bluez5: bap: Fix parsing of broadcast code

This fixes the endianness of the parsed broadcast code. It also
fixes a potential out-of-bounds write by using a bigger, temporary
bcode string, then, after checking its length, copying its content
to big_entry->broadcast_code.
Vlad Pruteanu 2024-06-17 09:56:58 +03:00 committed by Wim Taymans
parent 1b7cf61632
commit 4c1271805e


@ -6140,6 +6140,7 @@ static void parse_broadcast_source_config(struct spa_bt_monitor *monitor, const
char key[256];
char bis_key[256];
char qos_key[256];
char bcode[BROADCAST_CODE_LEN + 3];
int cursor;
int big_id = 0;
struct spa_json it[4], it_array[4];
@ -6171,22 +6172,10 @@ static void parse_broadcast_source_config(struct spa_bt_monitor *monitor, const
/* Iterate on all BIG values */
while (spa_json_get_string(&it[1], key, sizeof(key)) > 0) {
if (spa_streq(key, "broadcast_code")) {
/* Len is BROADCAST_CODE_LEN plus 2 (for the quotes, as they count towards the string length
* even if they don't appear in the final big_entry->broadcast_code string) plus 1 for the
* null string terminator.
*/
if (spa_json_get_string(&it[1], big_entry->broadcast_code,BROADCAST_CODE_LEN + 2 + 1) <= 0)
if (spa_json_get_string(&it[1], bcode, sizeof(bcode)) <= 0)
goto parse_failed;
/* BLUETOOTH CORE SPECIFICATION Version 5.4 | Vol 3, Part C
* 3.2.6.3 Representation
*
* The transformation from string to number shall be by
* representing the string in UTF-8, placing the resulting bytes in 8-bit fields of the
* value starting at the least significant bit, and then padding with zeros in the
* most significant bits if necessary.
*/
for (int i = 0; i <= BROADCAST_CODE_LEN/2 - 1; i++)
SPA_SWAP(big_entry->broadcast_code[i], big_entry->broadcast_code[BROADCAST_CODE_LEN - 1 -i]);
if (strlen(bcode) <= 16)
memcpy(big_entry->broadcast_code, bcode, strlen(bcode));
spa_log_debug(monitor->log, "big_entry->broadcast_code %s", big_entry->broadcast_code);
} else if (spa_streq(key, "encryption")) {
if (spa_json_get_bool(&it[1], &big_entry->encryption) <= 0)
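Review bot: The new `if (strlen(bcode) <= 16)` check silently drops an over-long broadcast code and keeps parsing instead of rejecting the entry, and it hard-codes 16 where the buffer declared in the first hunk is sized with BROADCAST_CODE_LEN; `if (strlen(bcode) > BROADCAST_CODE_LEN) goto parse_failed;` keeps the two in step and makes the failure visible like the other parse errors in this loop. The memcpy on the next line copies only strlen(bcode) bytes, so if big_entry->broadcast_code is a BROADCAST_CODE_LEN-byte array (which the removed `+ 2 + 1` write suggests) a shorter code leaves the tail bytes as they were rather than the zero padding the removed spec comment required, and a full-length code leaves no terminator for the `%s` in the spa_log_debug call that follows, which then reads past the field; zeroing the destination first, `memset(big_entry->broadcast_code, 0, BROADCAST_CODE_LEN);`, fixes the padding, and the debug line is safer logging `strlen(bcode)` than the code itself, since the broadcast code is the key material for the encrypted BIG. parse_broadcast_source_config continues past the end of the hunk.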