From 4c1271805e62098d87e523dca33563b8a00ba01b Mon Sep 17 00:00:00 2001
From: Vlad Pruteanu
Date: Mon, 17 Jun 2024 09:56:58 +0300
Subject: [PATCH] bluez5: bap: Fix parsing of broadcast code

This fixes the endianness of the parsed broadcast code. It also fixes pontetial out-of-bouns write by using a bigger, temporary bcode string, then, after checking it's length, copying it's content to big_entry->broadcast_code.
---
 spa/plugins/bluez5/bluez5-dbus.c | 19 ++++---------------
 1 file changed, 4 insertions(+), 15 deletions(-)

diff --git a/spa/plugins/bluez5/bluez5-dbus.c b/spa/plugins/bluez5/bluez5-dbus.c
index fe288219f..10ef181a8 100644
--- a/spa/plugins/bluez5/bluez5-dbus.c
+++ b/spa/plugins/bluez5/bluez5-dbus.c
@@ -6140,6 +6140,7 @@ static void parse_broadcast_source_config(struct spa_bt_monitor *monitor, const
 char key[256];
 char bis_key[256];
 char qos_key[256];
+ char bcode[BROADCAST_CODE_LEN + 3];
 int cursor;
 int big_id = 0;
 struct spa_json it[4], it_array[4];
@@ -6171,22 +6172,10 @@ static void parse_broadcast_source_config(struct spa_bt_monitor *monitor, const
 /* Iterate on all BIG values */
 while (spa_json_get_string(&it[1], key, sizeof(key)) > 0) {
 if (spa_streq(key, "broadcast_code")) {
- /* Len is BROADCAST_CODE_LEN plus 2 (for the quotes, as they count towards the string length
- * even if they don't appear in the final big_entry->broadcast_code string) plus 1 for the
- * null string terminator.
- */
- if (spa_json_get_string(&it[1], big_entry->broadcast_code,BROADCAST_CODE_LEN + 2 + 1) <= 0)
+ if (spa_json_get_string(&it[1], bcode, sizeof(bcode)) <= 0)
 goto parse_failed;
- /* BLUETOOTH CORE SPECIFICATION Version 5.4 | Vol 3, Part C
- * 3.2.6.3 Representation
- *
- * The transformation from string to number shall be by
- * representing the string in UTF-8, placing the resulting bytes in 8-bit fields of the
- * value starting at the least significant bit, and then padding with zeros in the
- * most significant bits if necessary.
- */
- for (int i = 0; i <= BROADCAST_CODE_LEN/2 - 1; i++)
- SPA_SWAP(big_entry->broadcast_code[i], big_entry->broadcast_code[BROADCAST_CODE_LEN - 1 -i]);
+ if (strlen(bcode) <= 16)
+ memcpy(big_entry->broadcast_code, bcode, strlen(bcode));
 spa_log_debug(monitor->log, "big_entry->broadcast_code %s", big_entry->broadcast_code);
 } else if (spa_streq(key, "encryption")) {
 if (spa_json_get_bool(&it[1], &big_entry->encryption) <= 0)
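Review bot: The length check `if (strlen(bcode) <= 16)` hard-codes the limit that the new `bcode` declaration in the first hunk expresses as BROADCAST_CODE_LEN; write it as `if (strlen(bcode) <= BROADCAST_CODE_LEN)` so the buffer size and the bound cannot drift apart. An over-long code then silently leaves big_entry->broadcast_code untouched and falls through to the debug print instead of taking `goto parse_failed` like every other malformed value in this loop; if that is intentional it deserves a comment, otherwise invert the condition and jump to parse_failed. The memcpy copies only strlen(bcode) bytes, so a code shorter than BROADCAST_CODE_LEN leaves the tail of broadcast_code holding whatever was there before, while the spec text quoted in the removed comment requires zero padding — clear the array before copying unless big_entry is known to be zeroed by the caller. If broadcast_code is exactly BROADCAST_CODE_LEN bytes, as the commit message's out-of-bounds claim implies, the `%s` in spa_log_debug reads past the array for a full-length code, so log the NUL-terminated `bcode` instead. parse_broadcast_source_config starts before and continues past this hunk.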