From ad089d29945ffd0ffb2d8075c25f76ac7c267eba Mon Sep 17 00:00:00 2001
From: Philipp Meyer
Date: Tue, 7 Nov 2023 11:35:07 +0100
Subject: [PATCH] adapter: fix heap corruption during discovery filter parsing

Must parse as dbus_bool_t, as booleans MUST be 4 bytes for dbus. stdbool from the filter only has 1 byte in many cases. This will crash dbus if parsing filter->duplicate directly in dbus_message_iter_get_basic.
---
 src/adapter.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/adapter.c b/src/adapter.c
index 6c539a81e..2c3cf7600 100644
--- a/src/adapter.c
+++ b/src/adapter.c
@@ -2646,10 +2646,13 @@ static bool parse_transport(DBusMessageIter *value,
 static bool parse_duplicate_data(DBusMessageIter *value,
					struct discovery_filter *filter)
 {
+	dbus_bool_t duplicate = false;
+
 	if (dbus_message_iter_get_arg_type(value) != DBUS_TYPE_BOOLEAN)
 		return false;
 
-	dbus_message_iter_get_basic(value, &filter->duplicate);
+	dbus_message_iter_get_basic(value, &duplicate);
+	filter->duplicate = duplicate;
 	return true;
 }
 
@@ -2657,10 +2660,13 @@ static bool parse_duplicate_data(DBusMessageIter *value,
 static bool parse_discoverable(DBusMessageIter *value,
					struct discovery_filter *filter)
 {
+	dbus_bool_t discoverable = false;
+
 	if (dbus_message_iter_get_arg_type(value) != DBUS_TYPE_BOOLEAN)
 		return false;
 
-	dbus_message_iter_get_basic(value, &filter->discoverable);
+	dbus_message_iter_get_basic(value, &discoverable);
+	filter->discoverable = discoverable;
 	return true;
 }
 
-- 
2.47.3
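Review bot: The temporary `duplicate` in parse_duplicate_data exists only because dbus_message_iter_get_basic() stores a full 4-byte dbus_bool_t while filter->duplicate is a 1-byte bool, but nothing in the code records that, so a later "simplification" back to the original one-liner would silently reintroduce the out-of-bounds write into the heap-allocated filter. Add a comment above the declaration, `/* dbus_message_iter_get_basic() writes a 4-byte dbus_bool_t; reading straight into the 1-byte bool field overruns it, so go through a temporary. */`, and the same comment in parse_discoverable in the second hunk. Initialising the temporary with the stdbool `false` rather than D-Bus's `FALSE` mixes the two boolean types the commit is deliberately separating; `dbus_bool_t duplicate = FALSE;` reads more clearly (the initialiser is only defensive, since the type check returns before the value is read on the failure path). Any other DBUS_TYPE_BOOLEAN reads into `bool` struct fields elsewhere in this file would carry the same defect and are worth auditing, though none is visible in this patch.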