[BlueZ,7/9] obexd: Fix buffer overrun

Message ID 20240530150057.444585-8-hadess@hadess.net (mailing list archive)
State Accepted
Commit 1764cea5c7fd4f4a7af06c183822158c1e4c6fe7
Series Fix a number of static analysis issues #3

Checks

Context Check Description
tedd_an/pre-ci_am success Success
tedd_an/CheckPatch warning
WARNING:COMMIT_LOG_LONG_LINE: Possible unwrapped commit description (prefer a maximum 75 chars per line)
#57:
1142|-> p->req_id = g_obex_setpath(p->session->obex, first, setpath_cb, p, err);

/github/workspace/src/src/13680515.patch total: 0 errors, 1 warnings, 8 lines checked

NOTE: For some of the reported defects, checkpatch may be able to mechanically convert to the typical style using --fix or --fix-inplace.

/github/workspace/src/src/13680515.patch has style problems, please review.

NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO

NOTE: If any of the errors are false positives, please report them to the maintainer, see CHECKPATCH in MAINTAINERS.
tedd_an/GitLint fail
WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
6: B1 Line exceeds max length (141>80): "bluez-5.76/obexd/client/session.c:1135:2: alias: Assigning: "first" = """". "first" now points to byte 0 of """" (which consists of 1 bytes)."
7: B1 Line exceeds max length (177>80): "bluez-5.76/obexd/client/session.c:1142:2: overrun-buffer-val: Overrunning buffer pointed to by "first" of 1 bytes by passing it to a function which accesses it at byte offset 2."
8: B3 Line contains hard tab characters (\t): "1140| req->index++;"
10: B1 Line exceeds max length (81>80): "1142|-> p->req_id = g_obex_setpath(p->session->obex, first, setpath_cb, p, err);"
10: B3 Line contains hard tab characters (\t): "1142|-> p->req_id = g_obex_setpath(p->session->obex, first, setpath_cb, p, err);"
11: B3 Line contains hard tab characters (\t): "1143| if (*err != NULL)"
12: B3 Line contains hard tab characters (\t): "1144| return (*err)->code;"
tedd_an/IncrementalBuild success Incremental Build PASS

Commit Message

Bastien Nocera May 30, 2024, 2:58 p.m. UTC
Don't access path at byte 2 when it might only contain a single byte.

Error: OVERRUN (CWE-119): [#def27] [important]
bluez-5.76/obexd/client/session.c:1135:2: alias: Assigning: "first" = """". "first" now points to byte 0 of """" (which consists of 1 bytes).
bluez-5.76/obexd/client/session.c:1142:2: overrun-buffer-val: Overrunning buffer pointed to by "first" of 1 bytes by passing it to a function which accesses it at byte offset 2.
1140|		req->index++;
1141|
1142|->		p->req_id = g_obex_setpath(p->session->obex, first, setpath_cb, p, err);
1143|		if (*err != NULL)
1144|			return (*err)->code;
---
 gobex/gobex.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
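The condition the patch adds to g_obex_setpath(), pulled out into a stand-alone C program so the behaviour on short inputs can be checked directly. This is an added example, not BlueZ code: the helper names setpath_flags(), setpath_folder() and SETPATH_FLAG_PARENT are made up here, 0x03 is the flags value the hunk assigns for a ".." request, and the hunk's else branch (which is not visible on this page) is not modelled, so every non-".." path simply yields flags 0. The sample paths in main() are constructed, and include the one-byte "" that the static analyzer reported.

```c
#include <stdio.h>
#include <string.h>

/* Flags value the patched code assigns for a "go to parent folder" request. */
#define SETPATH_FLAG_PARENT 0x03

/*
 * Return the flags the patched condition would select for a path argument.
 * The strlen(path) >= 2 guard is the one the patch adds: once it holds, the
 * later read of path[2] is always inside the string (at worst it is the
 * terminating NUL of a two-character "..").
 * Assumption (example only): anything that is not a ".." request yields 0.
 */
unsigned char setpath_flags(const char *path)
{
	if (path != NULL && strlen(path) >= 2 && strncmp("..", path, 2) == 0)
		return SETPATH_FLAG_PARENT;
	return 0;
}

/*
 * Return the folder name that follows "../", or NULL for a bare ".." (or for
 * a path that is not a ".." request at all). Mirrors the hunk's
 *   folder = (path[2] == '/') ? &path[3] : NULL;
 * and only reads path[2] after setpath_flags() has confirmed the string is
 * long enough for that byte to exist.
 */
const char *setpath_folder(const char *path)
{
	if (setpath_flags(path) != SETPATH_FLAG_PARENT)
		return NULL;
	return (path[2] == '/') ? &path[3] : NULL;
}

int main(void)
{
	/* Constructed sample inputs; "" is the 1-byte buffer from the report. */
	const char *samples[] = { "", ".", "..", "../music", "..x", "telecom" };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		const char *folder = setpath_folder(samples[i]);

		printf("path=\"%s\" flags=0x%02x folder=%s\n", samples[i],
		       setpath_flags(samples[i]),
		       folder ? folder : "(none)");
	}
	return 0;
}
```

Running it shows "" and "." never reach the parent-folder branch, ".." selects the branch with no folder, and "../music" selects it with folder "music"; the same holds for a NULL path, which the first clause rejects before any string function runs.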
Patch

diff --git a/gobex/gobex.c b/gobex/gobex.c
index fdeb11c65130..40d6b8129b00 100644
--- a/gobex/gobex.c
+++ b/gobex/gobex.c
@@ -1611,7 +1611,7 @@  guint g_obex_setpath(GObex *obex, const char *path, GObexResponseFunc func,
 
 	memset(&data, 0, sizeof(data));
 
-	if (path != NULL && strncmp("..", path, 2) == 0) {
+	if (path != NULL && strlen(path) >= 2 && strncmp("..", path, 2) == 0) {
 		data.flags = 0x03;
 		folder = (path[2] == '/') ? &path[3] : NULL;
 	} else {
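Review bot: The added `strlen(path) >= 2` clause on the `if` line is a belt-and-braces guard rather than a change in reachable behaviour: `strncmp("..", path, 2)` stops at the first differing byte or NUL, so a one-byte `""` is rejected before offset 2 is ever read, and `path[2]` in the then-branch is at worst the terminator of a bare `".."`. The guard does make the length assumption behind `path[2]` and `&path[3]` explicit and gives the analyzer something to reason about, so it is worth keeping; a one-line comment on the condition stating that intent would save the next reader from wondering whether a real overrun existed here. Also note that the subject line says `obexd:` while the only file touched is `gobex/gobex.c`, which will mislead anyone searching the log by component.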