tech-net archive


Re: state of netbt



Hi

While that may be strictly true, at this level we are parsing data provided by the local hardware itself, and it should be noted that this cannot be controlled by a malicious actor but only by the manufacturer of a device plugged into the machine AND enabled by the admin.

All the higher-level parsing of data which could be constructed by a third-party computer (the L2CAP and RFCOMM protocols) does check it more thoroughly, as far as I know.

If you think it is really necessary to parse this locally produced data in a more complete way, I can look at it later (I'm away sailing now).

Iain

On 4 August 2018 07:53:50 BST, Maxime Villard <max%m00nbsd.net@localhost> wrote:
>Le 03/08/2018 à 20:37, Iain Hibbert a écrit :
>> Hi
>> 
>> Can you explain the horror you are experiencing?
>
>Not "experiencing" strictly speaking (I don't use bluetooth devices),
>but
>a few months ago I scroll-read through the code and found problems.
>
>E.g., in hci_event_num_compl_pkts(), the first three lines of the loop:
>
>386 	while (ep.num_con_handles--) {
>387 		m_copydata(m, 0, sizeof(handle), &handle);
>388 		m_adj(m, sizeof(handle));
>
>Here there is no length check, the kernel can crash in m_copydata.

-- 
On my phone
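The bounds check that the quoted loop lacks, as an added example that is not part of this thread or of the NetBSD kernel code. It stands in for the mbuf with a flat buffer plus remaining length (in the kernel the equivalent test is against m->m_pkthdr.len before each m_copydata), and it assumes an event layout of a 1-byte handle count followed, per entry, by a 16-bit little-endian connection handle and a 16-bit little-endian completed-packet count; that layout and the sample events are constructed for the example, not taken from the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical stand-in for the mbuf the kernel parses: a cursor into a
 * flat buffer with an explicit remaining length, so every read can be
 * checked against what is actually left.
 */
struct evbuf {
    const uint8_t *data;
    size_t len;
};

#define EV_TRUNCATED (-1)   /* count field promises more than the payload carries */
#define EV_TOOMANY   (-2)   /* more entries than the caller can store */

/* Read a 16-bit little-endian field, refusing to run past the end. */
static int rd16le(struct evbuf *m, uint16_t *out)
{
    if (m->len < sizeof(*out))
        return EV_TRUNCATED;
    *out = (uint16_t)(m->data[0] | (m->data[1] << 8));
    m->data += sizeof(*out);
    m->len -= sizeof(*out);
    return 0;
}

/*
 * Parse a Number of Completed Packets event (assumed layout, see above).
 * Returns the number of entries parsed, EV_TRUNCATED if the payload ends
 * before the advertised count of entries does, or EV_TOOMANY if the
 * caller's arrays would overflow. Nothing is read beyond buf[len - 1].
 */
int parse_num_compl_pkts(const uint8_t *buf, size_t len,
                         uint16_t *handles, uint16_t *nums, size_t max)
{
    struct evbuf m = { buf, len };
    uint8_t count;
    size_t n = 0;

    if (m.len < sizeof(count))
        return EV_TRUNCATED;
    count = m.data[0];
    m.data += sizeof(count);
    m.len -= sizeof(count);

    while (count--) {
        if (n == max)
            return EV_TOOMANY;
        /*
         * This is the check missing from the quoted loop: the original
         * calls m_copydata() for sizeof(handle) bytes on every iteration
         * without first confirming that many bytes remain.
         */
        if (rd16le(&m, &handles[n]) < 0 || rd16le(&m, &nums[n]) < 0)
            return EV_TRUNCATED;
        n++;
    }
    return (int)n;
}

/* Constructed sample events, not captured traffic. */
static const uint8_t sample_good[] = {
    0x02,             /* two entries */
    0x01, 0x00,  0x03, 0x00,   /* handle 1, 3 packets completed */
    0x02, 0x00,  0x01, 0x00    /* handle 2, 1 packet completed */
};
static const uint8_t sample_bad[] = {
    0xff,             /* claims 255 entries ... */
    0x01, 0x00        /* ... but carries two bytes */
};

int main(void)
{
    uint16_t h[4], n[4];
    int r;

    r = parse_num_compl_pkts(sample_good, sizeof sample_good, h, n, 4);
    printf("good event: %d entries parsed\n", r);

    r = parse_num_compl_pkts(sample_bad, sizeof sample_bad, h, n, 4);
    printf("bad event: %s\n",
           r == EV_TRUNCATED ? "rejected as truncated" : "parsed");
    return 0;
}
```

Rejecting the event and returning is the conservative choice here: the count byte is trusted by the quoted loop, so a malformed event from the controller walks m_copydata off the end of the mbuf, whereas with the check the worst case is a dropped event.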

