
[BlueZ,2/9] mgmt-tester: Fix buffer overrun

Message ID 20240530150057.444585-3-hadess@hadess.net (mailing list archive)
State Accepted
Commit aa54087f13d54320f57473b5a8e6d979314266bc
Series Fix a number of static analysis issues #3

Checks

Context Check Description
tedd_an/pre-ci_am success Success
tedd_an/CheckPatch warning WARNING:UNKNOWN_COMMIT_ID: Unknown commit id '49d06560692f', maybe rebased or not pulled? #60: Fixes: 49d06560692f ("mgmt-tester: Fix non-nul-terminated string") /github/workspace/src/src/13680511.patch total: 0 errors, 1 warnings, 8 lines checked NOTE: For some of the reported defects, checkpatch may be able to mechanically convert to the typical style using --fix or --fix-inplace. /github/workspace/src/src/13680511.patch has style problems, please review. NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO NOTE: If any of the errors are false positives, please report them to the maintainer, see CHECKPATCH in MAINTAINERS.
tedd_an/GitLint fail WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search 4: B1 Line exceeds max length (148>80): "bluez-5.76/tools/mgmt-tester.c:12667:2: identity_transfer: Passing "512UL" as argument 3 to function "vhci_read_devcd", which returns that argument." 5: B1 Line exceeds max length (140>80): "bluez-5.76/tools/mgmt-tester.c:12667:2: assignment: Assigning: "read" = "vhci_read_devcd(vhci, buf, 512UL)". The value of "read" is now 512." 6: B1 Line exceeds max length (159>80): "bluez-5.76/tools/mgmt-tester.c:12674:2: overrun-local: Overrunning array "buf" of 513 bytes at byte offset 513 using index "read + 1" (which evaluates to 513)." 7: B3 Line contains hard tab characters (\t): "12672| }" 8: B3 Line contains hard tab characters (\t): "12673| /* Make sure buf is nul-terminated */" 9: B3 Line contains hard tab characters (\t): "12674|-> buf[read + 1] = '\0';" 11: B3 Line contains hard tab characters (\t): "12676| /* Verify if all devcoredump header fields are present */"
tedd_an/IncrementalBuild success Incremental Build PASS

Commit Message

Bastien Nocera May 30, 2024, 2:57 p.m. UTC
Error: OVERRUN (CWE-119): [#def56] [important]
bluez-5.76/tools/mgmt-tester.c:12667:2: identity_transfer: Passing "512UL" as argument 3 to function "vhci_read_devcd", which returns that argument.
bluez-5.76/tools/mgmt-tester.c:12667:2: assignment: Assigning: "read" = "vhci_read_devcd(vhci, buf, 512UL)". The value of "read" is now 512.
bluez-5.76/tools/mgmt-tester.c:12674:2: overrun-local: Overrunning array "buf" of 513 bytes at byte offset 513 using index "read + 1" (which evaluates to 513).
12672|		}
12673|		/* Make sure buf is nul-terminated */
12674|->	buf[read + 1] = '\0';
12675|
12676|		/* Verify if all devcoredump header fields are present */

Fixes: 49d06560692f ("mgmt-tester: Fix non-nul-terminated string")
---
 tools/mgmt-tester.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Patch

diff --git a/tools/mgmt-tester.c b/tools/mgmt-tester.c
index 8076ec105ebb..1d5c82ae0745 100644
--- a/tools/mgmt-tester.c
+++ b/tools/mgmt-tester.c
@@ -12671,7 +12671,7 @@  static void verify_devcd(void *user_data)
 		return;
 	}
 	/* Make sure buf is nul-terminated */
-	buf[read + 1] = '\0';
+	buf[read] = '\0';
 
 	/* Verify if all devcoredump header fields are present */
 	line = strtok_r(buf, delim, &saveptr);
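
Review bot: At `buf[read] = '\0';` the index stays in bounds only because the buffer is one byte larger than the length handed to vhci_read_devcd(), and per the Coverity trace in the commit message those are two separate values: an array of 513 bytes and the literal 512UL at the call on line 12667. Consider passing sizeof(buf) - 1 at that call so the terminator slot cannot be lost if either number is changed later. The context shows only the tail of the early-return branch above this line, so it is also worth confirming that the branch rejects a negative result if read is a signed type, since the same statement would then write before the start of buf.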