From f96f3b34db40228feb2efb9cc81df92853d0111e Mon Sep 17 00:00:00 2001 From: Luiz Augusto von Dentz Date: Mon, 28 Apr 2025 15:49:10 -0400 Subject: [PATCH] shared/bap: Too few arguments to formatting function Each call to the printf function, or a related function, should include the number of arguments defined by the format. Passing the function more arguments than required is harmless (although it may be indicative of other defects). However, passing the function fewer arguments than are defined by the format can be a security vulnerability since the function will process the next item on the stack as the missing arguments. Fixes: https://github.com/bluez/bluez/issues/1221 Fixes: https://github.com/bluez/bluez/issues/1222 --- src/shared/bap.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/shared/bap.c b/src/shared/bap.c index 4c5b38b1e..2a08f3eea 100644 --- a/src/shared/bap.c +++ b/src/shared/bap.c @@ -1630,7 +1630,8 @@ static bool bap_send(struct bt_bap *bap, struct bt_bap_req *req) DBG(bap, "req %p len %u", req, iov.iov_len); if (req->stream && !queue_find(bap->streams, NULL, req->stream)) { - DBG(bap, "stream %p detached, aborting op 0x%02x", req->op); + DBG(bap, "stream %p detached, aborting op 0x%02x", req->stream, + req->op); return false; } @@ -3138,7 +3139,7 @@ static uint8_t ascs_qos(struct bt_ascs *ascs, struct bt_bap *bap, ep = bap_get_local_endpoint_id(bap, req->ase); if (!ep) { - DBG(bap, "%s: Invalid ASE ID 0x%02x", req->ase); + DBG(bap, "Invalid ASE ID 0x%02x", req->ase); ascs_ase_rsp_add(rsp, req->ase, BT_ASCS_RSP_INVALID_ASE, BT_ASCS_REASON_NONE); return 0; -- 2.47.3