tech-net archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: state of netbt
Hi
While that may be strictly true, at this level we are parsing data provided by the local hardware itself and it should be noted that this can not be controlled by a malicious actor but only by the manufacturer of a device plugged into the machine AND enabled by the admin.
All the higher level parsing of data which could be constructed by a third party computer (l2cap and rfcomm protocols) does check it more thoroughly, as far as I know
If you think it is really necessary to parse this locally produced data in a more complete way, I can look at it later (I'm away sailing now)
Iain
On 4 August 2018 07:53:50 BST, Maxime Villard <max%m00nbsd.net@localhost> wrote:
>Le 03/08/2018 à 20:37, Iain Hibbert a écrit :
>> Hi
>>
>> Can you explain the horror you are experiencing?
>
>Not "experiencing" strictly speaking (I don't use bluetooth devices),
>but
>a few months ago I scroll-read through the code and found problems.
>
>Eg in hci_event_num_compl_pkts(), the three first lines of the loop:
>
>386 while (ep.num_con_handles--) {
>387 m_copydata(m, 0, sizeof(handle), &handle);
>388 m_adj(m, sizeof(handle));
>
>Here there is no length check, the kernel can crash in m_copydata.
--
On my phone
Home |
Main Index |
Thread Index |
Old Index