From patchwork Tue Jul 2 08:47:16 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 13719118 Received: from relay4-d.mail.gandi.net (relay4-d.mail.gandi.net [217.70.183.196]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 111AC146D65 for ; Tue, 2 Jul 2024 08:49:08 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.196 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1719910150; cv=none; b=Ux1n9pFUZBed6DMGSmd2eqRbHEzAxNjMVKfrLrKxIo/h1tCs7CwSzdyPUR5uxcCdcwQuai9NvIFDm43Mh/KC9WZEhTCIumvAEV5yJR8UKzhPkSFNC2TH2QXyOE3OyFVgdCgAYQGonYFYgZEEt8bhe4+PstwPVvSLVQcKdT3Wm4I= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1719910150; c=relaxed/simple; bh=SygPxPvYyqAKNBGu+ImyRhBldapxXCSzpjOLb0s9Gxo=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=FnsxDaEB7ENSr76/QIyjFIqqb8TLgMle1CZTkCrq1yD5R7bVWYPxNxGxO6ufCchzqzeCSeaeR7LQKPQ14eR10yRHWzkuPYMtk668VdT3kchlF/c/KXgPIF0oZjMD3zzly5u20ab4IDB8FRPa80gpUpid8Y5/XotBZ8MjjxXTDzI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.196 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id 28257E0004; Tue, 2 Jul 2024 08:49:01 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [PATCH 1/9] main: Simplify parse_config_string() Date: Tue, 2 Jul 2024 10:47:16 +0200 Message-ID: <20240702084900.773620-2-hadess@hadess.net> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20240702084900.773620-1-hadess@hadess.net> References: <20240702084900.773620-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net The memory management done by parse_config_string() was quite complicated, as it expected to be able to free the value in the return variable if it was already allocated. That particular behaviour was only used for a single variable which was set to its default value during startup and might be overwritten after this function call. Use an intermediate variable to check whether we need to free btd_opts.name and simplify parse_config_string(). Error: RESOURCE_LEAK (CWE-772): [#def39] [important] bluez-5.75/src/main.c:425:2: alloc_fn: Storage is returned from allocation function "g_key_file_get_string". bluez-5.75/src/main.c:425:2: var_assign: Assigning: "tmp" = storage returned from "g_key_file_get_string(config, group, key, &err)". bluez-5.75/src/main.c:433:2: noescape: Assuming resource "tmp" is not freed or pointed-to as ellipsis argument to "btd_debug". bluez-5.75/src/main.c:440:2: leaked_storage: Variable "tmp" going out of scope leaks the storage it points to. 438| } 439| 440|-> return true; 441| } 442| --- src/main.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/src/main.c b/src/main.c index 62453bffaf57..9db8d7000490 100644 --- a/src/main.c +++ b/src/main.c @@ -420,9 +420,10 @@ static bool parse_config_string(GKeyFile *config, const char *group, const char *key, char **val) { GError *err = NULL; - char *tmp; - tmp = g_key_file_get_string(config, group, key, &err); + g_return_val_if_fail(val, false); + + *val = g_key_file_get_string(config, group, key, &err); if (err) { if (err->code != G_KEY_FILE_ERROR_KEY_NOT_FOUND) DBG("%s", err->message); @@ -430,12 +431,7 @@ static bool parse_config_string(GKeyFile *config, const char *group, return false; } - DBG("%s.%s = %s", group, key, tmp); - - if (val) { - g_free(*val); - *val = tmp; - } + DBG("%s.