| Message ID | 20240702084900.773620-4-hadess@hadess.net (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | Fix a number of static analysis issues #4 | expand |
| Context | Check | Description |
|---|---|---|
| tedd_an/pre-ci_am | success | Success |
| tedd_an/CheckPatch | success | CheckPatch PASS |
| tedd_an/GitLint | fail | WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search 8: B1 Line exceeds max length (133>80): "bluez-5.76/mesh/prov-initiator.c:676:2: cond_at_least: Checking "type >= 10UL" implies that "type" is at least 10 on the true branch." 9: B1 Line exceeds max length (195>80): "bluez-5.76/mesh/prov-initiator.c:678:3: overrun-local: Overrunning array "expected_pdu_size" of 10 2-byte elements at element index 10 (byte offset 21) using index "type" (which evaluates to 10)." 10: B3 Line contains hard tab characters (\t): "676| if (type >= L_ARRAY_SIZE(expected_pdu_size) ||" 11: B3 Line contains hard tab characters (\t): "677| len != expected_pdu_size[type]) {" 12: B3 Line contains hard tab characters (\t): "678|-> l_error("Expected PDU size %d, Got %d (type: %2.2x)"," 13: B3 Line contains hard tab characters (\t): "679| expected_pdu_size[type], len, type);" 14: B3 Line contains hard tab characters (\t): "680| fail_code[1] = PROV_ERR_INVALID_FORMAT;" |
| tedd_an/IncrementalBuild | success | Incremental Build PASS |
diff --git a/mesh/prov-initiator.c b/mesh/prov-initiator.c index 653f3ae3e1c2..e353d23865ef 100644 --- a/mesh/prov-initiator.c +++ b/mesh/prov-initiator.c @@ -673,8 +673,13 @@ static void int_prov_rx(void *user_data, const void *dptr, uint16_t len) goto failure; } - if (type >= L_ARRAY_SIZE(expected_pdu_size) || - len != expected_pdu_size[type]) { + if (type >= L_ARRAY_SIZE(expected_pdu_size)) { + l_error("Invalid PDU type %2.2x", type); + fail_code[1] = PROV_ERR_INVALID_FORMAT; + goto failure; + } + + if (len != expected_pdu_size[type]) { l_error("Expected PDU size %d, Got %d (type: %2.2x)", expected_pdu_size[type], len, type); fail_code[1] = PROV_ERR_INVALID_FORMAT;
We would boundary check the expected_pdu_size array based on the value of type, but would still access it out-of-bounds for the debug message. Split off the invalid type check into its own message to avoid this. Error: OVERRUN (CWE-119): [#def23] [important] bluez-5.76/mesh/prov-initiator.c:676:2: cond_at_least: Checking "type >= 10UL" implies that "type" is at least 10 on the true branch. bluez-5.76/mesh/prov-initiator.c:678:3: overrun-local: Overrunning array "expected_pdu_size" of 10 2-byte elements at element index 10 (byte offset 21) using index "type" (which evaluates to 10). 676| if (type >= L_ARRAY_SIZE(expected_pdu_size) || 677| len != expected_pdu_size[type]) { 678|-> l_error("Expected PDU size %d, Got %d (type: %2.2x)", 679| expected_pdu_size[type], len, type); 680| fail_code[1] = PROV_ERR_INVALID_FORMAT; --- mesh/prov-initiator.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-)