[BlueZ,05/12] btsnoop: Fix possible negative memcpy length

Message ID	20240704102617.1132337-6-hadess@hadess.net (mailing list archive)
State	Superseded
Headers	show Received: from relay1-d.mail.gandi.net (relay1-d.mail.gandi.net [217.70.183.193]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E46F11AB91B for <linux-bluetooth@vger.kernel.org>; Thu, 4 Jul 2024 10:26:22 +0000 (UTC) From: Bastien Nocera <hadess@hadess.net> To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera <hadess@hadess.net> Subject: [BlueZ 05/12] btsnoop: Fix possible negative memcpy length Date: Thu, 4 Jul 2024 12:24:36 +0200 Message-ID: <20240704102617.1132337-6-hadess@hadess.net> In-Reply-To: <20240704102617.1132337-1-hadess@hadess.net> References: <20240704102617.1132337-1-hadess@hadess.net> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	Fix a number of static analysis issues #5 \| expand [BlueZ,00/12] Fix a number of static analysis issues #5 [BlueZ,01/12] gatt-server: Don't allocate negative data [BlueZ,02/12] shared/shell: Free w.we_wordv on early function exit [BlueZ,03/12] shared/shell: Free memory allocated by wordexp() [BlueZ,04/12] shared/shell: Fix fd leak if -s is passed multiple times [BlueZ,05/12] btsnoop: Fix possible negative memcpy length [BlueZ,06/12] sdp: Fix possible null dereference [BlueZ,07/12] sdp: Fix mismatched int casting [BlueZ,08/12] emulator: Fix integer truncation warnings [BlueZ,09/12] gatt-server: Fix integer overflow due to cast operation [BlueZ,10/12] mesh: Fix integer overflow due to cast operation [BlueZ,11/12] tools/mesh: Fix integer overflow due to cast operation [BlueZ,12/12] unit/ringbuf: Fix ineffective guard due to signedness

Message ID

20240704102617.1132337-6-hadess@hadess.net (mailing list archive)

State

Superseded

Headers

From: Bastien Nocera <hadess@hadess.net>
To: linux-bluetooth@vger.kernel.org
Cc: Bastien Nocera <hadess@hadess.net>
Subject: [BlueZ 05/12] btsnoop: Fix possible negative memcpy length
Date: Thu,  4 Jul 2024 12:24:36 +0200
Message-ID: <20240704102617.1132337-6-hadess@hadess.net>
In-Reply-To: <20240704102617.1132337-1-hadess@hadess.net>
References: <20240704102617.1132337-1-hadess@hadess.net>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

Fix a number of static analysis issues #5 | expand

Checks

Context	Check	Description
tedd_an/pre-ci_am	success	Success
tedd_an/CheckPatch	success	CheckPatch PASS
tedd_an/GitLint	fail	WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search 4: B1 Line exceeds max length (146>80): "bluez-5.76/tools/btsnoop.c:438:2: tainted_data_return: Called function "read(fd, buf, toread)", and a possible return value may be less than zero." 5: B1 Line exceeds max length (85>80): "bluez-5.76/tools/btsnoop.c:438:2: assign: Assigning: "len" = "read(fd, buf, toread)"." 6: B1 Line exceeds max length (147>80): "bluez-5.76/tools/btsnoop.c:473:4: overflow: The cast of "len - 9L", which is potentially negative, to an unsigned type could result in an overflow." 7: B3 Line contains hard tab characters (\t): "471\| /* next 4 bytes are data len and cid */" 8: B3 Line contains hard tab characters (\t): "472\| current_cid = buf[8] << 8 \| buf[7];" 9: B3 Line contains hard tab characters (\t): "473\|-> memcpy(pdu_buf, buf + 9, len - 9);" 10: B3 Line contains hard tab characters (\t): "474\| pdu_len = len - 9;" 11: B3 Line contains hard tab characters (\t): "475\| } else if (acl_flags & 0x01) {" 14: B1 Line exceeds max length (146>80): "bluez-5.76/tools/btsnoop.c:438:2: tainted_data_return: Called function "read(fd, buf, toread)", and a possible return value may be less than zero." 15: B1 Line exceeds max length (85>80): "bluez-5.76/tools/btsnoop.c:438:2: assign: Assigning: "len" = "read(fd, buf, toread)"." 16: B1 Line exceeds max length (147>80): "bluez-5.76/tools/btsnoop.c:476:4: overflow: The cast of "len - 5L", which is potentially negative, to an unsigned type could result in an overflow." 17: B3 Line contains hard tab characters (\t): "474\| pdu_len = len - 9;" 18: B3 Line contains hard tab characters (\t): "475\| } else if (acl_flags & 0x01) {" 19: B3 Line contains hard tab characters (\t): "476\|-> memcpy(pdu_buf + pdu_len, buf + 5, len - 5);" 20: B3 Line contains hard tab characters (\t): "477\| pdu_len += len - 5;" 21: B3 Line contains hard tab characters (\t): "478\| }"
tedd_an/IncrementalBuild	success	Incremental Build PASS

