From 3796886c20574d23f690d76358139baa386436ab Mon Sep 17 00:00:00 2001
From: Alex Blasche
Date: Mon, 12 Jun 2017 13:23:24 +0200
Subject: Fix memory overrun due to wrong header size definition being used

At the same time we remove the redudant and temporary packet variable. This was highlighted by a compiler warning: In function void* memcpy(void*, const void*, size_t), inlined from void qToUnaligned(T, void*) [with T = short unsigned int] at /home/ablasche/dev/qt/qt59/qtbase/include/QtCore/../../src/corelib/global/qendian.h:82:5, inlined from void qToLittleEndian(T, void*) [with T = short unsigned int] at /home/ablasche/dev/qt/qt59/qtbase/include/QtCore/../../src/corelib/global/qendian.h:227:3, inlined from void putBtData(T, void*) [with T = short unsigned int] at bluez/bluez_data_p.h:196:5, inlined from void QLowEnergyControllerPrivate::readServiceValuesByOffset(uint, quint16, bool) at qlowenergycontroller_bluez.cpp:1692:34: /usr/include/x86_64-linux-gnu/bits/string3.h:53:71: warning: call to void* __builtin___memcpy_chk(void*, const void*, long unsigned int, long unsigned int) will always overflow destination buffer return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest));

Change-Id: I5b8d7781b78ea3e07e30b9b830a4d8885bb8c989
Reviewed-by: Timur Pocheptsov
---
 src/bluetooth/qlowenergycontroller_bluez.cpp | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/src/bluetooth/qlowenergycontroller_bluez.cpp b/src/bluetooth/qlowenergycontroller_bluez.cpp
index 1649fe8c..9dadab91 100644
--- a/src/bluetooth/qlowenergycontroller_bluez.cpp
+++ b/src/bluetooth/qlowenergycontroller_bluez.cpp
@@ -1665,9 +1665,9 @@ void QLowEnergyControllerPrivate::readServiceValuesByOffset(
 {
     const QLowEnergyHandle charHandle = (handleData & 0xffff);
     const QLowEnergyHandle descriptorHandle = ((handleData >> 16) & 0xffff);
 
-    quint8 packet[READ_REQUEST_HEADER_SIZE];
-    packet[0] = ATT_OP_READ_BLOB_REQUEST;
+    QByteArray data(READ_BLOB_REQUEST_HEADER_SIZE, Qt::Uninitialized);
+    data[0] = ATT_OP_READ_BLOB_REQUEST;
 
     QLowEnergyHandle handleToRead = charHandle;
     if (descriptorHandle) {
@@ -1688,11 +1688,8 @@ void QLowEnergyControllerPrivate::readServiceValuesByOffset(
         }
     }
 
-    putBtData(handleToRead, &packet[1]);
-    putBtData(offset, &packet[3]);
-
-    QByteArray data(READ_BLOB_REQUEST_HEADER_SIZE, Qt::Uninitialized);
-    memcpy(data.data(), packet, READ_BLOB_REQUEST_HEADER_SIZE);
+    putBtData(handleToRead, data.data() + 1);
+    putBtData(offset, data.data() + 3);
 
     Request request;
     request.payload = data;
-- 
cgit v1.2.3
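Review bot: The new code in both hunks writes byte 0, bytes 1-2 and bytes 3-4 of a `Qt::Uninitialized` buffer sized by READ_BLOB_REQUEST_HEADER_SIZE, yet nothing ties that constant to the five bytes actually written — the same kind of drift between a size constant and the writes that produced the overrun this commit fixes. A compile-time check next to the QByteArray construction in the first hunk, `Q_STATIC_ASSERT_X(READ_BLOB_REQUEST_HEADER_SIZE == 5, "read blob request: opcode + handle + offset");`, pins the layout; asserting equality rather than `>=` also guarantees that no uninitialized trailing bytes can end up in request.payload, which is presumably transmitted as-is. If the constant is declared with a different value, the literal should follow the declaration rather than this note. The body of readServiceValuesByOffset between the two hunks is outside this view.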