Re: [PATCH BlueZ 1/1] Fixed heap-buffer-overflow in `compute_seq_size`.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Dear Oliver,


Am 10.08.25 um 10:20 schrieb Oliver Chang:


Thank you for the patch. For the summary, I’d use imperative mood and do
not add a dot/period at the end:

Fix heap-buffer-overflow in `compute_seq_size`


Thank you for the suggestion, I will make sure to do this for future
commit summaries. What do I need to do here in this instance to make
this change? Do I need to resend the patch with a new subject?


If you want to, you could send v2. (`git format-patch -v2`)


The last comment says:


This issue was migrated from crbug.com/oss-fuzz/51480?no_tracker_redirect=1


But that URL gives *Page Not Found*.


Apologies for that. We had a migration from a legacy issue tracking
system, and that legacy system has since been turned down.


Understood. No problem.


https://oss-fuzz.com/testcase-detail/5896441415729152


I am unable to access this without logging in.


The emails that can access this are the ones listed here:
https://github.com/google/oss-fuzz/blob/ef1c29822d62470fb6b0af7b73412d245d05f80c/projects/bluez/project.yaml#L3.
Are there any other emails we should add?
I am not a maintainer, so, as these might security sensitive, I guess it’s fine, that I am unable to access it in general. 


These emails also receive automatic email notifications whenever
OSS-Fuzz finds a new bug. Note though, to view the oss-fuzz.com
report, you'll need either a GitHub or Google account associated with
the email.

https://oss-fuzz.com/testcase-detail/5896441415729152 contains the
ASan stacktrace, which I've also included in my earlier email.
Understood, in the cover letter [1]. Thank you! I personally prefer everything to be in the commit message, so it’s self-contained. 


With your patch and the test case, what error is logged now?


There is still a memory leak detected by ASan that's unrelated to this
patch/issue, but the buffer overflow report is gone.

I don't see any other log messages, including the ones I added in the
patch. This is likely because `sdp_xml_parse_record` calls
`g_markup_parse_context_parse` with a NULL `error`, so any parsing
errors encountered are not propagated.

```
if (g_markup_parse_context_parse(ctx, data, size, NULL) == FALSE) {
```

It seems useful to enable propagating of parsing errors to
`sdp_xml_parse_record` in the future. But if preferred, I can remove
the logging I added since they're not going anywhere right now.
Thank you for analyzing this, and giving the reason. I’d keep it like this, but add a note to the commit message. 


Thank you again and kind regards,

Paul
[1]: https://lore.kernel.org/all/20250810064656.1810093-2-ochang@xxxxxxxxxx/#t
[Index of Archives]     [Bluez Devel]     [Linux Wireless Networking]     [Linux Wireless Personal Area Networking]     [Linux ATH6KL]     [Linux USB Devel]     [Linux Media Drivers]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [Big List of Linux Books]

  Powered by Linux