ti, 2025-07-08 kello 20:12 +0300, Pauli Virtanen kirjoitti:
> Hi,
>
> ti, 2025-07-08 kello 17:43 +0200, Frédéric Danis kirjoitti:
> > Truncate the string to first character before invalid UTF-8 one
> > instead of replacing non ascii characters by spaces.
> > ---
> > src/shared/ad.c | 7 +------
> > 1 file changed, 1 insertion(+), 6 deletions(-)
> >
> > diff --git a/src/shared/ad.c b/src/shared/ad.c
> > index 3f0064dd9..6952a0dab 100644
> > --- a/src/shared/ad.c
> > +++ b/src/shared/ad.c
> > @@ -276,7 +276,6 @@ static bool ad_replace_uuid128(struct bt_ad *ad, struct iovec *iov)
> > static bool ad_replace_name(struct bt_ad *ad, struct iovec *iov)
> > {
> > char utf8_name[HCI_MAX_NAME_LENGTH + 2];
> > - int i;
> >
> > memset(utf8_name, 0, sizeof(utf8_name));
> > strncpy(utf8_name, (const char *)iov->iov_base, iov->iov_len);
> > @@ -284,11 +283,7 @@ static bool ad_replace_name(struct bt_ad *ad, struct iovec *iov)
> > if (strisutf8(utf8_name, iov->iov_len))
> > goto done;
> >
> > - /* Assume ASCII, and replace all non-ASCII with spaces */
> > - for (i = 0; utf8_name[i] != '\0'; i++) {
> > - if (!isascii(utf8_name[i]))
> > - utf8_name[i] = ' ';
> > - }
> > + strtoutf8(utf8_name, iov->iov_len);
>
> Looks like potential out-of-bounds access --- strtoutf8()
> may access iov->iov_base[iov->iov_len]
Sorry, never mind --- it's using the temporary buffer here which is
maybe large enough.
>
> Cf. for (size_t j = 1; j < size; ++j) loop in strtoutf8().
>
> Also strisutf8() has same problem here.
>
> >
> > /* Remove leading and trailing whitespace characters */
> > strstrip(utf8_name);
