[BlueZ,09/15] isotest: Fix bad free

Message ID 20240516090340.61417-10-hadess@hadess.net (mailing list archive)
State Accepted
Commit 7a638557049441ec055729055dcfb5fc38c5d06a
Series Fix a number of static analysis issues #2

Checks

Context Check Description
tedd_an/pre-ci_am success Success
tedd_an/CheckPatch warning
    WARNING:LINE_SPACING: Missing a blank line after declarations
    #75: FILE: tools/isotest.c:1462:
    + char *tmp = filename;
    + filename = strdup(strchr(filename, ',') + 1);

    /github/workspace/src/src/13665901.patch total: 0 errors, 1 warnings, 13 lines checked

    NOTE: For some of the reported defects, checkpatch may be able to mechanically convert to the typical style using --fix or --fix-inplace.

    /github/workspace/src/src/13665901.patch has style problems, please review.

    NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO

    NOTE: If any of the errors are false positives, please report them to the maintainer, see CHECKPATCH in MAINTAINERS.
tedd_an/GitLint fail
    WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
    4: B1 Line exceeds max length (86>80): "bluez-5.75/tools/isotest.c:1461:5: address: Taking offset from "strchr(filename, 44)"."
    5: B1 Line exceeds max length (94>80): "bluez-5.75/tools/isotest.c:1461:5: assign: Assigning: "filename" = "strchr(filename, 44) + 1"."
    6: B1 Line exceeds max length (93>80): "bluez-5.75/tools/isotest.c:1536:2: incorrect_free: "free" frees incorrect pointer "filename"."
    9: B3 Line contains hard tab characters (\t): "1536|-> free(filename);"
    11: B3 Line contains hard tab characters (\t): "1538| syslog(LOG_INFO, "Exit");"
tedd_an/IncrementalBuild success Incremental Build PASS

Commit Message

Bastien Nocera May 16, 2024, 9:03 a.m. UTC
Error: BAD_FREE (CWE-763): [#def58] [important]
bluez-5.75/tools/isotest.c:1461:5: address: Taking offset from "strchr(filename, 44)".
bluez-5.75/tools/isotest.c:1461:5: assign: Assigning: "filename" = "strchr(filename, 44) + 1".
bluez-5.75/tools/isotest.c:1536:2: incorrect_free: "free" frees incorrect pointer "filename".
1534|
1535|   done:
1536|->		free(filename);
1537|
1538|		syslog(LOG_INFO, "Exit");
---
 tools/isotest.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

Patch

diff --git a/tools/isotest.c b/tools/isotest.c
index 58293133a304..fc1c26b23c3b 100644
--- a/tools/isotest.c
+++ b/tools/isotest.c
@@ -1457,8 +1457,11 @@  int main(int argc, char *argv[])
 		switch (mode) {
 		case SEND:
 			send_mode(filename, argv[optind + i], i, repeat);
-			if (filename && strchr(filename, ','))
-				filename = strchr(filename, ',') + 1;
+			if (filename && strchr(filename, ',')) {
+				char *tmp = filename;
+				filename = strdup(strchr(filename, ',') + 1);
+				free(tmp);
+			}
 			break;
 
 		case RECONNECT:
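
Review bot: the strdup() return value in the new SEND branch is never checked, so on allocation failure filename becomes NULL after the original buffer has already been released by free(tmp), and any later send_mode(filename, ...) call would run without a file name instead of reporting the error. Check the result before freeing tmp and bail out on NULL. A lighter alternative is to leave the original allocation untouched, advance a separate cursor pointer past the comma, and keep the single free of the original pointer that the commit message shows at line 1536, which avoids the extra allocation altogether. Two smaller points: strchr(filename, ',') is evaluated twice and its result could be stored once, and the LINE_SPACING warning from CheckPatch is resolved by a blank line after "char *tmp = filename;".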