Context

Check

Description

tedd_an/pre-ci_am

success

Success

tedd_an/CheckPatch

success

CheckPatch PASS

tedd_an/GitLint

fail

WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search 4: B1 Line exceeds max length (146>80): "bluez-5.76/tools/btsnoop.c:438:2: tainted_data_return: Called function "read(fd, buf, toread)", and a possible return value may be less than zero." 5: B1 Line exceeds max length (85>80): "bluez-5.76/tools/btsnoop.c:438:2: assign: Assigning: "len" = "read(fd, buf, toread)"." 6: B1 Line exceeds max length (147>80): "bluez-5.76/tools/btsnoop.c:473:4: overflow: The cast of "len - 9L", which is potentially negative, to an unsigned type could result in an overflow." 7: B3 Line contains hard tab characters (\t): "471| /* next 4 bytes are data len and cid */" 8: B3 Line contains hard tab characters (\t): "472| current_cid = buf[8] << 8 | buf[7];" 9: B3 Line contains hard tab characters (\t): "473|-> memcpy(pdu_buf, buf + 9, len - 9);" 10: B3 Line contains hard tab characters (\t): "474| pdu_len = len - 9;" 11: B3 Line contains hard tab characters (\t): "475| } else if (acl_flags & 0x01) {" 14: B1 Line exceeds max length (146>80): "bluez-5.76/tools/btsnoop.c:438:2: tainted_data_return: Called function "read(fd, buf, toread)", and a possible return value may be less than zero." 15: B1 Line exceeds max length (85>80): "bluez-5.76/tools/btsnoop.c:438:2: assign: Assigning: "len" = "read(fd, buf, toread)"." 16: B1 Line exceeds max length (147>80): "bluez-5.76/tools/btsnoop.c:476:4: overflow: The cast of "len - 5L", which is potentially negative, to an unsigned type could result in an overflow." 17: B3 Line contains hard tab characters (\t): "474| pdu_len = len - 9;" 18: B3 Line contains hard tab characters (\t): "475| } else if (acl_flags & 0x01) {" 19: B3 Line contains hard tab characters (\t): "476|-> memcpy(pdu_buf + pdu_len, buf + 5, len - 5);" 20: B3 Line contains hard tab characters (\t): "477| pdu_len += len - 5;" 21: B3 Line contains hard tab characters (\t): "478| }"

tedd_an/IncrementalBuild

success

Incremental Build PASS

Commit Message

Bastien Nocera July 4, 2024, 10:24 a.m. UTC

Error: INTEGER_OVERFLOW (CWE-190): [#def41] [important]
bluez-5.76/tools/btsnoop.c:438:2: tainted_data_return: Called function "read(fd, buf, toread)", and a possible return value may be less than zero.
bluez-5.76/tools/btsnoop.c:438:2: assign: Assigning: "len" = "read(fd, buf, toread)".
bluez-5.76/tools/btsnoop.c:473:4: overflow: The cast of "len - 9L", which is potentially negative, to an unsigned type could result in an overflow.
471|			/* next 4 bytes are data len and cid */
472|			current_cid = buf[8] << 8 | buf[7];
473|->			memcpy(pdu_buf, buf + 9, len - 9);
474|			pdu_len = len - 9;
475|		} else if (acl_flags & 0x01) {

Error: INTEGER_OVERFLOW (CWE-190): [#def42] [important]
bluez-5.76/tools/btsnoop.c:438:2: tainted_data_return: Called function "read(fd, buf, toread)", and a possible return value may be less than zero.
bluez-5.76/tools/btsnoop.c:438:2: assign: Assigning: "len" = "read(fd, buf, toread)".
bluez-5.76/tools/btsnoop.c:476:4: overflow: The cast of "len - 5L", which is potentially negative, to an unsigned type could result in an overflow.
474|			pdu_len = len - 9;
475|		} else if (acl_flags & 0x01) {
476|->			memcpy(pdu_buf + pdu_len, buf + 5, len - 5);
477|			pdu_len += len - 5;
478|		}
---
 tools/btsnoop.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tools/btsnoop.c b/tools/btsnoop.c
index efaa45db41dd..0bd28b65b6e1 100644
--- a/tools/btsnoop.c
+++ b/tools/btsnoop.c
@@ -448,7 +448,7 @@  next_packet:
 		acl_flags = buf[2] >> 4;
 
 		/* use only packet with ACL start flag */
-		if (acl_flags & 0x02) {
+		if ((acl_flags & 0x02) && len > 9) {
 			if (current_cid == 0x0040 && pdu_len > 0) {
 				int i;
 				if (!pdu_first)
@@ -472,7 +472,7 @@  next_packet:
 			current_cid = buf[8] << 8 | buf[7];
 			memcpy(pdu_buf, buf + 9, len - 9);
 			pdu_len = len - 9;
-		} else if (acl_flags & 0x01) {
+		} else if ((acl_flags & 0x01) && len > 5) {
 			memcpy(pdu_buf + pdu_len, buf + 5, len - 5);
 			pdu_len += len - 5;
 		}