Skip to content

Bluetooth: Classic: HFP_AG: Avoid potential array out-of-bounds access issues. #90774

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
lylezhu2012 opened this issue May 29, 2025 · 1 comment
Closed

Bluetooth: Classic: HFP_AG: Avoid potential array out-of-bounds access issues. #90774

lylezhu2012 opened this issue May 29, 2025 · 1 comment
Assignees
@lylezhu2012
Labels
area: Bluetooth Classic Bluetooth Classic (BR/EDR) area: Bluetooth bug The issue is a bug, or the PR is fixing a bug

Comments

@lylezhu2012
Copy link
Collaborator

lylezhu2012 commented May 29, 2025
edited
Loading

Describe the bug

At line 283 of the function get_new_call() in the file zephyr/subsys/bluetooth/host/classic/hfp_ag.c, when accessing a fixed-length data, it is not considered whether the array will cross the boundary.

zephyr/subsys/bluetooth/host/classic/hfp_ag.c

Line 283 in 265cfb4

strcpy(call->number, number);

However, this issue is not possible at present because all callers of the get_new_call() function will confirm that the length of number is less than the buffer size before calling the function get_new_call().

zephyr/subsys/bluetooth/host/classic/hfp_ag.c

Lines 2519 to 2526 in 265cfb4

len = strlen(number);
if (len == 0) {
return -ENOTSUP;
}
if (len > CONFIG_BT_HFP_AG_PHONE_NUMBER_MAX_LEN) {
return -ENAMETOOLONG;
}

zephyr/subsys/bluetooth/host/classic/hfp_ag.c

Lines 3838 to 3841 in 265cfb4

len = strlen(number);
if ((len == 0) || (len > CONFIG_BT_HFP_AG_PHONE_NUMBER_MAX_LEN)) {
return -EINVAL;
}

To avoid potential array out-of-bounds access issues and easy to maintain, improve it.
@lylezhu2012 lylezhu2012 added bug The issue is a bug, or the PR is fixing a bug area: Bluetooth area: Bluetooth Classic Bluetooth Classic (BR/EDR) labels May 29, 2025
@lylezhu2012
Copy link
Collaborator Author

The issue has been fixed by following changes,

zephyr/subsys/bluetooth/host/classic/hfp_ag.c

Lines 282 to 285 in 46f7313

memset(call->number, 0, sizeof(call->number));
if (number != NULL) {
strncpy(call->number, number, sizeof(call->number) - 1);
}

@lylezhu2012 lylezhu2012 mentioned this issue May 29, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@lylezhu2012 lylezhu2012

Labels
area: Bluetooth Classic Bluetooth Classic (BR/EDR) area: Bluetooth bug The issue is a bug, or the PR is fixing a bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@lylezhu2012