security: fix missing null termination in Bluetooth broadcast code

Memory Safety: Medium

The broadcast_code field is a 16-byte array that can be filled with
exactly 16 bytes of data via memcpy without null termination when the
input string length equals BROADCAST_CODE_LEN. The field is then
logged with %s format, which reads past the buffer boundary into
adjacent struct fields, potentially disclosing sensitive data.

Fix by changing the boundary check from > to >= to ensure room for
the null terminator, and copy the terminator along with the data.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Wim Taymans 2026-04-24 16:13:18 +02:00
parent ed2c0ad4ee
commit 4f9e59b87d


@ -7117,9 +7117,9 @@ static void parse_broadcast_source_config(struct spa_bt_monitor *monitor, const
if (spa_streq(key, "broadcast_code")) {
if (spa_json_get_string(&it[0], bcode, sizeof(bcode)) <= 0)
goto parse_failed;
if (strlen(bcode) > BROADCAST_CODE_LEN)
if (strlen(bcode) >= BROADCAST_CODE_LEN)
goto parse_failed;
memcpy(big_entry->broadcast_code, bcode, strlen(bcode));
memcpy(big_entry->broadcast_code, bcode, strlen(bcode) + 1);
spa_log_debug(monitor->log, "big_entry->broadcast_code %s", big_entry->broadcast_code);
} else if (spa_streq(key, "adapter")) {
if (spa_json_get_string(&it[0], big_entry->adapter, sizeof(big_entry->adapter)) <= 0)
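Review bot: The new check `strlen(bcode) >= BROADCAST_CODE_LEN` rejects a code of exactly BROADCAST_CODE_LEN characters, which the old `>` check accepted, so a configuration that worked before this change now ends in `parse_failed`; if that length is a legitimate maximum for a broadcast code, the safer fix is to widen `broadcast_code` by one byte for the terminator, or to log it with a bounded `%.*s`, rather than tightening the accepted input. Also, `strlen(bcode)` is evaluated twice in the check and the `memcpy`; compute it once into a local before the check. Since the commit message describes the value as sensitive, it is also worth asking whether `spa_log_debug` should print the code at all.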
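As an added illustration of the defect and the fix described in the commit message (constructed example, not PipeWire's code; the struct layout and the helper names are assumptions), the pre-fix copy beside the fixed one, with a bounded check that reports whether the field was left without a terminator:

```c
#include <stdbool.h>
#include <string.h>

/* Constructed stand-in for the struct the commit describes: a fixed 16-byte
 * code field with another field right behind it (not PipeWire's definition). */
#define BROADCAST_CODE_LEN 16
struct big_entry {
    char broadcast_code[BROADCAST_CODE_LEN];
    char adapter[32];
};
/* Pre-fix logic: a 16-char code passes the check and is copied with no NUL. */
static bool set_code_unsafe(struct big_entry *e, const char *bcode)
{
    if (strlen(bcode) > BROADCAST_CODE_LEN)
        return false;
    memcpy(e->broadcast_code, bcode, strlen(bcode));
    return true;
}
/* Fixed logic: reject >= LEN so the terminator fits, then copy it too. */
static bool set_code_fixed(struct big_entry *e, const char *bcode)
{
    size_t len = strlen(bcode);
    if (len >= BROADCAST_CODE_LEN)
        return false;
    memcpy(e->broadcast_code, bcode, len + 1);
    return true;
}
/* True if a NUL lies inside the field, so a %s read cannot spill into
 * adapter; memchr is bounded, so this check itself never overreads. */
static bool code_is_terminated(const struct big_entry *e)
{
    return memchr(e->broadcast_code, '\0', BROADCAST_CODE_LEN) != NULL;
}
/* Poison the whole struct with non-NUL bytes, apply the pre-fix copy with a
 * 16-char code, and return true when the field is left unterminated. */
static bool unsafe_copy_leaves_unterminated(void)
{
    struct big_entry e;
    memset(&e, 'A', sizeof e);
    return set_code_unsafe(&e, "0123456789abcdef") && !code_is_terminated(&e);
}
/* Fixed path: 16 chars are rejected, 15 chars are stored with the terminator. */
static bool fixed_copy_is_safe(void)
{
    struct big_entry e;
    memset(&e, 'A', sizeof e);
    if (set_code_fixed(&e, "0123456789abcdef"))
        return false;
    return set_code_fixed(&e, "0123456789abcde") && code_is_terminated(&e)
        && strcmp(e.broadcast_code, "0123456789abcde") == 0;
}
```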