[BlueZ,12/15] mgmt-tester: Fix non-nul-terminated string

Message ID	20240516090340.61417-13-hadess@hadess.net (mailing list archive)
State	Accepted
Commit	49d06560692f4307635a28b627a00d8c81948c48
Headers	show Received: from relay5-d.mail.gandi.net (relay5-d.mail.gandi.net [217.70.183.197]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 94653143757 for <linux-bluetooth@vger.kernel.org>; Thu, 16 May 2024 09:03:51 +0000 (UTC) From: Bastien Nocera <hadess@hadess.net> To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera <hadess@hadess.net> Subject: [BlueZ 12/15] mgmt-tester: Fix non-nul-terminated string Date: Thu, 16 May 2024 11:03:16 +0200 Message-ID: <20240516090340.61417-13-hadess@hadess.net> In-Reply-To: <20240516090340.61417-1-hadess@hadess.net> References: <20240516090340.61417-1-hadess@hadess.net> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	Fix a number of static analysis issues #2 \| expand [BlueZ,00/15] Fix a number of static analysis issues #2 [BlueZ,01/15] main: Simplify variable assignment [BlueZ,02/15] shared/ecc: Fix uninitialised variable usage [BlueZ,03/15] shared/gatt-client: Fix uninitialised variable usage [BlueZ,04/15] tools/mesh-cfgclient: Fix uninitialised variable usage [BlueZ,05/15] test-runner: Remove unused envp [BlueZ,06/15] test-runner: Fix uninitialised variable usage [BlueZ,07/15] test-runner: Fix uninitialised variable usage [BlueZ,08/15] shared/bap: Fix possible use-after-free [BlueZ,09/15] isotest: Fix bad free [BlueZ,10/15] test-runner: Fix fd leak on failure [BlueZ,11/15] isotest: Fix string size expectations [BlueZ,12/15] mgmt-tester: Fix non-nul-terminated string [BlueZ,13/15] gdbus: Check sprintf retval [BlueZ,14/15] shared/bap: Fix memory leak in error path [BlueZ,15/15] android/handsfree: Check sprintf retval

Message ID

20240516090340.61417-13-hadess@hadess.net (mailing list archive)

State

Accepted

Commit

49d06560692f4307635a28b627a00d8c81948c48

Headers

From: Bastien Nocera <hadess@hadess.net>
To: linux-bluetooth@vger.kernel.org
Cc: Bastien Nocera <hadess@hadess.net>
Subject: [BlueZ 12/15] mgmt-tester: Fix non-nul-terminated string
Date: Thu, 16 May 2024 11:03:16 +0200
Message-ID: <20240516090340.61417-13-hadess@hadess.net>
In-Reply-To: <20240516090340.61417-1-hadess@hadess.net>
References: <20240516090340.61417-1-hadess@hadess.net>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

Fix a number of static analysis issues #2 | expand

Checks

Context	Check	Description
tedd_an/pre-ci_am	success	Success
tedd_an/CheckPatch	success	CheckPatch PASS
tedd_an/GitLint	fail	WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search 4: B1 Line exceeds max length (119>80): "bluez-5.75/tools/mgmt-tester.c:12670:2: string_null_source: Function "vhci_read_devcd" does not terminate string "buf"." 5: B1 Line exceeds max length (141>80): "bluez-5.75/tools/mgmt-tester.c:12677:2: string_null: Passing unterminated string "buf" to "strtok_r", which expects a null-terminated string." 7: B3 Line contains hard tab characters (\t): "12676\| /* Verify if all devcoredump header fields are present */" 8: B3 Line contains hard tab characters (\t): "12677\|-> line = strtok_r(buf, delim, &saveptr);" 9: B3 Line contains hard tab characters (\t): "12678\| while (strlen(test->expect_dump_data[i])) {" 10: B3 Line contains hard tab characters (\t): "12679\| if (!line \|\| strcmp(line, test->expect_dump_data[i])) {"

Context

Check

Description

tedd_an/pre-ci_am

success

Success

tedd_an/CheckPatch

success

CheckPatch PASS

tedd_an/GitLint

fail

WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search 4: B1 Line exceeds max length (119>80): "bluez-5.75/tools/mgmt-tester.c:12670:2: string_null_source: Function "vhci_read_devcd" does not terminate string "buf"." 5: B1 Line exceeds max length (141>80): "bluez-5.75/tools/mgmt-tester.c:12677:2: string_null: Passing unterminated string "buf" to "strtok_r", which expects a null-terminated string." 7: B3 Line contains hard tab characters (\t): "12676| /* Verify if all devcoredump header fields are present */" 8: B3 Line contains hard tab characters (\t): "12677|-> line = strtok_r(buf, delim, &saveptr);" 9: B3 Line contains hard tab characters (\t): "12678| while (strlen(test->expect_dump_data[i])) {" 10: B3 Line contains hard tab characters (\t): "12679| if (!line || strcmp(line, test->expect_dump_data[i])) {"

Commit Message

Bastien Nocera May 16, 2024, 9:03 a.m. UTC

Error: STRING_NULL (CWE-170): [#def59] [important]
bluez-5.75/tools/mgmt-tester.c:12670:2: string_null_source: Function "vhci_read_devcd" does not terminate string "buf".
bluez-5.75/tools/mgmt-tester.c:12677:2: string_null: Passing unterminated string "buf" to "strtok_r", which expects a null-terminated string.
12675|
12676|		/* Verify if all devcoredump header fields are present */
12677|->	line = strtok_r(buf, delim, &saveptr);
12678|		while (strlen(test->expect_dump_data[i])) {
12679|			if (!line || strcmp(line, test->expect_dump_data[i])) {
---
 tools/mgmt-tester.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/tools/mgmt-tester.c b/tools/mgmt-tester.c
index 8a4fbc2eb6a6..8076ec105ebb 100644
--- a/tools/mgmt-tester.c
+++ b/tools/mgmt-tester.c
@@ -12656,18 +12656,22 @@  static void verify_devcd(void *user_data)
 	struct test_data *data = tester_get_data();
 	const struct generic_data *test = data->test_data;
 	struct vhci *vhci = hciemu_get_vhci(data->hciemu);
-	char buf[MAX_COREDUMP_BUF_LEN] = {0};
+	char buf[MAX_COREDUMP_BUF_LEN + 1] = {0};
+	int read;
 	char delim[] = "\n";
 	char *line;
 	char *saveptr;
 	int i = 0;
 
 	/* Read the generated devcoredump file */
-	if (vhci_read_devcd(vhci, buf, sizeof(buf)) <= 0) {
+	read = vhci_read_devcd(vhci, buf, MAX_COREDUMP_BUF_LEN);
+	if (read <= 0) {
 		tester_warn("Unable to read devcoredump");
 		tester_test_failed();
 		return;
 	}
+	/* Make sure buf is nul-terminated */
+	buf[read + 1] = '\0';
 
 	/* Verify if all devcoredump header fields are present */
 	line = strtok_r(buf, delim, &saveptr);