Bug 4789 - ipctest.c input_cb seems to pass a reference to a freed pointer to sscanf
Status: RESOLVED FIXED
Product: Connectivity
Component: Bluetooth
Version: 5.0/(3.2010.02-8)
Hardware: All All
Importance: Low minor
Target Milestone: 5.0/(10.2010.19-1)
Assigned To: unassigned
QA Contact: bluetooth-bugs
URL: http://www.google.com/codesearch/p?hl...

Reported: 2009-07-15 22:02 UTC by timeless
Modified: 2010-03-15 20:52 UTC

Description timeless (reporter) 2009-07-15 22:02:19 UTC
    IF_CMD(bdaddr) {
        if (u->address)
            free(u->address);
        if (sscanf(line, "%*s %as", &u->address) != 1)
            DBG("set with bdaddr BDADDR");
        DBG("bdaddr %s", u->address);
    }

I know this is just a test, but this code is just scary.
Comment 1 Andre Klapper maemo.org 2010-03-04 22:23:09 UTC
This does not happen anymore in bluez 4.60 which will be used in PR1.2, code is
now:
    IF_CMD(bdaddr) {
        char *address;
        if (sscanf(line, "%*s %as", &address) != 1)
            DBG("set with bdaddr BDADDR");
        if (u->address)
            free(u->address);
        u->address = address;
        DBG("bdaddr %s", u->address);
    }

Closing as FIXED.
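Added example (not code from this ticket or from bluez) that puts the two orderings above side by side. The original snippet frees u->address first and then asks sscanf to fill the same field, so a line with no address token leaves u->address pointing at freed memory, which the following DBG("%s") then reads. The 4.60 ordering parses into a temporary first; the safe variant below also returns before the swap when the parse fails (in the quoted 4.60 snippet, address is left uninitialized in that case). The struct, the sample lines and the bounded "%63s"/strdup() parse standing in for the GNU-only "%as" are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the ipctest.c per-user state; only the field the bug touches. */
struct user {
    char *address;
};

/* Parse "bdaddr <address>" into a newly malloc'd string; NULL when the line has no
 * address token. A bounded %63s plus strdup() replaces the GNU-only "%as" of the
 * original so this builds with any C library; ownership (caller frees) is the same. */
char *parse_bdaddr(const char *line)
{
    char buf[64];
    if (sscanf(line, "%*s %63s", buf) != 1)
        return NULL;
    return strdup(buf);
}

/* Ordering from the original report: free the old value, then parse into the field.
 * If the parse fails, u->address still holds the freed block's address, and the
 * original code went on to read it through DBG("bdaddr %s", u->address).
 * Kept for comparison only; the checks below never call it on the failing path. */
int set_bdaddr_unsafe(struct user *u, const char *line)
{
    if (u->address)
        free(u->address);
    char *parsed = parse_bdaddr(line);
    if (parsed == NULL)
        return -1;              /* u->address is dangling here */
    u->address = parsed;
    return 0;
}

/* Ordering from the 4.60 fix plus an early return: parse into a temporary, leave
 * u->address untouched on failure, and only on success free the old value and swap.
 * The field is always either its previous valid value or the new one. */
int set_bdaddr_safe(struct user *u, const char *line)
{
    char *parsed = parse_bdaddr(line);
    if (parsed == NULL)
        return -1;              /* old address still valid */
    free(u->address);           /* free(NULL) is a no-op, so no guard needed */
    u->address = parsed;
    return 0;
}

/* Self-checks; each returns 1 when the behaviour matches the comment above it. */
int check_failure_keeps_old_address(void)
{
    struct user u = { strdup("00:11:22:33:44:55") };   /* constructed sample address */
    int rc = set_bdaddr_safe(&u, "bdaddr");            /* no address token: parse fails */
    int ok = rc == -1 && strcmp(u.address, "00:11:22:33:44:55") == 0;
    free(u.address);
    return ok;
}

int check_success_replaces_address(void)
{
    struct user u = { strdup("00:11:22:33:44:55") };
    int rc = set_bdaddr_safe(&u, "bdaddr AA:BB:CC:DD:EE:FF");
    int ok = rc == 0 && strcmp(u.address, "AA:BB:CC:DD:EE:FF") == 0;
    free(u.address);
    return ok;
}

int check_unsafe_success_path(void)
{
    struct user u = { NULL };
    int rc = set_bdaddr_unsafe(&u, "bdaddr AA:BB:CC:DD:EE:FF");
    int ok = rc == 0 && strcmp(u.address, "AA:BB:CC:DD:EE:FF") == 0;
    free(u.address);
    return ok;
}

int main(void)
{
    struct user u = { NULL };
    /* constructed input lines: two valid, one missing the address */
    const char *lines[] = { "bdaddr 00:11:22:33:44:55", "bdaddr", "bdaddr AA:BB:CC:DD:EE:FF" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        int rc = set_bdaddr_safe(&u, lines[i]);
        printf("%-26s -> rc=%d address=%s\n", lines[i], rc, u.address ? u.address : "(none)");
    }
    free(u.address);
    return 0;
}
```

Running it shows the second line failing with rc=-1 while the address from the first line survives intact; with the unsafe ordering the same input would leave a stale pointer in the field.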
Comment 2 Andre Klapper maemo.org 2010-03-15 20:52:33 UTC
Setting explicit PR1.2 milestone (so it's clearer in which public release the
fix will be available to users).

Sorry for the bugmail noise (you can filter on this message).