Posted to commits@mynewt.apache.org by GitBox <gi...@apache.org> on 2019/12/02 19:16:17 UTC

[GitHub] [mynewt-nimble] simonratner opened a new issue #686: Unsafe handling of 32-bit UUIDs

URL: https://github.com/apache/mynewt-nimble/issues/686
 
 
   Looking at this code, copying 32-bit UUIDs into a flat buffer is different to 16-bit UUIDs:
   https://github.com/apache/mynewt-nimble/blob/master/nimble/host/src/ble_uuid.c#L240
   
   Compare to how this function is used:
   https://github.com/apache/mynewt-nimble/blob/master/nimble/host/src/ble_gattc.c#L1600
   
   The length is set to 4 bytes, but the UUID value is not at the start of the buffer, so the ATT request will always contain `fb 34 9b 5f`.
   
   More worryingly, this is a buffer overrun when used with a 32-bit UUID, as only 4 bytes are ensured to be allocated in buf, but 16 bytes are written:
   https://github.com/apache/mynewt-nimble/blob/master/nimble/host/src/ble_uuid.c#L226

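The two behaviours described in the issue, as an added stand-alone C illustration that is not NimBLE's code and not part of the issue itself. The `struct uuid`, `uuid_length`, `uuid_to_128` and `uuid_flat` names and layout are assumptions made for the example. The Bluetooth Base UUID (00000000-0000-1000-8000-00805F9B34FB) is from the Bluetooth specification; stored little-endian, its first four bytes are `fb 34 9b 5f`, which is the constant the issue reports seeing in the ATT request. The example contrasts expanding a short UUID to its 128-bit form (always 16 bytes, value at offset 12) with flattening it to exactly `uuid_length()` bytes, and adds the bounds check that turns the overrun into a refused write.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simplified UUID model assumed for this example (not NimBLE's ble_uuid types). */
enum uuid_type { UUID_TYPE_16 = 16, UUID_TYPE_32 = 32, UUID_TYPE_128 = 128 };

struct uuid {
    enum uuid_type type;
    union {
        uint16_t u16;
        uint32_t u32;
        uint8_t  u128[16];      /* little-endian, as transmitted over the air */
    } v;
};

/* Bluetooth Base UUID 00000000-0000-1000-8000-00805F9B34FB, little-endian.
 * A 16- or 32-bit UUID replaces bytes 12..15 when expanded to 128 bits. */
static const uint8_t bt_base_uuid_le[16] = {
    0xfb, 0x34, 0x9b, 0x5f, 0x80, 0x00, 0x00, 0x80,
    0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};

/* Number of bytes this UUID occupies in an ATT PDU: 2, 4 or 16. */
size_t uuid_length(const struct uuid *u)
{
    switch (u->type) {
    case UUID_TYPE_16:  return 2;
    case UUID_TYPE_32:  return 4;
    default:            return 16;
    }
}

static void put_le16(uint8_t *dst, uint16_t v)
{
    dst[0] = (uint8_t)v;
    dst[1] = (uint8_t)(v >> 8);
}

static void put_le32(uint8_t *dst, uint32_t v)
{
    put_le16(dst, (uint16_t)v);
    put_le16(dst + 2, (uint16_t)(v >> 16));
}

/* Expand any UUID to its 128-bit form. Always writes 16 bytes, so a caller
 * that reserved only uuid_length() bytes for a 16/32-bit UUID overruns, and
 * the first bytes it sends are the base UUID (fb 34 9b 5f ...), not the value. */
void uuid_to_128(const struct uuid *u, uint8_t dst[16])
{
    switch (u->type) {
    case UUID_TYPE_16:
        memcpy(dst, bt_base_uuid_le, 16);
        put_le32(dst + 12, u->v.u16);
        break;
    case UUID_TYPE_32:
        memcpy(dst, bt_base_uuid_le, 16);
        put_le32(dst + 12, u->v.u32);
        break;
    default:
        memcpy(dst, u->v.u128, 16);
        break;
    }
}

/* Flatten a UUID into dst using exactly uuid_length() bytes, value first.
 * Returns the number of bytes written, or 0 if dst_len is too small. */
size_t uuid_flat(const struct uuid *u, uint8_t *dst, size_t dst_len)
{
    size_t len = uuid_length(u);

    if (dst_len < len) {
        return 0;               /* refuse rather than overrun the caller's buffer */
    }
    switch (u->type) {
    case UUID_TYPE_16:  put_le16(dst, u->v.u16); break;
    case UUID_TYPE_32:  put_le32(dst, u->v.u32); break;
    default:            memcpy(dst, u->v.u128, 16); break;
    }
    return len;
}

int main(void)
{
    struct uuid u = { UUID_TYPE_32, { .u32 = 0x12345678u } };   /* constructed sample */
    uint8_t wide[16], flat[4];
    size_t n;

    uuid_to_128(&u, wide);      /* needs 16 bytes; a 4-byte buffer would overrun */
    n = uuid_flat(&u, flat, sizeof flat);

    printf("128-bit expansion starts: %02x %02x %02x %02x\n",
           wide[0], wide[1], wide[2], wide[3]);
    printf("%zu-byte flat encoding:    %02x %02x %02x %02x\n",
           n, flat[0], flat[1], flat[2], flat[3]);
    return 0;
}
```

The point of the bounds check is that the caller decides the buffer size from `uuid_length()`; any encoder that can write more than that for the same UUID is a latent overrun, independent of which bytes end up on the air.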