Hi Pauli, On Tue, Jul 8, 2025 at 1:13 PM Pauli Virtanen <pav@xxxxxx> wrote: > > Hi, > > ti, 2025-07-08 kello 17:43 +0200, Frédéric Danis kirjoitti: > > Truncate the string to first character before invalid UTF-8 one > > instead of replacing non ascii characters by spaces. > > --- > > src/shared/ad.c | 7 +------ > > 1 file changed, 1 insertion(+), 6 deletions(-) > > > > diff --git a/src/shared/ad.c b/src/shared/ad.c > > index 3f0064dd9..6952a0dab 100644 > > --- a/src/shared/ad.c > > +++ b/src/shared/ad.c > > @@ -276,7 +276,6 @@ static bool ad_replace_uuid128(struct bt_ad *ad, struct iovec *iov) > > static bool ad_replace_name(struct bt_ad *ad, struct iovec *iov) > > { > > char utf8_name[HCI_MAX_NAME_LENGTH + 2]; > > - int i; > > > > memset(utf8_name, 0, sizeof(utf8_name)); > > strncpy(utf8_name, (const char *)iov->iov_base, iov->iov_len); > > @@ -284,11 +283,7 @@ static bool ad_replace_name(struct bt_ad *ad, struct iovec *iov) > > if (strisutf8(utf8_name, iov->iov_len)) > > goto done; > > > > - /* Assume ASCII, and replace all non-ASCII with spaces */ > > - for (i = 0; utf8_name[i] != '\0'; i++) { > > - if (!isascii(utf8_name[i])) > > - utf8_name[i] = ' '; > > - } > > + strtoutf8(utf8_name, iov->iov_len); > > Looks like potential out-of-bounds access --- strtoutf8() > may access iov->iov_base[iov->iov_len] > > Cf. for (size_t j = 1; j < size; ++j) loop in strtoutf8(). > > Also strisutf8() has same problem here. It does i < len though: while (i < len) { unsigned char c = str[i]; That said we may need to do something like: diff --git a/src/shared/util.c b/src/shared/util.c index 4780f26b6d59..9ba1bdc48f77 100644 --- a/src/shared/util.c +++ b/src/shared/util.c 
@@ -1987,7 +1987,7 @@ char *strtoutf8(char *str, size_t len) * format. */ for (size_t j = 1; j < size; ++j) { - if (i + j > len || (str[i + j] & 0xC0) != 0x80) + if (i + j >= len || (str[i + j] & 0xC0) != 0x80) /* Invalid UTF-8 sequence */ goto done; } Otherwise we may access str[len] which is past the boundaries of str. > > > > > /* Remove leading and trailing whitespace characters */ > > strstrip(utf8_name); > > -- > Pauli Virtanen > -- Luiz Augusto von Dentz
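Review bot: in the second src/shared/ad.c hunk, the length given to the new strtoutf8(utf8_name, iov->iov_len) call is the same unclamped iov->iov_len that the strncpy() above it uses, and nothing in the visible context bounds it against sizeof(utf8_name), which is HCI_MAX_NAME_LENGTH + 2. Clamp the length once before the copy and pass the clamped value to strncpy(), strisutf8() and strtoutf8(), or point to where the caller guarantees the bound. The removed comment was also the only description of the fallback, so a one-line comment saying the name is now truncated at the first invalid UTF-8 byte would be worth adding at the strtoutf8() call.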
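Review bot: the src/shared/util.c hunk corrects the comparison only in the continuation-byte loop of strtoutf8(), while ad_replace_name() calls strisutf8() with the same length first. The `while (i < len)` line quoted in the thread bounds the lead byte only, and the continuation-byte check of strisutf8() is not shown, so it should be checked for the same `i + j > len` pattern and fixed in the same patch if present. A unit test whose input ends in a multi-byte lead byte at index len - 1 would cover both functions.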
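The off-by-one discussed in this thread, shown as an added example that is not BlueZ code and not part of either message: a simplified structural validator (the names utf8_seq_len and utf8_valid_prefix and the sample string are constructed for illustration) run with both comparisons. With `>` the cut-off sequence is accepted using the byte at str[len] and the returned prefix is longer than len; with `>=` the scan stops before it.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: "ab" + U+00E9 (C3 A9). Passing len = 3 cuts the
 * two-byte sequence in half, so A9 sits at index len, outside the data. */
static const char sample[] = "ab\xC3\xA9";

/* Sequence length implied by a lead byte, 0 if it cannot start one. */
static size_t utf8_seq_len(unsigned char c)
{
	if (c < 0x80) return 1;
	if ((c & 0xE0) == 0xC0) return 2;
	if ((c & 0xF0) == 0xE0) return 3;
	if ((c & 0xF8) == 0xF0) return 4;
	return 0;
}

/* Length of the longest prefix of str[0..len) made of complete sequences.
 * Structural check only (no overlong or surrogate rejection).
 * fixed = 0 uses "i + j > len", fixed = 1 uses "i + j >= len". */
static size_t utf8_valid_prefix(const char *str, size_t len, int fixed)
{
	size_t i = 0;

	while (i < len) {
		size_t size = utf8_seq_len((unsigned char)str[i]);

		if (size == 0)
			return i;
		for (size_t j = 1; j < size; ++j) {
			int past_end = fixed ? (i + j >= len) : (i + j > len);

			if (past_end || ((unsigned char)str[i + j] & 0xC0) != 0x80)
				return i;
		}
		i += size;
	}
	return i;
}

int main(void)
{
	/* sample has 5 bytes of storage, so the '>' variant's read of
	 * sample[3] is defined here; on an exact-size buffer it is not. */
	printf("'>'  check: prefix = %zu\n", utf8_valid_prefix(sample, 3, 0));
	printf("'>=' check: prefix = %zu\n", utf8_valid_prefix(sample, 3, 1));
	return 0;
}
```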