%s = %s", group, key, *val); return true; } @@ -1004,7 +1000,12 @@ static void parse_secure_conns(GKeyFile *config) static void parse_general(GKeyFile *config) { - parse_config_string(config, "General", "Name", &btd_opts.name); + char *str = NULL; + + if (parse_config_string(config, "General", "Name", &str)) { + g_free(btd_opts.name); + btd_opts.name = str; + } parse_config_hex(config, "General", "Class", &btd_opts.class); parse_config_u32(config, "General", "DiscoverableTimeout", &btd_opts.discovto, From patchwork Tue Jul 2 08:47:17 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 13719119 Received: from relay4-d.mail.gandi.net (relay4-d.mail.gandi.net [217.70.183.196]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D911984D39 for ; Tue, 2 Jul 2024 08:49:08 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.196 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1719910150; cv=none; b=WityVT/Y3zWEBhTOpJMlplZo4JA7Cv4uHSLwZEWcYxtIF5MoSKyOLsKMQ23vKFCOwAr790YpEeIbrkSDacm3ANGqB99DgRD8787oE50wgjFUDsylGaH2Jg6W0uNoTnadVv0udDHO1i2zqBkpUh2wi3csghOe5a2AvUbGTA9fvC0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1719910150; c=relaxed/simple; bh=nxQmHvj5d+IOf5OrJz12+hosL98o57kQzrHPM1hlJc8=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=II5PXwjCtx5/Q2XO2qUglhfT4b2cVnl+DW0TJN02533xh0FpQ1Dr674MEarjaRh6v6WCbLx9pWJnl2HkVikPThSYimNpXmU0/goqU7tNXSZZHHFHT84O0aF50Y3qx9vUr78T+SDSlJomrt1xkYXG2S5lqlUTdlrrG9I6fkWF9B0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.196 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id 6F3A6E0007; Tue, 2 Jul 2024 08:49:01 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [PATCH 2/9] avdtp: Fix manipulating struct as an array Date: Tue, 2 Jul 2024 10:47:17 +0200 Message-ID: <20240702084900.773620-3-hadess@hadess.net> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20240702084900.773620-1-hadess@hadess.net> References: <20240702084900.773620-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net Don't manipulate the "req" structs as if they were flat arrays, static analysis and humans are both equally confused by this kind of usage. Error: ARRAY_VS_SINGLETON (CWE-119): [#def26] [important] bluez-5.76/profiles/audio/avdtp.c:1675:2: address_of: Taking address with "&start->first_seid" yields a singleton pointer. bluez-5.76/profiles/audio/avdtp.c:1675:2: assign: Assigning: "seid" = "&start->first_seid". bluez-5.76/profiles/audio/avdtp.c:1679:25: ptr_arith: Using "seid" as an array. This might corrupt or misinterpret adjacent memory locations. 1677| int i; 1678| 1679|-> for (i = 0; i < count; i++, seid++) { 1680| if (seid->seid == id) { 1681| req->collided = TRUE; Error: ARRAY_VS_SINGLETON (CWE-119): [#def27] [important] bluez-5.76/profiles/audio/avdtp.c:1690:2: address_of: Taking address with "&suspend->first_seid" yields a singleton pointer. bluez-5.76/profiles/audio/avdtp.c:1690:2: assign: Assigning: "seid" = "&suspend->first_seid". bluez-5.76/profiles/audio/avdtp.c:1694:25: ptr_arith: Using "seid" as an array. This might corrupt or misinterpret adjacent memory locations. 1692| int i; 1693| 1694|-> for (i = 0; i < count; i++, seid++) { 1695| if (seid->seid == id) { 1696| req->collided = TRUE; Error: ARRAY_VS_SINGLETON (CWE-119): [#def28] [important] bluez-5.76/profiles/audio/avdtp.c:1799:2: address_of: Taking address with "&req->first_seid" yields a singleton pointer. bluez-5.76/profiles/audio/avdtp.c:1799:2: assign: Assigning: "seid" = "&req->first_seid". bluez-5.76/profiles/audio/avdtp.c:1801:30: ptr_arith: Using "seid" as an array. This might corrupt or misinterpret adjacent memory locations. 1799| seid = &req->first_seid; 1800| 1801|-> for (i = 0; i < seid_count; i++, seid++) { 1802| failed_seid = seid->seid; 1803| Error: ARRAY_VS_SINGLETON (CWE-119): [#def29] [important] bluez-5.76/profiles/audio/avdtp.c:1912:2: address_of: Taking address with "&req->first_seid" yields a singleton pointer. bluez-5.76/profiles/audio/avdtp.c:1912:2: assign: Assigning: "seid" = "&req->first_seid". bluez-5.76/profiles/audio/avdtp.c:1914:30: ptr_arith: Using "seid" as an array. This might corrupt or misinterpret adjacent memory locations. 