diff options
author | Alex Blasche <alexander.blasche@qt.io> | 2017-06-12 13:23:24 +0200 |
---|---|---|
committer | Alex Blasche <alexander.blasche@qt.io> | 2017-06-12 12:08:41 +0000 |
commit | 3796886c20574d23f690d76358139baa386436ab (patch) | |
tree | 0409db6355adcb234972c2092e34bd151b8524d8 | |
parent | e5ed5619e6a5ca79474bf922743b6f56bd8058ab (diff) |
Fix memory overrun due to wrong header size definition being used
At the same time we remove the redudant and temporary packet variable.
This was highlighted by a compiler warning:
In function void* memcpy(void*, const void*, size_t),
inlined from void qToUnaligned(T, void*) [with T = short unsigned int] at /home/ablasche/dev/qt/qt59/qtbase/include/QtCore/../../src/corelib/global/qendian.h:82:5,
inlined from void qToLittleEndian(T, void*) [with T = short unsigned int] at /home/ablasche/dev/qt/qt59/qtbase/include/QtCore/../../src/corelib/global/qendian.h:227:3,
inlined from void putBtData(T, void*) [with T = short unsigned int] at bluez/bluez_data_p.h:196:5,
inlined from void QLowEnergyControllerPrivate::readServiceValuesByOffset(uint, quint16, bool) at qlowenergycontroller_bluez.cpp:1692:34:
/usr/include/x86_64-linux-gnu/bits/string3.h:53:71: warning: call to void* __builtin___memcpy_chk(void*, const void*, long unsigned int, long unsigned int) will always overflow destination buffer
return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest));
Change-Id: I5b8d7781b78ea3e07e30b9b830a4d8885bb8c989
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
-rw-r--r-- | src/bluetooth/qlowenergycontroller_bluez.cpp | 11 |
1 files changed, 4 insertions, 7 deletions
diff --git a/src/bluetooth/qlowenergycontroller_bluez.cpp b/src/bluetooth/qlowenergycontroller_bluez.cpp index 1649fe8c..9dadab91 100644 --- a/src/bluetooth/qlowenergycontroller_bluez.cpp +++ b/src/bluetooth/qlowenergycontroller_bluez.cpp @@ -1665,9 +1665,9 @@ void QLowEnergyControllerPrivate::readServiceValuesByOffset( { const QLowEnergyHandle charHandle = (handleData & 0xffff); const QLowEnergyHandle descriptorHandle = ((handleData >> 16) & 0xffff); - quint8 packet[READ_REQUEST_HEADER_SIZE]; - packet[0] = ATT_OP_READ_BLOB_REQUEST; + QByteArray data(READ_BLOB_REQUEST_HEADER_SIZE, Qt::Uninitialized); + data[0] = ATT_OP_READ_BLOB_REQUEST; QLowEnergyHandle handleToRead = charHandle; if (descriptorHandle) { @@ -1688,11 +1688,8 @@ void QLowEnergyControllerPrivate::readServiceValuesByOffset( } } - putBtData(handleToRead, &packet[1]); - putBtData(offset, &packet[3]); - - QByteArray data(READ_BLOB_REQUEST_HEADER_SIZE, Qt::Uninitialized); - memcpy(data.data(), packet, READ_BLOB_REQUEST_HEADER_SIZE); + putBtData(handleToRead, data.data() + 1); + putBtData(offset, data.data() + 3); Request request; request.payload = data; |