From a3671b9d0e7b9df21a1539d3e952b099900b8d10 Mon Sep 17 00:00:00 2001
From: Ido Yariv
Date: Mon, 28 May 2012 21:33:05 +0300
Subject: [PATCH] attrib-server: Allow zero length attribute update

attrib_db_update always fails when g_try_realloc returns NULL, not taking into account that the length passed to g_try_realloc could be zero. In this case, g_try_realloc frees the currently allocated memory and returns NULL. As a result, not only will attrib_db_update fail needlessly, a use-after-free could occur as the attribute's length will still hold the length of the freed buffer. Fix this by only returning an error if the length is non-zero.
---
 src/attrib-server.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/attrib-server.c b/src/attrib-server.c
index 3291e2dfc..dd1bba4b6 100644
--- a/src/attrib-server.c
+++ b/src/attrib-server.c
@@ -1456,7 +1456,7 @@ int attrib_db_update(struct btd_adapter *adapter, uint16_t handle,
 a = dl->data;
 a->data = g_try_realloc(a->data, len);
-if (a->data == NULL)
+if (len && a->data == NULL)
 return -ENOMEM;
 a->len = len;
--
2.47.3
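Review bot: The new condition still stores g_try_realloc's result straight into `a->data`, so on the len != 0 failure path the old buffer is leaked and the attribute is left with `a->data == NULL` while `a->len` still holds the previous length — the same stale-length inconsistency the commit message is fixing for the zero-length case, now on the -ENOMEM return. Keep the old pointer until the allocation is known to have succeeded: `gpointer tmp = g_try_realloc(a->data, len); if (len && tmp == NULL) return -ENOMEM; a->data = tmp;` followed by the existing `a->len = len;`. The zero-length case keeps working because g_try_realloc with size 0 frees the old buffer and returns NULL, which is then assigned to `a->data` together with `a->len = 0`. A short comment on the check, e.g. `/* g_try_realloc(ptr, 0) frees ptr and returns NULL; that is success here */`, would stop the next reader from "simplifying" the `len &&` away. attrib_db_update begins before this hunk and presumably continues after `a->len = len;` (the new value is copied somewhere), so the callers of the stale `a->len` on the failure path are outside what is shown.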