1912| seid = &req->first_seid; 1913| 1914|-> for (i = 0; i < seid_count; i++, seid++) { 1915| failed_seid = seid->seid; 1916| --- profiles/audio/avdtp.c | 45 +++++++++++++++++++++--------------------- 1 file changed, 23 insertions(+), 22 deletions(-) diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c index 3667e08400dd..45d1b120b760 100644 --- a/profiles/audio/avdtp.c +++ b/profiles/audio/avdtp.c @@ -184,13 +184,17 @@ struct getcap_resp { } __attribute__ ((packed)); struct start_req { - struct seid first_seid; - struct seid other_seids[0]; + union { + struct seid required[1]; + struct seid seids[0]; + }; } __attribute__ ((packed)); struct suspend_req { - struct seid first_seid; - struct seid other_seids[0]; + union { + struct seid required[1]; + struct seid seids[0]; + }; } __attribute__ ((packed)); struct seid_rej { @@ -1672,12 +1676,12 @@ static void check_seid_collision(struct pending_req *req, uint8_t id) static void check_start_collision(struct pending_req *req, uint8_t id) { struct start_req *start = req->data; - struct seid *seid = &start->first_seid; int count = 1 + req->data_size - sizeof(struct start_req); int i; - for (i = 0; i < count; i++, seid++) { - if (seid->seid == id) { + for (i = 0; i < count; i++) { + struct seid seid = start->seids[i]; + if (seid.seid == id) { req->collided = TRUE; return; } @@ -1687,12 +1691,12 @@ static void check_start_collision(struct pending_req *req, uint8_t id) static void check_suspend_collision(struct pending_req *req, uint8_t id) { struct suspend_req *suspend = req->data; - struct seid *seid = &suspend->first_seid; int count = 1 + req->data_size - sizeof(struct suspend_req); int i; - for (i = 0; i < count; i++, seid++) { - if (seid->seid == id) { + for (i = 0; i < count; i++) { + struct seid seid = suspend->seids[i]; + if (seid.seid == id) { req->collided = TRUE; return; } @@ -1785,7 +1789,6 @@ static gboolean avdtp_start_cmd(struct avdtp *session, uint8_t transaction, struct avdtp_local_sep *sep; struct avdtp_stream *stream; struct stream_rej rej; - struct seid *seid; uint8_t err, failed_seid; int seid_count, i; @@ -1796,12 +1799,12 @@ static gboolean avdtp_start_cmd(struct avdtp *session, uint8_t transaction, seid_count = 1 + size - sizeof(struct start_req); - seid = &req->first_seid; + for (i = 0; i < seid_count; i++) { + struct seid seid = req->seids[i]; - for (i = 0; i < seid_count; i++, seid++) { - failed_seid = seid->seid; + failed_seid = seid.seid; - sep = find_local_sep_by_seid(session, seid->seid); + sep = find_local_sep_by_seid(session, seid.seid); if (!sep || !sep->stream) { err = AVDTP_BAD_ACP_SEID; goto failed; @@ -1898,7 +1901,6 @@ static gboolean avdtp_suspend_cmd(struct avdtp *session, uint8_t transaction, struct avdtp_local_sep *sep; struct avdtp_stream *stream; struct stream_rej rej; - struct seid *seid; uint8_t err, failed_seid; int seid_count, i; @@ -1909,12 +1911,11 @@ static gboolean avdtp_suspend_cmd(struct avdtp *session, uint8_t transaction, seid_count = 1 + size - sizeof(struct suspend_req); - seid = &req->first_seid; + for (i = 0; i < seid_count; i++) { + struct seid seid = req->seids[i]; + failed_seid = seid.seid; - for (i = 0; i < seid_count; i++, seid++) { - failed_seid = seid->seid; - - sep = find_local_sep_by_seid(session, seid->seid); + sep = find_local_sep_by_seid(session, seid.seid); if (!sep || !sep->stream) { err = AVDTP_BAD_ACP_SEID; goto failed; @@ -3663,7 +3664,7 @@ int avdtp_start(struct avdtp *session, struct avdtp_stream *stream) } memset(&req, 0, sizeof(req)); - req.first_seid.seid = stream->rseid; + req.required->seid = stream->rseid; ret = send_request(session, FALSE, stream, AVDTP_START, &req, sizeof(req)); From patchwork Tue Jul 2 08:47:18 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 13719121 Received: from relay4-d.mail.gandi.net (relay4-d.mail.gandi.net [217.70.183.196]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id EB51C14A62D for ; Tue, 2 Jul 2024 08:49:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.196 