +00:00
parent 0f62875543
commit 17d9831b7e
2 changed files with 9 additions and 10 deletions


@ -330,13 +330,12 @@ static void packet_handler (void * connection, uint8_t packet_type, uint16_t cha
break;
case BNEP_EVENT_INCOMING_CONNECTION:
// data: event(8), len(8), status (8), bnep source uuid (16), bnep destination uuid (16), remote_address (48)
uuid_source = READ_BT_16(packet, 3);
uuid_dest = READ_BT_16(packet, 5);
mtu = READ_BT_16(packet, 7);
// data: event(8), len(8), bnep source uuid (16), bnep destination uuid (16), remote_address (48)
uuid_source = READ_BT_16(packet, 2);
uuid_dest = READ_BT_16(packet, 4);
mtu = READ_BT_16(packet, 6);
bnep_cid = channel;
//bt_flip_addr(event_addr, &packet[9]);
memcpy(&event_addr, &packet[9], sizeof(bd_addr_t));
memcpy(&event_addr, &packet[8], sizeof(bd_addr_t));
printf("BNEP connection from %s source UUID 0x%04x dest UUID: 0x%04x, max frame size: %u\n", bd_addr_to_str(event_addr), uuid_source, uuid_dest, mtu);
/* Create the tap interface */
tap_fd = tap_alloc(tap_dev_name, *hci_local_bd_addr());
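Review bot: The layout comment on the new side of this hunk omits the max frame size field that the code reads at offset 6, so the comment no longer matches the three READ_BT_16 calls and the memcpy below it; it should read `// data: event(8), len(8), bnep source uuid (16), bnep destination uuid (16), max frame size (16), remote_address (48)`. The handler also reads through packet[13] without first comparing the received length against that layout, so a short or malformed event is read past its end; a guard before the first read such as `if (packet_len < 2 + 3 * sizeof(uint16_t) + sizeof(bd_addr_t)) break;`, where `packet_len` stands for the handler's length parameter (its name is cut off in the hunk header), would bound the reads. packet_handler starts and ends outside the hunk.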


@ -105,10 +105,10 @@ static void bnep_emit_incoming_connection(bnep_channel_t *channel)
uint8_t event[2 + sizeof(bd_addr_t) + 3 * sizeof(uint16_t)];
event[0] = BNEP_EVENT_INCOMING_CONNECTION;
event[1] = sizeof(event) - 2;
bt_store_16(event, 3, channel->uuid_source);
bt_store_16(event, 5, channel->uuid_dest);
bt_store_16(event, 7, channel->max_frame_size);
BD_ADDR_COPY(&event[9], channel->remote_addr);
bt_store_16(event, 2, channel->uuid_source);
bt_store_16(event, 4, channel->uuid_dest);
bt_store_16(event, 6, channel->max_frame_size);
BD_ADDR_COPY(&event[8], channel->remote_addr);
hci_dump_packet( HCI_EVENT_PACKET, 0, event, sizeof(event));
(*app_packet_handler)(channel->connection, HCI_EVENT_PACKET, channel->l2cap_cid, (uint8_t *) event, sizeof(event));
}
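Review bot: The event layout in bnep_emit_incoming_connection is expressed only through the bare offsets 2, 4, 6 and 8, while the buffer size on the declaration line is computed independently as `2 + sizeof(bd_addr_t) + 3 * sizeof(uint16_t)`; that is exactly how the off-by-one this commit fixes (the old offset-9 copy ran one byte past the 14-byte array, bd_addr_t being the 48-bit address) slipped in. A layout comment above the stores, `// event(8), len(8), source uuid(16), dest uuid(16), max frame size(16), remote_addr(48)`, would document the contract that the consumer in the other changed file decodes with its own hard-coded offsets. If the toolchain accepts C11, `_Static_assert(8 + sizeof(bd_addr_t) == sizeof(event), "BNEP incoming connection event layout");` after the array declaration would turn a future mismatch between the offsets and the buffer size into a compile error; otherwise the comment alone.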