From 2c0988ab4c19a04b1bd4044228559e5402d0c164 Mon Sep 17 00:00:00 2001
From: Wim Taymans
Date: Tue, 3 Feb 2026 10:16:22 +0100
Subject: [PATCH] bluez-dbus: fix adapter memcpy length

sizeof(adapter) is larger than the big_entry->adapter and so the code would copy too much. Instead only copy the strlen of the parsed adapter, which we checked above to be smaller than the available size. This doesn't copy the 0 byte because the memory is assumed to be 0 filled already by the calloc. If the address is exactly the HCI_DEV_NAME_LEN, it will result in a non-0 terminated string, which may or may not be a problem...
---
 spa/plugins/bluez5/bluez5-dbus.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/spa/plugins/bluez5/bluez5-dbus.c b/spa/plugins/bluez5/bluez5-dbus.c
index 0bb5a1a88..a17eedc84 100644
--- a/spa/plugins/bluez5/bluez5-dbus.c
+++ b/spa/plugins/bluez5/bluez5-dbus.c
@@ -7044,7 +7044,7 @@ static void parse_broadcast_source_config(struct spa_bt_monitor *monitor, const
 goto parse_failed;
 if (strlen(adapter) > HCI_DEV_NAME_LEN)
 goto parse_failed;
- memcpy(big_entry->adapter, adapter, sizeof(adapter));
+ memcpy(big_entry->adapter, adapter, strlen(adapter));
 spa_log_debug(monitor->log, "big_entry->adapter %s", big_entry->adapter);
 } else if (spa_streq(key, "encryption")) {
 if (spa_json_get_bool(&it[0], &big_entry->encryption) <= 0)
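Review bot: The `strlen(adapter) > HCI_DEV_NAME_LEN` guard just above the new memcpy still accepts a name of exactly HCI_DEV_NAME_LEN bytes, and the copy then leaves `big_entry->adapter` without a terminator (assuming the field is HCI_DEV_NAME_LEN bytes, as the commit message implies). The `spa_log_debug(... "%s" ...)` on the very next line would then read past the end of the field, as could any later string use of it. Since the value is parsed from a broadcast source config, I would reject the boundary case and copy the terminator explicitly instead of relying on calloc zero-fill: `if (strlen(adapter) >= sizeof(big_entry->adapter)) goto parse_failed;` followed by `memcpy(big_entry->adapter, adapter, strlen(adapter) + 1);`. This presumes `big_entry->adapter` is an array member and not a pointer; its declaration, like the rest of parse_broadcast_source_config, is outside the hunk.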