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1719910151; cv=none; b=TEgsc5/Lxj15Pb5ZxFq7D9DnIhStPUzHgAwlilXaqGsygcxEE8hnmZhm9pHz5cuTn9D80vYM4Gm3cScJVtgyOyf0jCbNlvov1PVQo5HWiiopi33gYvtoQbITnttvAX2KoVTAAdI/z+qzQN3N7JEebXswh6TaD4lXdNGEjtt5a4M= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1719910151; c=relaxed/simple; bh=ib/BkXoy0+vwgqUindMB+HL0wQHRNyQmquiFjwvdr24=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=iK79xbmKKyASjWa9rmjcSwvqppbaQhUOOs4gv0nxHM+IxG/mu6BstrjacR4zTwCj7ock3D6xBmAU0XWNFNdnZ0ZjCr9Vy/FVvKsqbmePKK6nxp5982mtqa4BaXnoagmmcijlLEWSzFyVekh/Sz+ad8L1mgwxSzCM+QZnj57beDc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.196 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id C53FAE000A; Tue, 2 Jul 2024 08:49:01 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [PATCH 3/9] mesh: Avoid accessing array out-of-bounds Date: Tue, 2 Jul 2024 10:47:18 +0200 Message-ID: <20240702084900.773620-4-hadess@hadess.net> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20240702084900.773620-1-hadess@hadess.net> References: <20240702084900.773620-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net We would boundary check the expected_pdu_size array based on the value of type, but would still access it out-of-bounds for the debug message. Split off the invalid type check into its own message to avoid this. Error: OVERRUN (CWE-119): [#def23] [important] bluez-5.76/mesh/prov-initiator.c:676:2: cond_at_least: Checking "type >= 10UL" implies that "type" is at least 10 on the true branch. bluez-5.76/mesh/prov-initiator.c:678:3: overrun-local: Overrunning array "expected_pdu_size" of 10 2-byte elements at element index 10 (byte offset 21) using index "type" (which evaluates to 10). 676| if (type >= L_ARRAY_SIZE(expected_pdu_size) || 677| len != expected_pdu_size[type]) { 678|-> l_error("Expected PDU size %d, Got %d (type: %2.2x)", 679| expected_pdu_size[type], len, type); 680| fail_code[1] = PROV_ERR_INVALID_FORMAT; --- mesh/prov-initiator.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/mesh/prov-initiator.c b/mesh/prov-initiator.c index 653f3ae3e1c2..e353d23865ef 100644 --- a/mesh/prov-initiator.c +++ b/mesh/prov-initiator.c @@ -673,8 +673,13 @@ static void int_prov_rx(void *user_data, const void *dptr, uint16_t len) goto failure; } - if (type >= L_ARRAY_SIZE(expected_pdu_size) || - len != expected_pdu_size[type]) { + if (type >= L_ARRAY_SIZE(expected_pdu_size)) { + l_error("Invalid PDU type %2.2x", type); + fail_code[1] = PROV_ERR_INVALID_FORMAT; + goto failure; + } + + if (len != expected_pdu_size[type]) { l_error("Expected PDU size %d, Got %d (type: %2.2x)", expected_pdu_size[type], len, type); fail_code[1] = PROV_ERR_INVALID_FORMAT; From patchwork Tue Jul 2 08:47:19 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 13719122 Received: from relay4-d.mail.gandi.net (relay4-d.mail.gandi.net [217.70.183.196]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id EB4CC14883E for ; Tue, 2 Jul 2024 08:49:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.196 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1719910152; cv=none; b=KjFhPOR4cXnhOqOVZ6uticgfwEUBjdkAZxoP5T62Jr4vY8OPeGxWakYUPkikHD1oCT8GB1/iJql4nCd3hCLzrR2rNel+PTcNT9brSApLhXw87sPHD6DSstC4Qb9E5Zcr/3jxmGFjS1g+IsCfEYSBQlPoeywyg0EceZoVMkv7tJc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1719910152; c=relaxed/simple; bh=Ou0kGDa50CgH9PnCyq7XPN19GakFWGQO/fwUzDZK+Yg=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=oqsn0tuZPBKWN/v4BdVsHNTOh9+OJ5eEzJp1QC2kvaY2fFihZCoI41JTaY6yvJleZe6wk1jldArcPzR7dcc8Rlh892RiocpCBAFX8WPrc9j3nBo8ureT7cAw3KKTyuHB+Ak2tf6PO3YJpjgalLEF0fXNV4z6qfXovdRynebjeKQ= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.196 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id 1ABFDE000B; Tue, 2 Jul 2024 08:49:02 