QA:
Please subscribe desktop team to bug reports if not needed
Upstream code:
Source code wise I checked how the input data from device is processed and found a nit:
in device_data_input the buffer bounds are not properly/explicitly checked in daemon.c, like
in connection_device_input:
    memcpy(conn->ib_buf + conn->ib_size, payload, payload_length);
should only happen if payload_length < CONN_INBUF_SIZE - conn->ib_size
in device_data_input:
    memcpy(dev->pktbuf + dev->pktlen, buffer, length);
should only happen if length < DEV_PKTBUF_SIZE - dev->pktlen
    memcpy(dev->pktbuf, buffer, length);
should only happen if length < DEV_PKTBUF_SIZE
in client.c:
    memcpy(client->ob_buf + client->ob_size + sizeof(hdr), payload, payload_length);
has the same issue ... though that doesn't process stuff coming from the device - so isn't that critical imo.
Packaging:
looks good.
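
The explicit bounds check requested in the review above, as an added C example that is not part of the original comment or of the project's code. The names pkt_state, pkt_append, pkt_demo and the size PKTBUF_SIZE are hypothetical stand-ins for the daemon's device state and DEV_PKTBUF_SIZE; this version also accepts data that exactly fills the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed size for this example; not the value from daemon.c. */
#define PKTBUF_SIZE 64

/* Hypothetical stand-in for the device state that owns the packet buffer. */
struct pkt_state {
    uint8_t buf[PKTBUF_SIZE];
    size_t  len;              /* bytes already stored in buf */
};

/*
 * Append `length` bytes to st->buf only if they fit.
 * Returns 0 on success, -1 if the data was rejected.
 * The comparison is made against the remaining free space, so a huge
 * `length` cannot wrap around the way `st->len + length` could.
 */
int pkt_append(struct pkt_state *st, const uint8_t *data, size_t length)
{
    if (st->len > sizeof(st->buf))          /* state already inconsistent */
        return -1;
    if (length > sizeof(st->buf) - st->len) /* not enough room left */
        return -1;
    memcpy(st->buf + st->len, data, length);
    st->len += length;
    return 0;
}

/* Runs the check on constructed input; returns the final fill level. */
size_t pkt_demo(void)
{
    struct pkt_state st = { .len = 0 };
    uint8_t chunk[48];
    memset(chunk, 0xAA, sizeof(chunk));

    pkt_append(&st, chunk, sizeof(chunk));   /* accepted: 48 of 64 used */
    pkt_append(&st, chunk, sizeof(chunk));   /* rejected: only 16 free */
    pkt_append(&st, chunk, 16);              /* accepted: buffer now full */
    pkt_append(&st, chunk, (size_t)-1);      /* rejected: no wraparound */
    return st.len;
}
```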