
Commit 4c082a0c authored by George Burgess IV's avatar George Burgess IV Committed by Andre Eisenbach

Replace all uses of sprintf() with snprint()

- sprintf() does not limit the length of the character string when writing
  to a buffer and may result in buffer overflow
- snprintf() requires the maximum write length as a parameter. When the
  maximum length supported is smaller than the reserved buffer length,
  the call will not result in buffer overflow

Bug: 31859081
Test: TestTracker/64195/3975
Change-Id: I519f8ef7b9b162fd79094f89148250d783c734c0
parent b31f99b4
+4 −4
@@ -969,12 +969,12 @@ static void bta_ag_bind_response(tBTA_AG_SCB *p_scb, uint8_t arg_type)

        for (uint32_t i = 0; i < bta_ag_local_hf_ind_cfg[0].ind_id; i++)
        {
            if (bta_ag_local_hf_ind_cfg[i+1].is_supported == true)
            if (bta_ag_local_hf_ind_cfg[i+1].is_supported)
            {
                /* Add ',' from second indicator */
                if (index > 1)
                    buffer[index++] = ',';
                sprintf(&buffer[index++], "%d", bta_ag_local_hf_ind_cfg[i+1].ind_id);
                if (index > 1) buffer[index++] = ',';
                snprintf(&buffer[index++], 1, "%d",
                    bta_ag_local_hf_ind_cfg[i+1].ind_id);
            }
        }
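Review bot: The replacement call `snprintf(&buffer[index++], 1, "%d", ...)` passes a size of 1, which leaves room only for the terminating NUL, so the digits of `ind_id` are never stored and a reader treating `buffer` as a C string sees it end at that position. The bound should be the space left in the buffer, for example `int n = snprintf(&buffer[index], sizeof(buffer) - index, "%d", bta_ag_local_hf_ind_cfg[i+1].ind_id);`, followed by a check that `n` is non-negative and smaller than the remaining space before `index += n;` (this assumes `buffer` is a local array; its declaration is outside the hunk). Advancing by `n` rather than by one also stops a two-digit id from being overwritten by the next comma. The `buffer[index++] = ','` store just above has no bound at all and needs the same check. The body of bta_ag_bind_response starts and ends outside the hunk.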

+6 −5
@@ -58,9 +58,10 @@ tBTA_GATTC_CHARACTERISTIC* bta_gattc_get_characteristic_srcb(tBTA_GATTC_SERV *p
#define GATT_CACHE_PREFIX "/data/misc/bluetooth/gatt_cache_"
#define GATT_CACHE_VERSION 2

static void bta_gattc_generate_cache_file_name(char *buffer, BD_ADDR bda)
static void bta_gattc_generate_cache_file_name(char *buffer,
    size_t buffer_len, BD_ADDR bda)
{
    sprintf(buffer, "%s%02x%02x%02x%02x%02x%02x", GATT_CACHE_PREFIX,
    snprintf(buffer, buffer_len, "%s%02x%02x%02x%02x%02x%02x", GATT_CACHE_PREFIX,
            bda[0], bda[1], bda[2], bda[3], bda[4], bda[5]);
}

@@ -1522,7 +1523,7 @@ void bta_gattc_cache_save(tBTA_GATTC_SERV *p_srvc_cb, uint16_t conn_id)
bool bta_gattc_cache_load(tBTA_GATTC_CLCB *p_clcb)
{
    char fname[255] = {0};
    bta_gattc_generate_cache_file_name(fname, p_clcb->p_srcb->server_bda);
    bta_gattc_generate_cache_file_name(fname, sizeof(fname), p_clcb->p_srcb->server_bda);

    FILE *fd = fopen(fname, "rb");
    if (!fd) {
@@ -1586,7 +1587,7 @@ static void bta_gattc_cache_write(BD_ADDR server_bda, uint16_t num_attr,
                           tBTA_GATTC_NV_ATTR *attr)
{
    char fname[255] = {0};
    bta_gattc_generate_cache_file_name(fname, server_bda);
    bta_gattc_generate_cache_file_name(fname, sizeof(fname), server_bda);

    FILE *fd = fopen(fname, "wb");
    if (!fd) {
@@ -1632,7 +1633,7 @@ void bta_gattc_cache_reset(BD_ADDR server_bda)
{
    BTIF_TRACE_DEBUG("%s", __func__);
    char fname[255] = {0};
    bta_gattc_generate_cache_file_name(fname, server_bda);
    bta_gattc_generate_cache_file_name(fname, sizeof(fname), server_bda);
    unlink(fname);
}
#endif /* BTA_GATT_INCLUDED */
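Review bot: bta_gattc_generate_cache_file_name still returns void and discards the result of snprintf, so a truncated name would go on to `fopen(fname, "wb")` in bta_gattc_cache_write and `unlink(fname)` in bta_gattc_cache_reset with no sign that it is not the intended path. With the visible 32-character prefix, twelve hex digits and 255-byte buffers nothing is truncated today, so this is about keeping the helper safe if the prefix or a caller's buffer changes. Consider checking the result inside the helper, e.g. `int n = snprintf(buffer, buffer_len, ...);` followed by a check that `n > 0 && (size_t)n < buffer_len`, or at least a comment stating that `buffer_len` must be at least `sizeof(GATT_CACHE_PREFIX) + 12`. The bodies of the three callers continue outside their hunks.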
+2 −2
@@ -84,11 +84,11 @@ static void fcchan_conn_chng_cbk(uint16_t chan, BD_ADDR bd_addr, bool connected,
static void fcchan_data_cbk(uint16_t chan, BD_ADDR bd_addr, BT_HDR *p_buf);


extern void uuid_to_string_legacy(bt_uuid_t *p_uuid, char *str);
extern void uuid_to_string_legacy(bt_uuid_t *p_uuid, char *str, size_t str_len);
static inline void logu(const char* title, const uint8_t * p_uuid)
{
    char uuids[128];
    uuid_to_string_legacy((bt_uuid_t*)p_uuid, uuids);
    uuid_to_string_legacy((bt_uuid_t*)p_uuid, uuids, sizeof(uuids));
    APPL_TRACE_DEBUG("%s: %s", title, uuids);
}
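Review bot: The prototype for uuid_to_string_legacy is declared by hand with `extern` in this source file, so the compiler cannot check it against the definition; this commit had to change both in step, and a missed copy would still compile and link while passing the wrong arguments. Moving the declaration into a header that the defining file also includes would turn such a mismatch into a compile error. Separately, `(bt_uuid_t*)p_uuid` in logu drops the `const` from `p_uuid`; declaring the parameter as `const bt_uuid_t *p_uuid` would remove the need for the cast, provided the function does not write through it (its definition is not on this page).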

+2 −3
@@ -52,9 +52,8 @@ const char *bdaddr_to_string(const bt_bdaddr_t *addr, char *string, size_t size)
    return NULL;

  const uint8_t *ptr = addr->address;
  sprintf(string, "%02x:%02x:%02x:%02x:%02x:%02x",
           ptr[0], ptr[1], ptr[2],
           ptr[3], ptr[4], ptr[5]);
  snprintf(string, size, "%02x:%02x:%02x:%02x:%02x:%02x",
           ptr[0], ptr[1], ptr[2], ptr[3], ptr[4], ptr[5]);
  return string;
}

+15 −9
@@ -139,25 +139,31 @@ void uuid_to_string(const bt_uuid_t *uuid, uuid_string_t *uuid_string) {
  assert(uuid_string != NULL);

  char *string = uuid_string->string;
  char *end = string + UUID_WELL_FORMED_STRING_LEN_WITH_NULL;

  // XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX
  for (int i = 0; i < 4; i++) {
    string += sprintf(string, "%02x", uuid->uu[i]);
    string += snprintf(string, end - string, "%02x", uuid->uu[i]);
  }
  string += sprintf(string, "-");
  *string = '-';
  ++string;
  for (int i = 4; i < 6; i++) {
    string += sprintf(string, "%02x", uuid->uu[i]);
    string += snprintf(string, end - string, "%02x", uuid->uu[i]);
  }
  string += sprintf(string, "-");
  *string = '-';
  ++string;
  for (int i = 6; i < 8; i++) {
    string += sprintf(string, "%02x", uuid->uu[i]);
    string += snprintf(string, end - string, "%02x", uuid->uu[i]);
  }
  string += sprintf(string, "-");
  *string = '-';
  ++string;
  for (int i = 8; i < 10; i++) {
    string += sprintf(string, "%02x", uuid->uu[i]);
    string += snprintf(string, end - string, "%02x", uuid->uu[i]);
  }
  string += sprintf(string, "-");
  *string = '-';
  ++string;
  for (int i = 10; i < 16; i++) {
    string += sprintf(string, "%02x", uuid->uu[i]);
    string += snprintf(string, end - string, "%02x", uuid->uu[i]);
  }
}
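Review bot: The `string += snprintf(string, end - string, ...)` pattern does not keep the bound it appears to: snprintf returns the length it would have written, so after a truncation `string` moves past `end`, `end - string` goes negative and is converted to a very large `size_t` on the next call. The `*string = '-'` stores between the loops are not checked against `end` either. With a buffer of exactly UUID_WELL_FORMED_STRING_LEN_WITH_NULL bytes the output fits, so nothing overflows as written, but the bound then protects nothing if the sizes ever disagree. A single snprintf over the whole buffer states the size once and removes the pointer arithmetic, as in the excerpt below, which also corrects the last group of the format comment to twelve digits. The start of uuid_to_string is outside the hunk.

```c
  // … unchanged: argument asserts …

  // XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
  snprintf(uuid_string->string, UUID_WELL_FORMED_STRING_LEN_WITH_NULL,
           "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-"
           "%02x%02x%02x%02x%02x%02x",
           uuid->uu[0], uuid->uu[1], uuid->uu[2], uuid->uu[3],
           uuid->uu[4], uuid->uu[5], uuid->uu[6], uuid->uu[7],
           uuid->uu[8], uuid->uu[9], uuid->uu[10], uuid->uu[11],
           uuid->uu[12], uuid->uu[13], uuid->uu[14], uuid->uu[15]);
}
```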