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [PATCH 4/9] obexd: Fix possible memleak Date: Tue, 2 Jul 2024 10:47:19 +0200 Message-ID: <20240702084900.773620-5-hadess@hadess.net> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20240702084900.773620-1-hadess@hadess.net> References: <20240702084900.773620-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net Fix possible resource leak if a attribute is repeated, overriding the original value. Error: RESOURCE_LEAK (CWE-772): [#def28] [important] bluez-5.76/obexd/plugins/messages-dummy.c:362:4: alloc_fn: Storage is returned from allocation function "g_strdup_inline". bluez-5.76/obexd/plugins/messages-dummy.c:362:4: var_assign: Assigning: "entry->handle" = storage returned from "g_strdup_inline(values[i])". bluez-5.76/obexd/plugins/messages-dummy.c:362:4: overwrite_var: Overwriting "entry->handle" in "entry->handle = g_strdup_inline(values[i])" leaks the storage that "entry->handle" points to. 360| for (i = 0 ; names[i]; ++i) { 361| if (g_strcmp0(names[i], "handle") == 0) { 362|-> entry->handle = g_strdup(values[i]); 363| mld->size++; 364| continue; Error: RESOURCE_LEAK (CWE-772): [#def29] [important] bluez-5.76/obexd/plugins/messages-dummy.c:367:4: alloc_fn: Storage is returned from allocation function "g_strdup_inline". bluez-5.76/obexd/plugins/messages-dummy.c:367:4: var_assign: Assigning: "entry->attachment_size" = storage returned from "g_strdup_inline(values[i])". bluez-5.76/obexd/plugins/messages-dummy.c:367:4: overwrite_var: Overwriting "entry->attachment_size" in "entry->attachment_size = g_strdup_inline(values[i])" leaks the storage that "entry->attachment_size" points to. 365| } 366| if (g_strcmp0(names[i], "attachment_size") == 0) { 367|-> entry->attachment_size = g_strdup(values[i]); 368| continue; 369| } Error: RESOURCE_LEAK (CWE-772): [#def30] [important] bluez-5.76/obexd/plugins/messages-dummy.c:371:4: alloc_fn: Storage is returned from allocation function "g_strdup_inline". bluez-5.76/obexd/plugins/messages-dummy.c:371:4: var_assign: Assigning: "entry->datetime" = storage returned from "g_strdup_inline(values[i])". bluez-5.76/obexd/plugins/messages-dummy.c:371:4: overwrite_var: Overwriting "entry->datetime" in "entry->datetime = g_strdup_inline(values[i])" leaks the storage that "entry->datetime" points to. 369| } 370| if (g_strcmp0(names[i], "datetime") == 0) { 371|-> entry->datetime = g_strdup(values[i]); 372| continue; 373| } Error: RESOURCE_LEAK (CWE-772): [#def31] [important] bluez-5.76/obexd/plugins/messages-dummy.c:375:4: alloc_fn: Storage is returned from allocation function "g_strdup_inline". bluez-5.76/obexd/plugins/messages-dummy.c:375:4: var_assign: Assigning: "entry->subject" = storage returned from "g_strdup_inline(values[i])". bluez-5.76/obexd/plugins/messages-dummy.c:375:4: overwrite_var: Overwriting "entry->subject" in "entry->subject = g_strdup_inline(values[i])" leaks the storage that "entry->subject" points to. 373| } 374| if (g_strcmp0(names[i], "subject") == 0) { 375|-> entry->subject = g_strdup(values[i]); 376| continue; 377| } Error: RESOURCE_LEAK (CWE-772): [#def32] [important] bluez-5.76/obexd/plugins/messages-dummy.c:379:4: alloc_fn: Storage is returned from allocation function "g_strdup_inline". bluez-5.76/obexd/plugins/messages-dummy.c:379:4: var_assign: Assigning: "entry->recipient_addressing" = storage returned from "g_strdup_inline(values[i])". bluez-5.76/obexd/plugins/messages-dummy.c:379:4: overwrite_var: Overwriting "entry->recipient_addressing" in "entry->recipient_addressing = g_strdup_inline(values[i])" leaks the storage that "entry->recipient_addressing" points to. 377| } 378| if (g_strcmp0(names[i], "recipient_addressing") == 0) { 379|-> entry->recipient_addressing = g_strdup(values[i]); 380| continue; 381| } Error: RESOURCE_LEAK (CWE-772): [#def33] [important] bluez-5.76/obexd/plugins/messages-dummy.c:383:4: alloc_fn: Storage is returned from allocation function "g_strdup_inline". bluez-5.76/obexd/plugins/messages-dummy.c:383:4: var_assign: Assigning: "entry->sender_addressing" = storage returned from "g_strdup_inline(values[i])". bluez-5.76/obexd/plugins/messages-dummy.c:383:4: overwrite_var: Overwriting "entry->sender_addressing" in "entry->sender_addressing = g_strdup_inline(values[i])" leaks the storage that "entry->sender_addressing" points to. 381| } 382| if (g_strcmp0(names[i], "sender_addressing") == 0) { 383|-> entry->sender_addressing = g_strdup(values[i]); 384| continue; 385| } Error: RESOURCE_LEAK (CWE-772): [#def34] [important] bluez-5.76/obexd/plugins/messages-dummy.c:387:4: alloc_fn: Storage is returned from allocation function "g_strdup_inline". bluez-5.76/obexd/plugins/messages-dummy.c:387:4: var_assign: Assigning: "entry->type" = storage returned from "g_strdup_inline(values[i])". bluez-5.76/obexd/plugins/messages-dummy.c:387:4: overwrite_var: Overwriting "entry->type" in "entry->type = g_strdup_inline(values[i])" leaks the storage that "entry->type" points to. 385| } 386| if (g_strcmp0(names[i], "type") == 0) { 387|-> entry->type = g_strdup(values[i]); 388| continue; 389| } Error: RESOURCE_LEAK (CWE-772): [#def35] [important] bluez-5.76/obexd/plugins/messages-dummy.c:391:4: alloc_fn: Storage is returned from allocation function "g_strdup_inline". bluez-5.76/obexd/plugins/messages-dummy.c:391:4: var_assign: Assigning: "entry->reception_status" = storage returned from "g_strdup_inline(values[i])". bluez-5.76/obexd/plugins/messages-dummy.c:391:4: overwrite_var: Overwriting "entry->reception_status" in "entry->reception_status = g_strdup_inline(values[i])" leaks the storage that "entry->reception_status" points to. 389| } 390| if (g_strcmp0(names[i], "reception_status") == 0) 391|-> entry->reception_status = g_strdup(values[i]); 392| } 393| --- obexd/plugins/messages-dummy.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/obexd/plugins/messages-dummy.c b/obexd/plugins/messages-dummy.c index e37b52df6266..92378dab4b20 100644 --- a/obexd/plugins/messages-dummy.c +++ b/obexd/plugins/messages-dummy.c @@ -359,36 +359,45 @@ static void msg_element(GMarkupParseContext *ctxt, const char *element, for (i = 0 ; names[i]; ++i) { if (g_strcmp0(names[i], "handle") == 0) { + g_free(entry->handle); entry->handle = g_strdup(values[i]); mld->size++; continue; } if (g_strcmp0(names[i], "attachment_size") == 0) { + g_free(entry->attachment_size); entry->attachment_size = g_strdup(values[i]); continue; } if (g_strcmp0(names[i], "datetime") == 0) { + g_free(entry->datetime); entry->datetime = g_strdup(values[i]); continue; } if (g_strcmp0(names[i], "subject") == 0) { + g_free(entry->subject); entry->subject = g_strdup(values[i]); continue; } if (g_strcmp0(names[i], "recipient_addressing") == 0) { + g_free(entry->recipient_addressing); entry->recipient_addressing = g_strdup(values[i]); continue; } if (g_strcmp0(names[i], "sender_addressing") == 0) { + g_free(entry->sender_addressing); entry->sender_addressing = g_strdup(values[i]); continue; } if (g_strcmp0(names[i], "type") == 0) { + g_free(entry->type); entry->type = g_strdup(values[i]); continue; } - if (g_strcmp0(names[i], "reception_status") == 0) + if (g_strcmp0(names[i], "reception_status") == 0) { + g_free(entry->reception_status); entry->reception_status = g_strdup(values[i]); + } } if (mld->size > mld->offset) From patchwork Tue Jul 2 08:47:20 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 13719126 Received: from relay4-d.mail.gandi.net (relay4-d.mail.gandi.net [217.70.183.196]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id EB48E1474D3 for ; Tue, 2 Jul 2024 