diff mbox series

[BlueZ,1/6] monitor: Fix out-of-bound read in print_le_states

Message ID 20220401121647.3985682-2-i.kamaletdinov@omp.ru (mailing list archive)
State Accepted
Commit 7fdfb67284a2f93b13c008e69ff04f462e45c791
Series Fix bugs found by SVACE static analysis tool

Checks

Context Check Description
tedd_an/pre-ci_am success Success
tedd_an/checkpatch success Checkpatch PASS
tedd_an/gitlint success Gitlint PASS
tedd_an/setupell success Setup ELL PASS
tedd_an/buildprep success Build Prep PASS
tedd_an/build success Build Configuration PASS
tedd_an/makecheck success Make Check PASS
tedd_an/makecheckvalgrind success Make Check PASS
tedd_an/makedistcheck success Make Distcheck PASS
tedd_an/build_extell success Build External ELL PASS
tedd_an/build_extell_make success Build Make with External ELL PASS
tedd_an/incremental_build success Pass

Commit Message

Ildar Kamaletdinov April 1, 2022, 12:16 p.m. UTC
Accessing le_states_desc_table array with value 15 can cause
out-of-bound read because current size of array is 14.

Currently this cannot lead to any problems because we do not have such
state in le_states_comb_table but this could be changed in future and
raise described problem.

Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool.
---
 monitor/packet.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

Comments

bluez.test.bot@gmail.com April 1, 2022, 4 p.m. UTC | #1
This is an automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=628188

---Test result---

Test Summary:
CheckPatch                    PASS      8.20 seconds
GitLint                       PASS      5.62 seconds
Prep - Setup ELL              PASS      39.64 seconds
Build - Prep                  PASS      0.69 seconds
Build - Configure             PASS      7.87 seconds
Build - Make                  PASS      1330.57 seconds
Make Check                    PASS      11.64 seconds
Make Check w/Valgrind         PASS      404.30 seconds
Make Distcheck                PASS      209.94 seconds
Build w/ext ELL - Configure   PASS      7.88 seconds
Build w/ext ELL - Make        PASS      1278.53 seconds
Incremental Build with patchesPASS      8064.66 seconds



---
Regards,
Linux Bluetooth

Patch

diff --git a/monitor/packet.c b/monitor/packet.c
index b7431b57d..1f04063d3 100644
--- a/monitor/packet.c
+++ b/monitor/packet.c
@@ -2816,7 +2816,8 @@  static const struct {
 static void print_le_states(const uint8_t *states_array)
 {
 	uint64_t mask, states = 0;
-	int i, n;
+	int i = 0;
+	size_t n = 0;
 
 	for (i = 0; i < 8; i++)
 		states |= ((uint64_t) states_array[i]) << (i * 8);
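Review bot: the new initializers in `int i = 0;` and `size_t n = 0;` are dead stores, because the `for (i = 0; i < 8; i++)` loop directly below assigns `i` before its first use and the inner loop in the next hunk starts with `n = 0`. Consider keeping only the type change (`int i;` and `size_t n;`) so the diff carries just what the fix needs.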
@@ -2828,12 +2829,12 @@  static void print_le_states(const uint8_t *states_array)
 	for (i = 0; le_states_comb_table[i].states; i++) {
 		uint64_t val = (((uint64_t) 1) << le_states_comb_table[i].bit);
 		const char *str[3] = { NULL, };
-		int num = 0;
+		size_t num = 0;
 
 		if (!(states & val))
 			continue;
 
-		for (n = 0; n < 16; n++) {
+		for (n = 0; n < ARRAY_SIZE(le_states_desc_table); n++) {
 			if (le_states_comb_table[i].states & (1 << n))
 				str[num++] = le_states_desc_table[n].str;
 		}
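Review bot: the write `str[num++]` in the inner loop is still unbounded, while `str` is declared as `const char *str[3]`. The new `ARRAY_SIZE(le_states_desc_table)` limit protects the read from the description table but not this store, so a `le_states_comb_table` entry with more than three state bits set would write past the end of `str`. That is the same kind of table-may-change-later risk the commit message describes for the read side. Consider adding `num < ARRAY_SIZE(str)` to the `if` condition (or to the loop condition) so both arrays are bounded by their own sizes.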