
[bluetooth-dev] Bug in hci_inquiry()?



It seems there is a bug in hci_inquiry(). When this function is invoked, one argument is num_resp, a u8 containing the max number of inquiry responses. Then, inq_res is allocated this way:

         inq_res = (inquiry_results*) kmalloc(sizeof(inquiry_results)
                                              + 6 * num_resp, GFP_ATOMIC);

Then, num_resp is assigned to the Num_Responses field of the HCI command packet (c_pkt.data[4] = num_resp).

According to the Bluetooth specs v1.0b, page 543, the Num_Responses field can be 0: it means "unlimited number of responses". If hci_inquiry() is invoked with num_resp=0, no memory is allocated for storing the BD addresses of the devices which responded, but an unlimited number of responses can be returned. This can lead to unpleasant results. Probably, memory should be allocated for 255 BD addresses in that case (since, according to the Inquiry_Complete event at page 706, the number of responses takes one byte)?
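As an added illustration (not the kernel code quoted in the post), here is a user-space model of the allocation with the suggested fix: a Num_Responses of 0 is sized for the 255 addresses the one-byte Inquiry_Complete count can report, and each stored address is bounds-checked against that capacity. The struct layout, helper names and malloc in place of kmalloc are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative model, not the kernel's inquiry_results; layout is assumed. */
#define BD_ADDR_LEN 6
#define INQUIRY_MAX_RESPONSES 255  /* Inquiry_Complete carries a one-byte count */

typedef struct {
    uint8_t capacity;               /* responses the buffer can hold */
    uint8_t num_responses;          /* responses stored so far */
    uint8_t bd_addr[][BD_ADDR_LEN]; /* flexible array of BD addresses */
} inquiry_results;

/* Num_Responses == 0 means "unlimited" in the HCI Inquiry command, so the
 * buffer must be sized for the worst case the event can report (255). */
uint8_t inquiry_capacity(uint8_t num_resp)
{
    return num_resp == 0 ? INQUIRY_MAX_RESPONSES : num_resp;
}

inquiry_results *alloc_inquiry_results(uint8_t num_resp)
{
    uint8_t cap = inquiry_capacity(num_resp);
    inquiry_results *r = malloc(sizeof(*r) + (size_t)cap * BD_ADDR_LEN);
    if (r == NULL)
        return NULL;
    r->capacity = cap;
    r->num_responses = 0;
    return r;
}

/* Copy one Inquiry_Result address into the buffer; refuse once it is full,
 * so a controller returning more results than expected cannot write past
 * the allocation.  Returns 0 on success, -1 when the buffer is full. */
int store_inquiry_response(inquiry_results *r, const uint8_t addr[BD_ADDR_LEN])
{
    if (r->num_responses >= r->capacity)
        return -1;
    memcpy(r->bd_addr[r->num_responses], addr, BD_ADDR_LEN);
    r->num_responses++;
    return 0;
}
```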
---------------------------------------------------------
Fabrizio Gennari          tel. +39 039 203 7816
Philips Research Monza    fax. +39 039 203 7800
via G. Casati 23          fabrizio.gennari@xxxxxxx.com
20052 Monza (MI) Italy    http://www.research.philips.com