From 80d7f60680f483a71e413f2453ab20013aff5c5c Mon Sep 17 00:00:00 2001 From: George Burgess IV Date: Wed, 2 Mar 2016 14:00:19 -0800 Subject: [PATCH] Replace all uses of sprintf() with snprintf() - sprintf() does not limit the length of the character string when writing to a buffer and may result in buffer overflow - snprintf() requires the maximum write length as a parameter. When the maximum length supported is smaller than the reserved buffer length, the call will not result in buffer overflow Bug: 31859081 Test: TestTracker/64195/3975 Change-Id: I519f8ef7b9b162fd79094f89148250d783c734c0 --- bta/ag/bta_ag_cmd.c | 8 ++++---- bta/gatt/bta_gattc_cache.cc | 11 ++++++----- bta/jv/bta_jv_act.c | 4 ++-- btcore/src/bdaddr.c | 5 ++--- btcore/src/uuid.c | 24 +++++++++++++++--------- btif/co/bta_hh_co.cc | 6 +++--- btif/include/btif_util.h | 2 +- btif/src/btif_dm.cc | 19 ++++++++++--------- btif/src/btif_gatt_test.cc | 29 ++++++++++++++++------------- btif/src/btif_hf.cc | 34 +++++++++++++++++----------------- btif/src/btif_hh.cc | 16 ++++++++-------- btif/src/btif_storage.cc | 2 +- btif/src/btif_util.cc | 10 +++++----- osi/src/config.c | 2 +- stack/btm/btm_inq.c | 3 ++- stack/btm/btm_sec.c | 5 +++-- stack/gatt/gatt_db.c | 16 +++++++--------- stack/gatt/gatt_utils.c | 27 ++++++++++++++------------- stack/l2cap/l2c_fcr.c | 11 ++++++----- stack/pan/pan_utils.c | 3 ++- stack/sdp/sdp_db.c | 6 +++--- stack/sdp/sdp_discovery.c | 3 ++- stack/smp/smp_keys.c | 4 ++-- 23 files changed, 132 insertions(+), 118 deletions(-) diff --git a/bta/ag/bta_ag_cmd.c b/bta/ag/bta_ag_cmd.c index 09419e240..1874f1b27 100644 --- a/bta/ag/bta_ag_cmd.c +++ b/bta/ag/bta_ag_cmd.c 
@@ -969,12 +969,12 @@ static void bta_ag_bind_response(tBTA_AG_SCB *p_scb, uint8_t arg_type) for (uint32_t i = 0; i < bta_ag_local_hf_ind_cfg[0].ind_id; i++) { - if (bta_ag_local_hf_ind_cfg[i+1].is_supported == true) + if (bta_ag_local_hf_ind_cfg[i+1].is_supported) { /* Add ',' from second indicator */ - if (index > 1) - buffer[index++] = ','; - sprintf(&buffer[index++], "%d", bta_ag_local_hf_ind_cfg[i+1].ind_id); + if (index > 1) buffer[index++] = ','; + snprintf(&buffer[index++], 1, "%d", + bta_ag_local_hf_ind_cfg[i+1].ind_id); } } diff --git a/bta/gatt/bta_gattc_cache.cc b/bta/gatt/bta_gattc_cache.cc index c7275cdfd..121a540d3 100644 --- a/bta/gatt/bta_gattc_cache.cc +++ b/bta/gatt/bta_gattc_cache.cc @@ -58,9 +58,10 @@ tBTA_GATTC_CHARACTERISTIC* bta_gattc_get_characteristic_srcb(tBTA_GATTC_SERV *p #define GATT_CACHE_PREFIX "/data/misc/bluetooth/gatt_cache_" #define GATT_CACHE_VERSION 2 -static void bta_gattc_generate_cache_file_name(char *buffer, BD_ADDR bda) +static void bta_gattc_generate_cache_file_name(char *buffer, + size_t buffer_len, BD_ADDR bda) { - sprintf(buffer, "%s%02x%02x%02x%02x%02x%02x", GATT_CACHE_PREFIX, + snprintf(buffer, buffer_len, "%s%02x%02x%02x%02x%02x%02x", GATT_CACHE_PREFIX, bda[0], bda[1], bda[2], bda[3], bda[4], bda[5]); } @@ -1522,7 +1523,7 @@ void bta_gattc_cache_save(tBTA_GATTC_SERV *p_srvc_cb, uint16_t conn_id) bool bta_gattc_cache_load(tBTA_GATTC_CLCB *p_clcb) { char fname[255] = {0}; - bta_gattc_generate_cache_file_name(fname, p_clcb->p_srcb->server_bda); + bta_gattc_generate_cache_file_name(fname, sizeof(fname), p_clcb->p_srcb->server_bda); FILE *fd = fopen(fname, "rb"); if (!fd) { @@ -1586,7 +1587,7 @@ static void bta_gattc_cache_write(BD_ADDR server_bda, uint16_t num_attr, tBTA_GATTC_NV_ATTR *attr) { char fname[255] = {0}; - bta_gattc_generate_cache_file_name(fname, server_bda); + bta_gattc_generate_cache_file_name(fname, sizeof(fname), server_bda); FILE *fd = fopen(fname, "wb"); if (!fd) { 
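Review bot: The new call `snprintf(&buffer[index++], 1, "%d", bta_ag_local_hf_ind_cfg[i+1].ind_id)` passes a size of 1, so snprintf stores only the terminating NUL and the indicator id never reaches the buffer at all; the old sprintf at least emitted the digits. The size must describe the room left in `buffer` and the index should advance by what was actually stored, e.g. `int n = snprintf(&buffer[index], sizeof(buffer) - index, "%d", bta_ag_local_hf_ind_cfg[i+1].ind_id);` followed by `if (n > 0 && (size_t)n < sizeof(buffer) - index) index += n;` — this assumes `buffer` is an array local to bta_ag_bind_response, whose declaration is outside the hunk. As far as the hunk shows, the old `index++` also moved past only one character regardless of how many digits were written, so ids of 10 or more were already being corrupted by the following `','`.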
@@ -1632,7 +1633,7 @@ void bta_gattc_cache_reset(BD_ADDR server_bda) { BTIF_TRACE_DEBUG("%s", __func__); char fname[255] = {0}; - bta_gattc_generate_cache_file_name(fname, server_bda); + bta_gattc_generate_cache_file_name(fname, sizeof(fname), server_bda); unlink(fname); } #endif /* BTA_GATT_INCLUDED */ diff --git a/bta/jv/bta_jv_act.c b/bta/jv/bta_jv_act.c index 5927c2173..e5bddc4a1 100644 --- a/bta/jv/bta_jv_act.c +++ b/bta/jv/bta_jv_act.c @@ -84,11 +84,11 @@ static void fcchan_conn_chng_cbk(uint16_t chan, BD_ADDR bd_addr, bool connected, static void fcchan_data_cbk(uint16_t chan, BD_ADDR bd_addr, BT_HDR *p_buf); -extern void uuid_to_string_legacy(bt_uuid_t *p_uuid, char *str); +extern void uuid_to_string_legacy(bt_uuid_t *p_uuid, char *str, size_t str_len); static inline void logu(const char* title, const uint8_t * p_uuid) { char uuids[128]; - uuid_to_string_legacy((bt_uuid_t*)p_uuid, uuids); + uuid_to_string_legacy((bt_uuid_t*)p_uuid, uuids, sizeof(uuids)); APPL_TRACE_DEBUG("%s: %s", title, uuids); } diff --git a/btcore/src/bdaddr.c b/btcore/src/bdaddr.c index c7cecd332..80ad11eee 100644 --- a/btcore/src/bdaddr.c +++ b/btcore/src/bdaddr.c @@ -52,9 +52,8 @@ const char *bdaddr_to_string(const bt_bdaddr_t *addr, char *string, size_t size) return NULL; const uint8_t *ptr = addr->address; - sprintf(string, "%02x:%02x:%02x:%02x:%02x:%02x", - ptr[0], ptr[1], ptr[2], - ptr[3], ptr[4], ptr[5]); + snprintf(string, size, "%02x:%02x:%02x:%02x:%02x:%02x", + ptr[0], ptr[1], ptr[2], ptr[3], ptr[4], ptr[5]); return string; } diff --git a/btcore/src/uuid.c b/btcore/src/uuid.c index 4213ec352..842f29e8a 100644 --- a/btcore/src/uuid.c +++ b/btcore/src/uuid.c 
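Review bot: The hand-written `extern void uuid_to_string_legacy(bt_uuid_t *p_uuid, char *str, size_t str_len);` in bta_jv_act.c duplicates the prototype in btif/include/btif_util.h, and the two agree only because this commit edits both; a later change to one of them would compile without a diagnostic and call with the wrong argument list. The header declares it with an unconditional `extern "C"`, which is presumably why a C file cannot include it; wrapping that declaration in `#ifdef __cplusplus` and including the header from bta_jv_act.c would remove the duplicate. The `size_t` in the new prototype also needs `<stddef.h>` (or a header that pulls it in) to be included before this line; the include list is not in the hunk.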
@@ -139,25 +139,31 @@ void uuid_to_string(const bt_uuid_t *uuid, uuid_string_t *uuid_string) { assert(uuid_string != NULL); char *string = uuid_string->string; + char *end = string + UUID_WELL_FORMED_STRING_LEN_WITH_NULL; + // XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX for (int i = 0; i < 4; i++) { - string += sprintf(string, "%02x", uuid->uu[i]); + string += snprintf(string, end - string, "%02x", uuid->uu[i]); } - string += sprintf(string, "-"); + *string = '-'; + ++string; for (int i = 4; i < 6; i++) { - string += sprintf(string, "%02x", uuid->uu[i]); + string += snprintf(string, end - string, "%02x", uuid->uu[i]); } - string += sprintf(string, "-"); + *string = '-'; + ++string; for (int i = 6; i < 8; i++) { - string += sprintf(string, "%02x", uuid->uu[i]); + string += snprintf(string, end - string, "%02x", uuid->uu[i]); } - string += sprintf(string, "-"); + *string = '-'; + ++string; for (int i = 8; i < 10; i++) { - string += sprintf(string, "%02x", uuid->uu[i]); + string += snprintf(string, end - string, "%02x", uuid->uu[i]); } - string += sprintf(string, "-"); + *string = '-'; + ++string; for (int i = 10; i < 16; i++) { - string += sprintf(string, "%02x", uuid->uu[i]); + string += snprintf(string, end - string, "%02x", uuid->uu[i]); } } diff --git a/btif/co/bta_hh_co.cc b/btif/co/bta_hh_co.cc index 7634f4523..a9dc4b146 100644 --- a/btif/co/bta_hh_co.cc +++ b/btif/co/bta_hh_co.cc @@ -527,7 +527,7 @@ void bta_hh_le_co_rpt_info(BD_ADDR remote_bda, tBTA_HH_RPT_CACHE_ENTRY *p_entry, unsigned idx = 0; bdstr_t bdstr; - sprintf(bdstr, "%02x:%02x:%02x:%02x:%02x:%02x", + snprintf(bdstr, sizeof(bdstr), "%02x:%02x:%02x:%02x:%02x:%02x", remote_bda[0], remote_bda[1], remote_bda[2], remote_bda[3], remote_bda[4], remote_bda[5]); 
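Review bot: The added comment `// XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXX` does not match what the loops below emit: the last loop covers `uu[10]` through `uu[15]`, which is 12 hex digits, so the layout is 8-4-4-4-12, 36 characters plus NUL. I would write `// 8-4-4-4-12 hex layout XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX: 36 chars + NUL, which UUID_WELL_FORMED_STRING_LEN_WITH_NULL must equal`. The `string += snprintf(string, end - string, ...)` idiom is safe here only because every write is a fixed two characters that always fits; if `end - string` ever reached zero, snprintf would still return 2, `string` would step past `end`, and the next `end - string` would be negative and convert to a huge size_t, so the assumption is worth pinning with a `_Static_assert` on the constant rather than leaving it implicit. The four bare `*string = '-'; ++string;` writes have no bound at all and rely on the same assumption.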
@@ -569,7 +569,7 @@ tBTA_HH_RPT_CACHE_ENTRY * bta_hh_le_co_cache_load (BD_ADDR remote_bda, UNUSED(app_id); bdstr_t bdstr; - sprintf(bdstr, "%02x:%02x:%02x:%02x:%02x:%02x", + snprintf(bdstr, sizeof(bdstr), "%02x:%02x:%02x:%02x:%02x:%02x", remote_bda[0], remote_bda[1], remote_bda[2], remote_bda[3], remote_bda[4], remote_bda[5]); @@ -603,7 +603,7 @@ void bta_hh_le_co_reset_rpt_cache (BD_ADDR remote_bda, uint8_t app_id) UNUSED(app_id); bdstr_t bdstr; - sprintf(bdstr, "%02x:%02x:%02x:%02x:%02x:%02x", + snprintf(bdstr, sizeof(bdstr), "%02x:%02x:%02x:%02x:%02x:%02x", remote_bda[0], remote_bda[1], remote_bda[2], remote_bda[3], remote_bda[4], remote_bda[5]); btif_config_remove(bdstr, "HidReport"); diff --git a/btif/include/btif_util.h b/btif/include/btif_util.h index 6dbe7e8cb..7bcb9372d 100644 --- a/btif/include/btif_util.h +++ b/btif/include/btif_util.h @@ -74,6 +74,6 @@ bool string_to_uuid(const char *str, bt_uuid_t *p_uuid); int ascii_2_hex (const char *p_ascii, int len, uint8_t *p_hex); -extern "C" void uuid_to_string_legacy(bt_uuid_t *p_uuid, char *str); +extern "C" void uuid_to_string_legacy(bt_uuid_t *p_uuid, char *str, size_t str_len); #endif /* BTIF_UTIL_H */ diff --git a/btif/src/btif_dm.cc b/btif/src/btif_dm.cc index 0f925cdc5..be4d6b941 100644 --- a/btif/src/btif_dm.cc +++ b/btif/src/btif_dm.cc @@ -1513,7 +1513,8 @@ static void btif_dm_search_services_evt(uint16_t event, char *p_param) for (i=0; i < p_data->disc_res.num_uuids; i++) { char temp[256]; - uuid_to_string_legacy((bt_uuid_t*)(p_data->disc_res.p_uuid_list + (i*MAX_UUID_SIZE)), temp); + uuid_to_string_legacy((bt_uuid_t*)(p_data->disc_res.p_uuid_list + (i*MAX_UUID_SIZE)), temp, + sizeof(temp)); LOG_INFO(LOG_TAG, "%s index:%d uuid:%s", __func__, i, temp); } } 
@@ -1586,7 +1587,7 @@ static void btif_dm_search_services_evt(uint16_t event, char *p_param) j--; } - uuid_to_string_legacy(&uuid, temp); + uuid_to_string_legacy(&uuid, temp, sizeof(temp)); LOG_INFO(LOG_TAG, "%s uuid:%s", __func__, temp); bdcpy(bd_addr.address, p_data->disc_ble_res.bd_addr); @@ -3012,17 +3013,17 @@ bool btif_dm_proc_rmt_oob(BD_ADDR bd_addr, BT_OCTET16 p_c, BT_OCTET16 p_r) fclose(fp); } BTIF_TRACE_DEBUG("----%s: true", __func__); - sprintf(t, "%02x:%02x:%02x:%02x:%02x:%02x", + snprintf(t, sizeof(t), "%02x:%02x:%02x:%02x:%02x:%02x", oob_cb.bdaddr[0], oob_cb.bdaddr[1], oob_cb.bdaddr[2], oob_cb.bdaddr[3], oob_cb.bdaddr[4], oob_cb.bdaddr[5]); BTIF_TRACE_DEBUG("----%s: peer_bdaddr = %s", __func__, t); - sprintf(t, "%02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x", - p_c[0], p_c[1], p_c[2], p_c[3], p_c[4], p_c[5], p_c[6], p_c[7], - p_c[8], p_c[9], p_c[10], p_c[11], p_c[12], p_c[13], p_c[14], p_c[15]); + snprintf(t, sizeof(t), "%02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x", + p_c[0], p_c[1], p_c[2], p_c[3], p_c[4], p_c[5], p_c[6], p_c[7], + p_c[8], p_c[9], p_c[10], p_c[11], p_c[12], p_c[13], p_c[14], p_c[15]); BTIF_TRACE_DEBUG("----%s: c = %s", __func__, t); - sprintf(t, "%02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x", - p_r[0], p_r[1], p_r[2], p_r[3], p_r[4], p_r[5], p_r[6], p_r[7], - p_r[8], p_r[9], p_r[10], p_r[11], p_r[12], p_r[13], p_r[14], p_r[15]); + snprintf(t, sizeof(t), "%02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x %02x", + p_r[0], p_r[1], p_r[2], p_r[3], p_r[4], p_r[5], p_r[6], p_r[7], + p_r[8], p_r[9], p_r[10], p_r[11], p_r[12], p_r[13], p_r[14], p_r[15]); BTIF_TRACE_DEBUG("----%s: r = %s", __func__, t); bdcpy(bt_bd_addr.address, bd_addr); btif_transfer_context(btif_dm_generic_evt, BTIF_DM_CB_BOND_STATE_BONDING, diff --git a/btif/src/btif_gatt_test.cc b/btif/src/btif_gatt_test.cc index 595ca59e4..f1ead43d6 100644 
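Review bot: In btif_dm_proc_rmt_oob `snprintf(t, sizeof(t), ...)` is only a bound if `t` is a local array; its declaration is outside the hunk, and if `t` were a `char *` then `sizeof(t)` would be the pointer size and the three trace strings would be cut to a few characters without any warning, so confirm it at the declaration. Separately, the second and third traces print the full OOB confirmation `p_c` and randomizer `p_r` values; these are pairing secrets, and since this hunk touches exactly those lines it is a good moment to put them behind a verbose-only build guard (btm_sec.c in this same diff uses a `BT_TRACE_VERBOSE` condition) rather than an ordinary BTIF_TRACE_DEBUG.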
--- a/btif/src/btif_gatt_test.cc +++ b/btif/src/btif_gatt_test.cc @@ -70,29 +70,32 @@ static btif_test_cb_t test_cb; * Callback functions *******************************************************************************/ -static char * format_uuid(tBT_UUID bt_uuid, char *str_buf) +static char * format_uuid(tBT_UUID bt_uuid, char *str_buf, size_t buf_size) { - int x = 0; + if (bt_uuid.len == LEN_UUID_16) { - sprintf(str_buf, "0x%04x", bt_uuid.uu.uuid16); + snprintf(str_buf, buf_size, "0x%04x", bt_uuid.uu.uuid16); } else if (bt_uuid.len == LEN_UUID_128) { - x += sprintf(&str_buf[x], "%02x%02x%02x%02x-%02x%02x-%02x%02x", + int x = snprintf(str_buf, buf_size, + "%02x%02x%02x%02x-%02x%02x-%02x%02x", bt_uuid.uu.uuid128[15], bt_uuid.uu.uuid128[14], bt_uuid.uu.uuid128[13], bt_uuid.uu.uuid128[12], bt_uuid.uu.uuid128[11], bt_uuid.uu.uuid128[10], bt_uuid.uu.uuid128[9], bt_uuid.uu.uuid128[8]); - sprintf(&str_buf[x], "%02x%02x-%02x%02x%02x%02x%02x%02x", + snprintf(&str_buf[x], buf_size - x, + "%02x%02x-%02x%02x%02x%02x%02x%02x", bt_uuid.uu.uuid128[7], bt_uuid.uu.uuid128[6], bt_uuid.uu.uuid128[5], bt_uuid.uu.uuid128[4], bt_uuid.uu.uuid128[3], bt_uuid.uu.uuid128[2], bt_uuid.uu.uuid128[1], bt_uuid.uu.uuid128[0]); } - else - sprintf(str_buf, "Unknown (len=%d)", bt_uuid.len); + else { + snprintf(str_buf, buf_size, "Unknown (len=%d)", bt_uuid.len); + } return str_buf; } @@ -144,7 +147,7 @@ static void btif_test_discovery_result_cback(uint16_t conn_id, tGATT_DISC_TYPE d LOG_DEBUG(LOG_TAG, " Attribute handle: 0x%04x (%d)", p_data->handle, p_data->handle); if (disc_type != GATT_DISC_CHAR_DSCPT) { - LOG_DEBUG(LOG_TAG, " Attribute type: %s", format_uuid(p_data->type, str_buf)); + LOG_DEBUG(LOG_TAG, " Attribute type: %s", format_uuid(p_data->type, str_buf, sizeof(str_buf))); } switch (disc_type) 
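Review bot: In format_uuid the second call `snprintf(&str_buf[x], buf_size - x, ...)` trusts `x`, but snprintf returns the length the whole output would have had, not what was stored, and is negative on error; if the first write was truncated so that `x >= buf_size`, `&str_buf[x]` points past the buffer and `buf_size - x` wraps to a huge size_t, and the second write is unbounded again. The callers in this file pass `sizeof(str_buf)` of arrays declared outside the hunks, presumably large enough, but the helper should protect itself with `if (x < 0 || (size_t)x >= buf_size) return str_buf;` before the second snprintf. The same two-step pattern appears in gatt_db.c uuid_to_str, gatt_utils.c gatt_dbg_display_uuid, btm_inq.c BTM_GetEirUuidList, smp_keys.c smp_debug_print_nbyte_little_endian and btif_hf.cc clcc_response and phone_state_change, which deserve the same guard.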
@@ -154,7 +157,7 @@ static void btif_test_discovery_result_cback(uint16_t conn_id, tGATT_DISC_TYPE d p_data->handle, p_data->value.group_value.e_handle, p_data->handle, p_data->value.group_value.e_handle); LOG_DEBUG(LOG_TAG, " Service UUID: %s", - format_uuid(p_data->value.group_value.service_type, str_buf)); + format_uuid(p_data->value.group_value.service_type, str_buf, sizeof(str_buf))); break; case GATT_DISC_SRVC_BY_UUID: @@ -168,18 +171,18 @@ static void btif_test_discovery_result_cback(uint16_t conn_id, tGATT_DISC_TYPE d p_data->value.incl_service.s_handle, p_data->value.incl_service.e_handle, p_data->value.incl_service.s_handle, p_data->value.incl_service.e_handle); LOG_DEBUG(LOG_TAG, " Service UUID: %s", - format_uuid(p_data->value.incl_service.service_type, str_buf)); + format_uuid(p_data->value.incl_service.service_type, str_buf, sizeof(str_buf))); break; case GATT_DISC_CHAR: LOG_DEBUG(LOG_TAG, " Properties: 0x%02x", p_data->value.dclr_value.char_prop); LOG_DEBUG(LOG_TAG, " Characteristic UUID: %s", - format_uuid(p_data->value.dclr_value.char_uuid, str_buf)); + format_uuid(p_data->value.dclr_value.char_uuid, str_buf, sizeof(str_buf))); break; case GATT_DISC_CHAR_DSCPT: - LOG_DEBUG(LOG_TAG, " Descriptor UUID: %s", format_uuid(p_data->type, str_buf)); + LOG_DEBUG(LOG_TAG, " Descriptor UUID: %s", format_uuid(p_data->type, str_buf, sizeof(str_buf))); break; } @@ -272,7 +275,7 @@ bt_status_t btif_gattc_test_command_impl(int command, btgatt_test_params_t* para LOG_DEBUG(LOG_TAG, "%s: DISCOVER (%s), conn_id=%d, uuid=%s, handles=0x%04x-0x%04x", __func__, disc_name[params->u1], test_cb.conn_id, - format_uuid(param.service, buf), params->u2, params->u3); + format_uuid(param.service, buf, sizeof(buf)), params->u2, params->u3); GATTC_Discover(test_cb.conn_id, params->u1, ¶m); break; } diff --git a/btif/src/btif_hf.cc b/btif/src/btif_hf.cc index d715df31a..2646a56f6 100644 --- a/btif/src/btif_hf.cc +++ b/btif/src/btif_hf.cc 
@@ -1067,7 +1067,7 @@ static bt_status_t cops_response(const char *cops, bt_bdaddr_t *bd_addr) tBTA_AG_RES_DATA ag_res; /* Format the response */ - sprintf (ag_res.str, "0,0,\"%.16s\"", cops); + snprintf (ag_res.str, sizeof(ag_res.str), "0,0,\"%.16s\"", cops); ag_res.ok_flag = BTA_AG_OK_DONE; BTA_AgResult (btif_hf_cb[idx].handle, BTA_AG_COPS_RES, &ag_res); @@ -1108,14 +1108,14 @@ static bt_status_t cind_response(int svc, int num_active, int num_held, /* per the errata 2043, call=1 implies atleast one call is in progress (active/held) ** https://www.bluetooth.org/errata/errata_view.cfm?errata_id=2043 **/ - sprintf (ag_res.str, "%d,%d,%d,%d,%d,%d,%d", - (num_active + num_held) ? 1 : 0, /* Call state */ - callstate_to_callsetup(call_setup_state), /* Callsetup state */ - svc, /* network service */ - signal, /* Signal strength */ - roam, /* Roaming indicator */ - batt_chg, /* Battery level */ - ((num_held == 0) ? 0 : ((num_active == 0) ? 2 : 1))); /* Call held */ + snprintf (ag_res.str, sizeof(ag_res.str), "%d,%d,%d,%d,%d,%d,%d", + (num_active + num_held) ? 1 : 0, /* Call state */ + callstate_to_callsetup(call_setup_state), /* Callsetup state */ + svc, /* network service */ + signal, /* Signal strength */ + roam, /* Roaming indicator */ + batt_chg, /* Battery level */ + ((num_held == 0) ? 0 : ((num_active == 0) ? 2 : 1))); /* Call held */ BTA_AgResult (btif_hf_cb[idx].handle, BTA_AG_CIND_RES, &ag_res); @@ -1247,7 +1247,6 @@ static bt_status_t clcc_response(int index, bthf_call_direction_t dir, if (is_connected(bd_addr) && (idx != BTIF_HF_INVALID_IDX)) { tBTA_AG_RES_DATA ag_res; - int xx; memset (&ag_res, 0, sizeof (ag_res)); 
@@ -1260,15 +1259,16 @@ static bt_status_t clcc_response(int index, bthf_call_direction_t dir, { BTIF_TRACE_EVENT("clcc_response: [%d] dir %d state %d mode %d number = %s type = %d", index, dir, state, mode, number, type); - xx = sprintf (ag_res.str, "%d,%d,%d,%d,%d", - index, dir, state, mode, mpty); + int xx = snprintf (ag_res.str, sizeof(ag_res.str), "%d,%d,%d,%d,%d", + index, dir, state, mode, mpty); if (number) { + size_t rem_bytes = sizeof(ag_res.str) - xx; if ((type == BTHF_CALL_ADDRTYPE_INTERNATIONAL) && (*number != '+')) - sprintf (&ag_res.str[xx], ",\"+%s\",%d", number, type); + snprintf (&ag_res.str[xx], rem_bytes, ",\"+%s\",%d", number, type); else - sprintf (&ag_res.str[xx], ",\"%s\",%d", number, type); + snprintf (&ag_res.str[xx], rem_bytes, ",\"%s\",%d", number, type); } } BTA_AgResult (btif_hf_cb[idx].handle, BTA_AG_CLCC_RES, &ag_res); @@ -1422,13 +1422,13 @@ static bt_status_t phone_state_change(int num_active, int num_held, bthf_call_st { int xx = 0; if ((type == BTHF_CALL_ADDRTYPE_INTERNATIONAL) && (*number != '+')) - xx = sprintf (ag_res.str, "\"+%s\"", number); + xx = snprintf (ag_res.str, sizeof(ag_res.str), "\"+%s\"", number); else - xx = sprintf (ag_res.str, "\"%s\"", number); + xx = snprintf (ag_res.str, sizeof(ag_res.str), "\"%s\"", number); ag_res.num = type; if (res == BTA_AG_CALL_WAIT_RES) - sprintf(&ag_res.str[xx], ",%d", type); + snprintf(&ag_res.str[xx], sizeof(ag_res.str) - xx, ",%d", type); } break; case BTHF_CALL_STATE_DIALING: diff --git a/btif/src/btif_hh.cc b/btif/src/btif_hh.cc index 8bcb273cf..e2f65720e 100644 --- a/btif/src/btif_hh.cc +++ b/btif/src/btif_hh.cc 
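Review bot: In phone_state_change the new bound does not hold for a long `number`: `xx = snprintf(ag_res.str, sizeof(ag_res.str), "\"+%s\"", number)` returns the untruncated length, so when `number` is longer than ag_res.str, `&ag_res.str[xx]` is past the end and `sizeof(ag_res.str) - xx` wraps, and the following `snprintf(&ag_res.str[xx], ..., ",%d", type)` writes out of bounds exactly as the old sprintf did. `number` is a parameter of phone_state_change, so its length is not under this file's control. Clamp before the second write, e.g. `if (xx < 0 || (size_t)xx >= sizeof(ag_res.str)) xx = (int)sizeof(ag_res.str) - 1;`, and treat the truncated case as an error rather than sending a malformed AT response. clcc_response has the same shape with `rem_bytes = sizeof(ag_res.str) - xx` and an externally supplied `number`; both enclosing functions start and end outside the hunks.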
@@ -556,9 +556,9 @@ bt_status_t btif_hh_virtual_unplug(bt_bdaddr_t *bd_addr) BTIF_TRACE_DEBUG("%s", __func__); btif_hh_device_t *p_dev; char bd_str[18]; - sprintf(bd_str, "%02X:%02X:%02X:%02X:%02X:%02X", - bd_addr->address[0], bd_addr->address[1], bd_addr->address[2], bd_addr->address[3], - bd_addr->address[4], bd_addr->address[5]); + snprintf(bd_str, sizeof(bd_str), "%02X:%02X:%02X:%02X:%02X:%02X", + bd_addr->address[0], bd_addr->address[1], bd_addr->address[2], bd_addr->address[3], + bd_addr->address[4], bd_addr->address[5]); p_dev = btif_hh_find_dev_by_bda(bd_addr); if ((p_dev != NULL) && (p_dev->dev_status == BTHH_CONN_STATE_CONNECTED) && (p_dev->attr_mask & HID_VIRTUAL_CABLE)) @@ -597,8 +597,8 @@ bt_status_t btif_hh_connect(bt_bdaddr_t *bd_addr) CHECK_BTHH_INIT(); dev = btif_hh_find_dev_by_bda(bd_addr); BTIF_TRACE_DEBUG("Connect _hh"); - sprintf(bda_str, "%02X:%02X:%02X:%02X:%02X:%02X", - (*bda)[0], (*bda)[1], (*bda)[2], (*bda)[3], (*bda)[4], (*bda)[5]); + snprintf(bda_str, sizeof(bda_str), "%02X:%02X:%02X:%02X:%02X:%02X", + (*bda)[0], (*bda)[1], (*bda)[2], (*bda)[3], (*bda)[4], (*bda)[5]); if (dev == NULL && btif_hh_cb.device_num >= BTIF_HH_MAX_HID) { // No space for more HID device now. BTIF_TRACE_WARNING("%s: Error, exceeded the maximum supported HID device number %d", @@ -1263,9 +1263,9 @@ static bt_status_t virtual_unplug (bt_bdaddr_t *bd_addr) CHECK_BTHH_INIT(); btif_hh_device_t *p_dev; char bd_str[18]; - sprintf(bd_str, "%02X:%02X:%02X:%02X:%02X:%02X", - bd_addr->address[0], bd_addr->address[1], bd_addr->address[2], bd_addr->address[3], - bd_addr->address[4], bd_addr->address[5]); + snprintf(bd_str, sizeof(bd_str), "%02X:%02X:%02X:%02X:%02X:%02X", + bd_addr->address[0], bd_addr->address[1], bd_addr->address[2], + bd_addr->address[3], bd_addr->address[4], bd_addr->address[5]); if (btif_hh_cb.status == BTIF_HH_DISABLED) { BTIF_TRACE_ERROR("%s: Error, HH status = %d", __func__, btif_hh_cb.status); 
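Review bot: In the btif_hh_connect hunk `sizeof(bda_str)` is only a bound if `bda_str` is a local array; unlike the `char bd_str[18]` visible in the other two hunks its declaration is outside the hunk, so confirm it is not a pointer, where sizeof would be the pointer size and the address would be silently truncated. Style: all three hunks hand-format the same `%02X:%02X:%02X:%02X:%02X:%02X` string from a `bt_bdaddr_t *`, which is exactly what btcore's `bdaddr_to_string(const bt_bdaddr_t *, char *, size_t)` (made length-checked in this same commit) produces, so `bdaddr_to_string(bd_addr, bd_str, sizeof(bd_str))` would remove the copies; note it emits lowercase hex where these use uppercase, which matters if the string is later used as a lookup key.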
diff --git a/btif/src/btif_storage.cc b/btif/src/btif_storage.cc index 26b0c16fd..c95fdeba2 100644 --- a/btif/src/btif_storage.cc +++ b/btif/src/btif_storage.cc @@ -222,7 +222,7 @@ static int prop2cfg(bt_bdaddr_t *remote_bd_addr, bt_property_t *prop) { bt_uuid_t *p_uuid = (bt_uuid_t*)prop->val + i; memset(buf, 0, sizeof(buf)); - uuid_to_string_legacy(p_uuid, buf); + uuid_to_string_legacy(p_uuid, buf, sizeof(buf)); strcat(value, buf); //strcat(value, ";"); strcat(value, " "); diff --git a/btif/src/btif_util.cc b/btif/src/btif_util.cc index ad1e9f151..0cdc055d1 100644 --- a/btif/src/btif_util.cc +++ b/btif/src/btif_util.cc @@ -143,7 +143,7 @@ bool string_to_uuid(const char *str, bt_uuid_t *p_uuid) return true; } -void uuid_to_string_legacy(bt_uuid_t *p_uuid, char *str) +void uuid_to_string_legacy(bt_uuid_t *p_uuid, char *str, size_t str_len) { uint32_t uuid0, uuid4; uint16_t uuid1, uuid2, uuid3, uuid5; @@ -155,10 +155,10 @@ void uuid_to_string_legacy(bt_uuid_t *p_uuid, char *str) memcpy(&uuid4, &(p_uuid->uu[10]), 4); memcpy(&uuid5, &(p_uuid->uu[14]), 2); - sprintf((char *)str, "%.8x-%.4x-%.4x-%.4x-%.8x%.4x", - ntohl(uuid0), ntohs(uuid1), - ntohs(uuid2), ntohs(uuid3), - ntohl(uuid4), ntohs(uuid5)); + snprintf(str, str_len, "%.8x-%.4x-%.4x-%.4x-%.8x%.4x", + ntohl(uuid0), ntohs(uuid1), + ntohs(uuid2), ntohs(uuid3), + ntohl(uuid4), ntohs(uuid5)); return; } diff --git a/osi/src/config.c b/osi/src/config.c index 345f907d5..0f3f5648b 100644 --- a/osi/src/config.c +++ b/osi/src/config.c @@ -197,7 +197,7 @@ void config_set_int(config_t *config, const char *section, const char *key, int assert(key != NULL); char value_str[32] = { 0 }; - sprintf(value_str, "%d", value); + snprintf(value_str, sizeof(value_str), "%d", value); config_set_string(config, section, key, value_str); } diff --git a/stack/btm/btm_inq.c b/stack/btm/btm_inq.c index f2370482d..11870e01e 100644 --- a/stack/btm/btm_inq.c +++ b/stack/btm/btm_inq.c 
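Review bot: After the bounded `uuid_to_string_legacy(p_uuid, buf, sizeof(buf))` the result is still appended with unbounded `strcat(value, buf)` and `strcat(value, " ")` inside the loop over the property's UUIDs, so the destination `value` (declared outside the hunk) can still overflow if enough UUIDs are stored; the commit bounds the intermediate buffer but not the one that grows. Use a length-checked append (`strlcpy` is used in gatt_utils.c in this same diff, so `strlcat` is presumably available) or track the remaining room explicitly, and check the result for truncation. prop2cfg starts and ends outside the hunk.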
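Review bot: uuid_to_string_legacy now takes `str_len` but nothing states the contract: the format `%.8x-%.4x-%.4x-%.4x-%.8x%.4x` always yields 36 characters, so any `str_len` below 37 truncates silently, and the callers changed in this commit pass buffers of 128 and 256 bytes plus ones (`temp` in the second btif_dm.cc hunk, `buf` in btif_storage.cc) whose size is not visible. A header comment on the definition such as `/* Formats the 16-byte UUID as 8-4-4-4-12 hex (36 chars); str_len must be >= 37 or the result is truncated without error. */` would make that explicit. The trailing `return;` in a void function is noise and can go.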
@@ -2735,7 +2735,8 @@ uint8_t BTM_GetEirUuidList( uint8_t *p_eir, uint8_t uuid_size, uint8_t *p_num_uu { STREAM_TO_ARRAY16(p_uuid_list + yy * LEN_UUID_128, p_uuid_data); for( xx = 0; xx < LEN_UUID_128; xx++ ) - sprintf(buff + xx*2, "%02X", *(p_uuid_list + yy * LEN_UUID_128 + xx)); + snprintf(buff + xx*2, sizeof(buff) - xx*2, "%02X", + *(p_uuid_list + yy * LEN_UUID_128 + xx)); BTM_TRACE_DEBUG(" 0x%s", buff); } } diff --git a/stack/btm/btm_sec.c b/stack/btm/btm_sec.c index 3236faa91..3fd09c4cf 100644 --- a/stack/btm/btm_sec.c +++ b/stack/btm/btm_sec.c @@ -39,7 +39,7 @@ #include "l2c_int.h" #if (BT_USE_TRACES == TRUE && BT_TRACE_VERBOSE == FALSE) -/* needed for sprintf() */ +/* needed for snprintf() */ #include #endif @@ -5885,7 +5885,8 @@ static char *btm_pair_state_descr (tBTM_PAIRING_STATE state) return("???"); #else - sprintf(btm_cb.state_temp_buffer,"%hhu",state); + snprintf(btm_cb.state_temp_buffer, sizeof(btm_cb.state_temp_buffer), + "%hhu", state); return(btm_cb.state_temp_buffer); #endif diff --git a/stack/gatt/gatt_db.c b/stack/gatt/gatt_db.c index 0b5456ece..9eb2794d4 100644 --- a/stack/gatt/gatt_db.c +++ b/stack/gatt/gatt_db.c 
@@ -882,29 +882,27 @@ tGATT_STATUS gatts_write_attr_perm_check (tGATT_SVC_DB *p_db, uint8_t op_code, return status; } -static void uuid_to_str(const tBT_UUID bt_uuid, char *str_buf) +static void uuid_to_str(const tBT_UUID bt_uuid, char *str_buf, size_t buf_len) { - int x = 0; - if (bt_uuid.len == LEN_UUID_16) { - sprintf(str_buf, "0x%04x", bt_uuid.uu.uuid16); + snprintf(str_buf, buf_len, "0x%04x", bt_uuid.uu.uuid16); } else if (bt_uuid.len == LEN_UUID_32) { - sprintf(str_buf, "0x%08x", bt_uuid.uu.uuid32); + snprintf(str_buf, buf_len, "0x%08x", bt_uuid.uu.uuid32); } else if (bt_uuid.len == LEN_UUID_128) { - x += sprintf(&str_buf[x], "%02x%02x%02x%02x-%02x%02x-%02x%02x-", + int x = snprintf(str_buf, buf_len, "%02x%02x%02x%02x-%02x%02x-%02x%02x-", bt_uuid.uu.uuid128[15], bt_uuid.uu.uuid128[14], bt_uuid.uu.uuid128[13], bt_uuid.uu.uuid128[12], bt_uuid.uu.uuid128[11], bt_uuid.uu.uuid128[10], bt_uuid.uu.uuid128[9], bt_uuid.uu.uuid128[8]); - sprintf(&str_buf[x], "%02x%02x-%02x%02x%02x%02x%02x%02x", + snprintf(&str_buf[x], buf_len - x, "%02x%02x-%02x%02x%02x%02x%02x%02x", bt_uuid.uu.uuid128[7], bt_uuid.uu.uuid128[6], bt_uuid.uu.uuid128[5], bt_uuid.uu.uuid128[4], bt_uuid.uu.uuid128[3], bt_uuid.uu.uuid128[2], bt_uuid.uu.uuid128[1], bt_uuid.uu.uuid128[0]); } else - sprintf(str_buf, "Unknown (len=%d)", bt_uuid.len); + snprintf(str_buf, buf_len, "Unknown (len=%d)", bt_uuid.len); } /******************************************************************************* @@ -967,7 +965,7 @@ static void *allocate_attr_in_db(tGATT_SVC_DB *p_db, tBT_UUID *p_uuid, tGATT_PER } char uuid_str[37]; - uuid_to_str(p_attr->uuid, uuid_str); + uuid_to_str(p_attr->uuid, uuid_str, sizeof(uuid_str)); GATT_TRACE_ERROR("=====> handle = [0x%04x] uuid = [%s] perm=0x%02x ", p_attr->handle, uuid_str, p_attr->permission); diff --git a/stack/gatt/gatt_utils.c b/stack/gatt/gatt_utils.c index 9d77ed9ba..146a069b5 100644 --- a/stack/gatt/gatt_utils.c +++ b/stack/gatt/gatt_utils.c 
@@ -2285,28 +2285,29 @@ uint8_t * gatt_dbg_op_name(uint8_t op_code) void gatt_dbg_display_uuid(tBT_UUID bt_uuid) { char str_buf[50]; - int x = 0; if (bt_uuid.len == LEN_UUID_16) { - sprintf(str_buf, "0x%04x", bt_uuid.uu.uuid16); + snprintf(str_buf, sizeof(str_buf), "0x%04x", bt_uuid.uu.uuid16); } else if (bt_uuid.len == LEN_UUID_32) { - sprintf(str_buf, "0x%08x", (unsigned int)bt_uuid.uu.uuid32); + snprintf(str_buf, sizeof(str_buf), "0x%08x", (unsigned int)bt_uuid.uu.uuid32); } else if (bt_uuid.len == LEN_UUID_128) { - x += sprintf(&str_buf[x], "0x%02x%02x%02x%02x%02x%02x%02x%02x", - bt_uuid.uu.uuid128[15], bt_uuid.uu.uuid128[14], - bt_uuid.uu.uuid128[13], bt_uuid.uu.uuid128[12], - bt_uuid.uu.uuid128[11], bt_uuid.uu.uuid128[10], - bt_uuid.uu.uuid128[9], bt_uuid.uu.uuid128[8]); - sprintf(&str_buf[x], "%02x%02x%02x%02x%02x%02x%02x%02x", - bt_uuid.uu.uuid128[7], bt_uuid.uu.uuid128[6], - bt_uuid.uu.uuid128[5], bt_uuid.uu.uuid128[4], - bt_uuid.uu.uuid128[3], bt_uuid.uu.uuid128[2], - bt_uuid.uu.uuid128[1], bt_uuid.uu.uuid128[0]); + int x = snprintf(str_buf, sizeof(str_buf), + "0x%02x%02x%02x%02x%02x%02x%02x%02x", + bt_uuid.uu.uuid128[15], bt_uuid.uu.uuid128[14], + bt_uuid.uu.uuid128[13], bt_uuid.uu.uuid128[12], + bt_uuid.uu.uuid128[11], bt_uuid.uu.uuid128[10], + bt_uuid.uu.uuid128[9], bt_uuid.uu.uuid128[8]); + snprintf(&str_buf[x], sizeof(str_buf) - x, + "%02x%02x%02x%02x%02x%02x%02x%02x", + bt_uuid.uu.uuid128[7], bt_uuid.uu.uuid128[6], + bt_uuid.uu.uuid128[5], bt_uuid.uu.uuid128[4], + bt_uuid.uu.uuid128[3], bt_uuid.uu.uuid128[2], + bt_uuid.uu.uuid128[1], bt_uuid.uu.uuid128[0]); } else strlcpy(str_buf, "Unknown UUID 0", sizeof(str_buf)); diff --git a/stack/l2cap/l2c_fcr.c b/stack/l2cap/l2c_fcr.c index 6cb0bd0a5..90c9dc2a9 100644 --- a/stack/l2cap/l2c_fcr.c +++ b/stack/l2cap/l2c_fcr.c 
@@ -244,7 +244,8 @@ void l2c_fcr_cleanup (tL2C_CCB *p_ccb) if ( (p_ccb->local_cid >= L2CAP_BASE_APPL_CID) && (p_ccb->peer_cfg.fcr.mode == L2CAP_FCR_ERTM_MODE) ) { uint32_t dur = time_get_os_boottime_ms() - p_ccb->fcrb.connect_tick_count; - char *p_str = (char *)osi_malloc(120); + size_t p_str_size = 120; + char *p_str = (char *)osi_malloc(p_str_size); uint16_t i; uint32_t throughput_avg, ack_delay_avg, ack_q_count_avg; @@ -258,14 +259,14 @@ void l2c_fcr_cleanup (tL2C_CCB *p_ccb) BT_TRACE(TRACE_CTRL_GENERAL | TRACE_LAYER_GKI | TRACE_ORG_GKI , TRACE_TYPE_GENERIC, "max_held_acks:%08u, in_cfg.fcr.tx_win_sz:%08u", p_ccb->fcrb.max_held_acks, p_ccb->peer_cfg.fcr.tx_win_sz ); - sprintf(p_str, "Sent Pkts:%08u Bytes:%10u(%06u/sec) RR:%08u REJ:%08u RNR:%08u SREJ:%08u", + snprintf(p_str, p_str_size, "Sent Pkts:%08u Bytes:%10u(%06u/sec) RR:%08u REJ:%08u RNR:%08u SREJ:%08u", p_ccb->fcrb.ertm_pkt_counts[0], p_ccb->fcrb.ertm_byte_counts[0], (dur >= 10 ? (p_ccb->fcrb.ertm_byte_counts[0] * 100) / (dur / 10) : 0), p_ccb->fcrb.s_frames_sent[0], p_ccb->fcrb.s_frames_sent[1], p_ccb->fcrb.s_frames_sent[2], p_ccb->fcrb.s_frames_sent[3]); BT_TRACE(TRACE_CTRL_GENERAL | TRACE_LAYER_GKI | TRACE_ORG_GKI , TRACE_TYPE_GENERIC, "%s", p_str); - sprintf(p_str, "Rcvd Pkts:%08u Bytes:%10u(%06u/sec) RR:%08u REJ:%08u RNR:%08u SREJ:%08u", + snprintf(p_str, p_str_size, "Rcvd Pkts:%08u Bytes:%10u(%06u/sec) RR:%08u REJ:%08u RNR:%08u SREJ:%08u", p_ccb->fcrb.ertm_pkt_counts[1], p_ccb->fcrb.ertm_byte_counts[1], (dur >= 10 ? (p_ccb->fcrb.ertm_byte_counts[1] * 100) / (dur / 10) : 0), p_ccb->fcrb.s_frames_rcvd[0], p_ccb->fcrb.s_frames_rcvd[1], p_ccb->fcrb.s_frames_rcvd[2], p_ccb->fcrb.s_frames_rcvd[3]); 
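Review bot: `size_t p_str_size = 120;` keeps the buffer length as a magic number, and the three format strings in this function (`"Sent Pkts:..."`, `"Rcvd Pkts:..."` and the per-slot `"[%02u] throughput: ..."` line) fit in 120 only while every counter stays within its minimum field width; `%3u`/`%5u` widen for larger values, so a busy channel now yields a truncated trace instead of a heap overflow. A named constant with the reasoning next to it, e.g. `enum { L2C_FCR_STATS_STR_SIZE = 120 };` with a comment that the longest fixed format is 99 characters before field widening, or simply `char p_str[120]` on the stack since the buffer only feeds traces, would document that. The `(char *)` cast on osi_malloc is unnecessary in C, and whether `p_str` is freed on every path is outside the hunk.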
@@ -283,7 +284,7 @@ void l2c_fcr_cleanup (tL2C_CCB *p_ccb) continue; } - sprintf(p_str, "[%02u] throughput: %5u, ack_delay avg:%3u, min:%3u, max:%3u, ack_q_count avg:%3u, min:%3u, max:%3u", + snprintf(p_str, p_str_size, "[%02u] throughput: %5u, ack_delay avg:%3u, min:%3u, max:%3u, ack_q_count avg:%3u, min:%3u, max:%3u", i, p_ccb->fcrb.throughput[i], p_ccb->fcrb.ack_delay_avg[i], p_ccb->fcrb.ack_delay_min[i], p_ccb->fcrb.ack_delay_max[i], p_ccb->fcrb.ack_q_count_avg[i], p_ccb->fcrb.ack_q_count_min[i], p_ccb->fcrb.ack_q_count_max[i] ); @@ -2497,7 +2498,7 @@ static void l2c_fcr_collect_ack_delay (tL2C_CCB *p_ccb, uint8_t num_bufs_acked) p_ccb->fcrb.throughput_start = timestamp; - sprintf(str, "[%02u] throughput: %5u, ack_delay avg:%3u, min:%3u, max:%3u, ack_q_count avg:%3u, min:%3u, max:%3u", + snprintf(str, sizeof(str), "[%02u] throughput: %5u, ack_delay avg:%3u, min:%3u, max:%3u, ack_q_count avg:%3u, min:%3u, max:%3u", index, p_ccb->fcrb.throughput[index], p_ccb->fcrb.ack_delay_avg[index], p_ccb->fcrb.ack_delay_min[index], p_ccb->fcrb.ack_delay_max[index], p_ccb->fcrb.ack_q_count_avg[index], p_ccb->fcrb.ack_q_count_min[index], p_ccb->fcrb.ack_q_count_max[index] ); diff --git a/stack/pan/pan_utils.c b/stack/pan/pan_utils.c index c5555a8a5..54fd524cf 100644 --- a/stack/pan/pan_utils.c +++ b/stack/pan/pan_utils.c @@ -334,7 +334,8 @@ void pan_dump_status (void) for (i = 0, p_pcb = pan_cb.pcb; i < MAX_PAN_CONNS; i++, p_pcb++) { - sprintf (buff, "%d state %d, handle %d, src 0x%x, dst 0x%x, BD %x.%x.%x.%x.%x.%x", + snprintf (buff, sizeof(buff), + "%d state %d, handle %d, src 0x%x, dst 0x%x, BD %x.%x.%x.%x.%x.%x", i, p_pcb->con_state, p_pcb->handle, p_pcb->src_uuid, p_pcb->dst_uuid, p_pcb->rem_bda[0], p_pcb->rem_bda[1], p_pcb->rem_bda[2], p_pcb->rem_bda[3], p_pcb->rem_bda[4], p_pcb->rem_bda[5]); diff --git a/stack/sdp/sdp_db.c b/stack/sdp/sdp_db.c index 03b3497ab..77e4fe425 100644 --- a/stack/sdp/sdp_db.c +++ b/stack/sdp/sdp_db.c 
@@ -409,13 +409,13 @@ bool SDP_AddAttribute (uint32_t handle, uint16_t attr_id, uint8_t attr_type, (attr_type == DATA_ELE_ALT_DESC_TYPE)) { uint8_t num_array[400]; - uint32_t i; uint32_t len = (attr_len > 200) ? 200 : attr_len; num_array[0] ='\0'; - for (i = 0; i < len; i++) + for (uint32_t i = 0; i < len; i++) { - sprintf((char *)&num_array[i*2],"%02X",(uint8_t)(p_val[i])); + snprintf((char *)&num_array[i*2], sizeof(num_array) - i*2, + "%02X",(uint8_t)(p_val[i])); } SDP_TRACE_DEBUG("SDP_AddAttribute: handle:%X, id:%04X, type:%d, len:%d, p_val:%p, *p_val:%s", handle,attr_id,attr_type,attr_len,p_val,num_array); diff --git a/stack/sdp/sdp_discovery.c b/stack/sdp/sdp_discovery.c index 66d4ac713..d1fdc551d 100644 --- a/stack/sdp/sdp_discovery.c +++ b/stack/sdp/sdp_discovery.c @@ -354,7 +354,8 @@ static void sdp_copy_raw_data (tCONN_CB *p_ccb, bool offset) for (i = 0; i < p_ccb->list_len; i++) { - sprintf((char *)&num_array[i*2],"%02X",(uint8_t)(p_ccb->rsp_list[i])); + snprintf((char *)&num_array[i*2], sizeof(num_array) - i*2, + "%02X",(uint8_t)(p_ccb->rsp_list[i])); } SDP_TRACE_WARNING("result :%s",num_array); #endif diff --git a/stack/smp/smp_keys.c b/stack/smp/smp_keys.c index 7087bc99e..61b6e16b8 100644 --- a/stack/smp/smp_keys.c +++ b/stack/smp/smp_keys.c @@ -77,7 +77,7 @@ void smp_debug_print_nbyte_little_endian(uint8_t *p, const uint8_t *key_name, ui { for (int column = 0, x = 0; (ind < len) && (column < col_count); column++, ind++) { - x += sprintf((char *)&p_buf[x], "%02x ", p[ind]); + x += snprintf((char *)&p_buf[x], sizeof(p_buf) - x, "%02x ", p[ind]); } SMP_TRACE_WARNING(" [%03d]: %s", row * col_count, p_buf); } 
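Review bot: `uint8_t num_array[400]` with `len` capped at 200 is one byte short: on the last iteration `i == 199` the write lands at `&num_array[398]` with `sizeof(num_array) - i*2 == 2`, so snprintf stores one hex digit plus the NUL and the final attribute byte is printed as a single digit. The old sprintf put its NUL at `num_array[400]`, a one-byte overflow, which this commit turns into silent truncation rather than fixing. Either `uint8_t num_array[401];` or cap at 199 (`(attr_len > 199) ? 199 : attr_len`) so two digits plus NUL always fit; the first is the smaller change. The same arithmetic in sdp_discovery.c depends on a `num_array` declared outside its hunk.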
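Review bot: The loop `for (i = 0; i < p_ccb->list_len; i++)` in sdp_copy_raw_data is bounded by the length of the received response, not by `num_array` (declared outside the hunk), and `sizeof(num_array) - i*2` is unsigned: once `i*2` reaches `sizeof(num_array)` the size argument wraps to a very large value and snprintf writes past the array exactly as sprintf did. `list_len` comes from the remote peer's SDP data, so where this trace is compiled in the bound has to come from the array, e.g. `for (i = 0; i < p_ccb->list_len && i*2 + 3 <= sizeof(num_array); i++)` (three bytes for two digits plus the NUL). Stopping the loop also keeps the trace from being cut mid-byte.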
@@ -101,7 +101,7 @@ void smp_debug_print_nbyte_big_endian (uint8_t *p, const uint8_t *key_name, uint { for (int col = 0, x = 0; (ind < len) && (col < ncols); col++, ind++) { - x += sprintf ((char *)&p_buf[len-x-1], "%02x ", p[ind]); + x += snprintf ((char *)&p_buf[len-x-1], sizeof(p_buf) - (len-x-1), "%02x ", p[ind]); } SMP_TRACE_WARNING("[%03d]: %s", row * ncols, p_buf); } -- 2.11.0
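Review bot: In smp_debug_print_nbyte_big_endian the new size `sizeof(p_buf) - (len-x-1)` follows the destination `&p_buf[len-x-1]`, which steps backwards by 3 per column while each `"%02x "` write occupies 4 bytes including its NUL, so as far as the hunk shows each call overwrites the first digit of the previous one; and once `x` exceeds `len-1` the index goes negative, the subtraction wraps and the size argument no longer bounds anything. `len` is the key length in bytes, not the capacity of `p_buf`, so two different quantities are being mixed in the index. The little-endian sibling at @@ -77 writes forward with `&p_buf[x]`; this function should do the same and take the reverse order from the index into `p` rather than into `p_buf`. `p_buf` itself is declared outside the hunk.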