Parent: 0831bd39a0bde1492f2174153b60b582c4f3100e
Author: Pauli Virtanen <pav@iki.fi>
Committer: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: 2025-05-05 19:41:38
Tree: 689c581c105a7c833d5cd770a9b3424b3c5d588c
shared/vcp: use iov_pull in input parsing

Check input is right size by using iov_pull* when parsing.

Also replace custom iov_pull_mem by equivalent util_iov_pull_mem, and add iov_pull_string.

Fixes handling of zero-length string-valued descriptors, !value is not error.

Fixes crashes like:

ERROR: AddressSanitizer: stack-buffer-overflow
WRITE of size 3 at 0x7b878bb77161 thread T0
    #0 0x7f878eee4821 in memcpy
    #1 0x0000009544d4 in read_aics_aud_ip_type src/shared/vcp.c:2713
    #2 0x000000950cec in vcp_pending_complete src/shared/vcp.c:2394
    #3 0x00000088b2ce in read_cb src/shared/gatt-client.c:2717

Diffstat
M  src/shared/vcp.c | 238
1 files changed, 128 insertions(+), 110 deletions(-)
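
A sketch of the pull-style parsing pattern the commit message describes, added here as an illustration and not taken from src/shared/vcp.c. The names pull_mem, parse_type and parse_description are hypothetical, and the input bytes are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <sys/uio.h>

/* Hypothetical helper (not BlueZ's util_iov_pull_mem): consume len bytes
 * from the front of iov, or return NULL when fewer than len remain. */
static const void *pull_mem(struct iovec *iov, size_t len)
{
	const void *p = iov->iov_base;

	if (iov->iov_len < len)
		return NULL;
	iov->iov_base = (char *)iov->iov_base + len;
	iov->iov_len -= len;
	return p;
}

/* Fixed-size field: read exactly sizeof(*out) bytes, however many the
 * peer sent. A short value fails; extra bytes are never copied. */
int parse_type(const void *value, size_t length, unsigned char *out)
{
	struct iovec iov = { .iov_base = (void *)value, .iov_len = length };
	const unsigned char *p = pull_mem(&iov, sizeof(*out));

	if (!p)
		return -1;
	*out = *p;
	return 0;
}

/* String field: zero length gives "" and is not an error; a value that
 * would not fit in dst with its terminator is rejected. */
int parse_description(const void *value, size_t length, char *dst, size_t dst_size)
{
	struct iovec iov = { .iov_base = (void *)value, .iov_len = length };

	if (dst_size == 0 || iov.iov_len >= dst_size)
		return -1;
	if (length)
		memcpy(dst, pull_mem(&iov, length), length);
	dst[length] = '\0';
	return 0;
}

int main(void)
{
	unsigned char type = 0; /* constructed 3-byte value for a 1-byte field */
	printf("%d\n", parse_type("\x02\xaa\xbb", 3, &type));
	return 0;
}
```

The point of the pattern is that the copy length comes from the destination's size, with the peer-supplied length used only as an upper bound to check against.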