[BlueZ,v2,19/20] avrcp: Fix uninitialised memory usage

Message ID 20240510121355.3241456-20-hadess@hadess.net (mailing list archive)
State Accepted
Commit af2634ce0a62e5b1b98db139daf96b54eb8360d1
Series Fix a number of static analysis issues

Checks

Context Check Description
tedd_an/pre-ci_am success Success
tedd_an/CheckPatch warning
    WARNING:COMMIT_LOG_LONG_LINE: Possible unwrapped commit description (prefer a maximum 75 chars per line)
    #55:
    2567|-> item = media_player_create_item(mp, name, PLAYER_ITEM_TYPE_AUDIO, uid);

    /github/workspace/src/src/13661529.patch total: 0 errors, 1 warnings, 26 lines checked

    NOTE: For some of the reported defects, checkpatch may be able to mechanically convert to the typical style using --fix or --fix-inplace.

    /github/workspace/src/src/13661529.patch has style problems, please review.

    NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO

    NOTE: If any of the errors are false positives, please report them to the maintainer, see CHECKPATCH in MAINTAINERS.
tedd_an/GitLint fail
    WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
    4: B1 Line exceeds max length (98>80): "bluez-5.75/profiles/audio/avrcp.c:2550:2: var_decl: Declaring variable "name" without initializer."
    5: B1 Line exceeds max length (136>80): "bluez-5.75/profiles/audio/avrcp.c:2567:2: uninit_use_in_call: Using uninitialized value "*name" when calling "media_player_create_item"."
    6: B3 Line contains hard tab characters (\t): "2565| mp = player->user_data;"
    8: B3 Line contains hard tab characters (\t): "2567|-> item = media_player_create_item(mp, name, PLAYER_ITEM_TYPE_AUDIO, uid);"
    9: B3 Line contains hard tab characters (\t): "2568| if (item == NULL)"
    10: B3 Line contains hard tab characters (\t): "2569| return NULL;"
    13: B1 Line exceeds max length (98>80): "bluez-5.75/profiles/audio/avrcp.c:2583:2: var_decl: Declaring variable "name" without initializer."
    14: B1 Line exceeds max length (138>80): "bluez-5.75/profiles/audio/avrcp.c:2601:2: uninit_use_in_call: Using uninitialized value "*name" when calling "media_player_create_folder"."
    15: B3 Line contains hard tab characters (\t): "2599| }"
    17: B3 Line contains hard tab characters (\t): "2601|-> item = media_player_create_folder(mp, name, type, uid);"
    18: B3 Line contains hard tab characters (\t): "2602| if (!item)"
    19: B3 Line contains hard tab characters (\t): "2603| return NULL;"

Commit Message

Bastien Nocera May 10, 2024, 12:10 p.m. UTC
Error: UNINIT (CWE-457): [#def35] [important]
bluez-5.75/profiles/audio/avrcp.c:2550:2: var_decl: Declaring variable "name" without initializer.
bluez-5.75/profiles/audio/avrcp.c:2567:2: uninit_use_in_call: Using uninitialized value "*name" when calling "media_player_create_item".
2565|		mp = player->user_data;
2566|
2567|->		item = media_player_create_item(mp, name, PLAYER_ITEM_TYPE_AUDIO, uid);
2568|		if (item == NULL)
2569|			return NULL;

Error: UNINIT (CWE-457): [#def36] [important]
bluez-5.75/profiles/audio/avrcp.c:2583:2: var_decl: Declaring variable "name" without initializer.
bluez-5.75/profiles/audio/avrcp.c:2601:2: uninit_use_in_call: Using uninitialized value "*name" when calling "media_player_create_folder".
2599|		}
2600|
2601|->		item = media_player_create_folder(mp, name, type, uid);
2602|		if (!item)
2603|			return NULL;
---
 profiles/audio/avrcp.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

Patch

diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
index 36ce01a14eea..752e55be37a4 100644
--- a/profiles/audio/avrcp.c
+++ b/profiles/audio/avrcp.c
@@ -2555,11 +2555,10 @@  static struct media_item *parse_media_element(struct avrcp *session,
 
 	uid = get_be64(&operands[0]);
 
+	memset(name, 0, sizeof(name));
 	namelen = MIN(get_be16(&operands[11]), sizeof(name) - 1);
-	if (namelen > 0) {
+	if (namelen > 0)
 		memcpy(name, &operands[13], namelen);
-		name[namelen] = '\0';
-	}
 
 	player = session->controller->player;
 	mp = player->user_data;
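
Review bot: the memset(name, 0, sizeof(name)) added ahead of the namelen computation in parse_media_element clears the whole buffer on every parsed element, while the defect being fixed is only that the terminator was never written when namelen is 0. Moving the removed `name[namelen] = '\0';` out of the `if` block would close the same uninitialised read with a single store, and since namelen is already clamped to sizeof(name) - 1 that index stays in bounds. If the full memset is kept on purpose (for example so no stack residue remains after the name), a short comment saying so would help, and the remaining `if (namelen > 0)` guard could then be dropped because a zero-length memcpy copies nothing.
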
@@ -2592,11 +2591,10 @@  static struct media_item *parse_media_folder(struct avrcp *session,
 	type = operands[8];
 	playable = operands[9];
 
+	memset(name, 0, sizeof(name));
 	namelen = MIN(get_be16(&operands[12]), sizeof(name) - 1);
-	if (namelen > 0) {
+	if (namelen > 0)
 		memcpy(name, &operands[14], namelen);
-		name[namelen] = '\0';
-	}
 
 	item = media_player_create_folder(mp, name, type, uid);
 	if (!item)
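
Review bot: in parse_media_folder the memcpy from &operands[14] uses a namelen that is clamped only against the destination (sizeof(name) - 1); nothing in the visible lines compares 14 + namelen with the length of the operands buffer. Since namelen comes from get_be16(&operands[12]), a value taken from the received data, a length field larger than the data that actually follows would make the copy read past the end of the source. If that bound is not already checked earlier in the function, it should be added alongside this change, and the same applies to the copy from &operands[13] in parse_media_element.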