[BlueZ,15/15] android/handsfree: Check sprintf retval

Message ID 20240516090340.61417-16-hadess@hadess.net (mailing list archive)
State Accepted
Commit c9fe888793e5422845da9ac9a6a3d8d052a46b81
Series: Fix a number of static analysis issues #2

Checks

Context Check Description

tedd_an/pre-ci_am success Success

tedd_an/CheckPatch warning
WARNING:LINE_SPACING: Missing a blank line after declarations
#80: FILE: android/handsfree.c:1254:
+ int printed;
+ printed = sprintf(ptr, "(\"%s\",(%d%c%d)),",

/github/workspace/src/src/13665905.patch total: 0 errors, 1 warnings, 32 lines checked
NOTE: For some of the reported defects, checkpatch may be able to mechanically convert to the typical style using --fix or --fix-inplace.
/github/workspace/src/src/13665905.patch has style problems, please review.
NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO
NOTE: If any of the errors are false positives, please report them to the maintainer, see CHECKPATCH in MAINTAINERS.

tedd_an/GitLint fail
WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
4: B1 Line exceeds max length (322>80): "bluez-5.75/android/handsfree.c:1247:15: error[cpp/NegativeIndex]: The value from sprintf, a standard library function that can return a negative value is used as an index. A negative array index can lead to reading or writing outside the bounds of the array. Ensure the value of the index used is within bounds before use."
5: B3 Line contains hard tab characters (\t): "1245| buf = g_malloc(len);"
7: B3 Line contains hard tab characters (\t): "1247|-> ptr = buf + sprintf(buf, "+CIND:");"
9: B3 Line contains hard tab characters (\t): "1249| for (i = 0; i < IND_COUNT; i++) {"

Commit Message

Bastien Nocera May 16, 2024, 9:03 a.m. UTC
Error: SNYK_CODE_WARNING (CWE-125): [#def62] [important]
bluez-5.75/android/handsfree.c:1247:15: error[cpp/NegativeIndex]: The value from sprintf, a standard library function that can return a negative value is used as an index. A negative array index can lead to reading or writing outside the bounds of the array. Ensure the value of the index used is within bounds before use.
1245|			buf = g_malloc(len);
1246|
1247|->			ptr = buf + sprintf(buf, "+CIND:");
1248|
1249|			for (i = 0; i < IND_COUNT; i++) {
---
 android/handsfree.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
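The analyzer's complaint above is that a formatting function's return value is added to a pointer without a sign or bounds check. As an added illustration (this is example code written for this page, not BlueZ code and not part of the patch), the block below builds the same "+CIND:" response shape with a helper that tracks the remaining space, rejects negative or truncated results, and never advances the write pointer by an unchecked amount. The format string and the `max == 1 ? ',' : '-'` rule are taken from the patch; `struct ind`, `append_fmt`, `build_cind` and the `sample_inds` table are assumptions invented here so the example runs stand-alone.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the dev->inds[] entries in android/handsfree.c
 * (example only; not the project's struct). */
struct ind {
	const char *name;
	int min;
	int max;
};

/* Constructed sample indicators for the example; values are illustrative. */
static const struct ind sample_inds[] = {
	{ "service", 0, 1 },
	{ "call",    0, 1 },
	{ "signal",  0, 5 },
};
static const size_t sample_ind_count =
		sizeof(sample_inds) / sizeof(sample_inds[0]);

/*
 * Append a formatted chunk at buf + *off, bounded by size.
 * Returns the number of bytes written (excluding the NUL) or -1 if
 * vsnprintf reported an error or the output would not fit. The offset
 * is only advanced on success, so buf is never indexed by a negative
 * or out-of-range value.
 */
static int append_fmt(char *buf, size_t size, size_t *off,
						const char *fmt, ...)
{
	va_list ap;
	int n;

	if (*off >= size)
		return -1;

	va_start(ap, fmt);
	n = vsnprintf(buf + *off, size - *off, fmt, ap);
	va_end(ap);

	if (n < 0 || (size_t)n >= size - *off)
		return -1;

	*off += (size_t)n;
	return n;
}

/*
 * Build "+CIND:(\"name\",(min,max)),..." into a caller-supplied buffer,
 * using the same per-indicator format as the patched at_cmd_cind().
 * Returns the response length on success, -1 on any formatting failure
 * or truncation. A max of 1 renders as "(0,1)", anything else as
 * "(min-max)", matching the patch's conditional.
 */
int build_cind(char *buf, size_t size, const struct ind *inds, size_t count)
{
	size_t off = 0;
	size_t i;

	if (append_fmt(buf, size, &off, "+CIND:") < 0)
		return -1;

	for (i = 0; i < count; i++) {
		if (append_fmt(buf, size, &off, "(\"%s\",(%d%c%d)),",
				inds[i].name, inds[i].min,
				inds[i].max == 1 ? ',' : '-',
				inds[i].max) < 0)
			return -1;
	}

	/* Drop the trailing comma, as the original does with ptr--. */
	if (off > 0 && buf[off - 1] == ',') {
		off--;
		buf[off] = '\0';
	}

	return (int)off;
}

int main(void)
{
	char out[128];
	char small[16];

	if (build_cind(out, sizeof(out), sample_inds, sample_ind_count) < 0)
		return 1;
	printf("%s\n", out);

	/* A buffer that is too small fails cleanly instead of overrunning. */
	if (build_cind(small, sizeof(small), sample_inds, sample_ind_count) != -1)
		return 1;

	return 0;
}
```

The difference from the patched code is that `snprintf`/`vsnprintf` also bounds the write, so an undersized `len` turns into a clean error rather than a heap overflow; the sign check alone, which is all the analyzer asked for, does not give that.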

Patch

diff --git a/android/handsfree.c b/android/handsfree.c
index 2365356c2cf7..7b803fae5263 100644
--- a/android/handsfree.c
+++ b/android/handsfree.c
@@ -1243,15 +1243,22 @@  static void at_cmd_cind(struct hfp_context *result, enum hfp_gw_cmd_type type,
 		}
 
 		buf = g_malloc(len);
-
-		ptr = buf + sprintf(buf, "+CIND:");
+		if (sprintf(buf, "+CIND:") != strlen("+CIND:")) {
+			g_free(buf);
+			break;
+		}
+		ptr = buf + strlen("+CIND:");
 
 		for (i = 0; i < IND_COUNT; i++) {
-			ptr += sprintf(ptr, "(\"%s\",(%d%c%d)),",
+			int printed;
+			printed = sprintf(ptr, "(\"%s\",(%d%c%d)),",
 					dev->inds[i].name,
 					dev->inds[i].min,
 					dev->inds[i].max == 1 ? ',' : '-',
 					dev->inds[i].max);
+			if (printed < 0)
+				goto fail;
+			ptr += printed;
 		}
 
 		ptr--;
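Review bot: the `goto fail` on `printed < 0` leaks `buf`. The first check frees it with `g_free(buf)` before its `break`, but the loop's error path jumps to `fail:` with `buf` still allocated and nothing after the label releases it. Since the `break` taken by the first check falls out of the switch onto the same `hfp_gw_send_result(dev->gw, HFP_RESULT_ERROR)` that `fail:` labels, the simplest fix is to mirror that path: `g_free(buf); break;` in the loop, and drop the label. Two smaller points: `sprintf` returns a negative value only on an encoding error, so these checks satisfy the analyzer rather than protect the `len` bytes from `g_malloc(len)`; `snprintf(ptr, len - (ptr - buf), ...)` with the same return checks would bound the writes as well. And checkpatch flags the missing blank line after `int printed;`, which a blank line or a declaration at the top of the function clears.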
@@ -1273,6 +1280,7 @@  static void at_cmd_cind(struct hfp_context *result, enum hfp_gw_cmd_type type,
 		break;
 	}
 
+fail:
 	hfp_gw_send_result(dev->gw, HFP_RESULT_ERROR);
 
 	if (dev->state != HAL_EV_HANDSFREE_CONN_STATE_SLC_CONNECTED)
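Review bot: `fail:` is placed where every `break` out of the switch already arrives, so it adds a second route to the same error report without any cleanup of its own; a jump to it from inside a case must have released its allocations first, which the new `goto fail` in the CIND loop does not do. If the label stays, a one-line comment above it stating that callers must free before jumping would keep the next error path from repeating that leak; otherwise freeing and using `break` at the jump site makes the label unnecessary.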