08:49:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.196 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1719910153; cv=none; b=nz6X/jMnufaaCp6xprCg/zCMBdpOd3OLtLf0EQHePYxPSH7jjbQLc1XLaovrPU6QQFQS+9LsgaVNpy5FCxyIltJnuAiS6RBKtZiBgjanSer/BK7oSH30MMO2XxeB2Q21fmlIGlXPI7lJ49UGarpIYcXMhMv9D+9BnmbfK6rKZ8U= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1719910153; c=relaxed/simple; bh=AKHl5VFto3sNozrQJLDL6JJjajb/DisWdyrWdG2DJK0=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=MtK3o9GS/00IguxEGYDeLvfgjs0XWiHQkqgbws/mhXKP0z4oi4286K7ez2Do05JPwAHLFwz3EEkc7L20WSj/cMAkWYkQ0/5yjtp73lzz/lQ/wZ5yV9fL/VO6xMdPIgiAI9xxSoG6ZNkdss9OvTRGn2ziEzY4wE8Gf6w2M81jn0I= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.196 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id 62FCDE0006; Tue, 2 Jul 2024 08:49:02 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [PATCH 5/9] obexd: Fix memory leak in entry struct Date: Tue, 2 Jul 2024 10:47:20 +0200 Message-ID: <20240702084900.773620-6-hadess@hadess.net> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20240702084900.773620-1-hadess@hadess.net> References: <20240702084900.773620-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net recipient_addressing was never freed. Error: RESOURCE_LEAK (CWE-772): [#def36] [important] bluez-5.76/obexd/plugins/messages-dummy.c:379:4: alloc_fn: Storage is returned from allocation function "g_strdup_inline". bluez-5.76/obexd/plugins/messages-dummy.c:379:4: var_assign: Assigning: "entry->recipient_addressing" = storage returned from "g_strdup_inline(values[i])". bluez-5.76/obexd/plugins/messages-dummy.c:404:2: leaked_storage: Freeing "entry" without freeing its pointer field "recipient_addressing" leaks the storage that "recipient_addressing" points to. 402| g_free(entry->attachment_size); 403| g_free(entry->handle); 404|-> g_free(entry); 405| } 406| --- obexd/plugins/messages-dummy.c | 1 + 1 file changed, 1 insertion(+) diff --git a/obexd/plugins/messages-dummy.c b/obexd/plugins/messages-dummy.c index 92378dab4b20..e313c6163ec4 100644 --- a/obexd/plugins/messages-dummy.c +++ b/obexd/plugins/messages-dummy.c @@ -406,6 +406,7 @@ static void msg_element(GMarkupParseContext *ctxt, const char *element, g_free(entry->reception_status); g_free(entry->type); g_free(entry->sender_addressing); + g_free(entry->recipient_addressing); g_free(entry->subject); g_free(entry->datetime); g_free(entry->attachment_size); From patchwork Tue Jul 2 08:47:21 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 13719124 Received: from relay4-d.mail.gandi.net (relay4-d.mail.gandi.net [217.70.183.196]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0206714F9C8 for ; Tue, 2 Jul 2024 08:49:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.196 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1719910152; cv=none; b=aSu/ojWHBxsPQpfK/nVSZ+Vm7is7u94/kYPYkAV25j7gREuz5ltQ/E7vKUwniSAg3E/QpxSHObMWdX32aaUk7s2q6wHmMmQ4ni/pZcXVEl0Z4aMnTLLykSXz9jwCKgOOmsWen0pUk9JeYQfL6dw3H7WXO1ODP7zg/EX5WJ0lel8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1719910152; c=relaxed/simple; bh=LY1+OI1MtuM9RErM6AybQdpyESH5/KY00NIOZBUbgEs=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=MgI4bCbCQ+4N5n1nNKDma9fJBKmFABx1pV3Ki5KeWDH24BhTI1nIXaFFfqKL3opEzkU4fYGj/N4HTD0H3rzoJ1ht1S0hc0gF4B5JeHCw5AQGc5j205MQO+yW6U/ORasmZpc93VfniyCWrGOrBczo9uTzFsVeafZxSNQdgXlQmus= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.196 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id A4B84E000C; Tue, 2 Jul 2024 08:49:02 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [PATCH 6/9] obexd: Fix leak in backup_object struct Date: Tue, 2 Jul 2024 10:47:21 +0200 Message-ID: <20240702084900.773620-7-hadess@hadess.net> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20240702084900.773620-1-hadess@hadess.net> References: <20240702084900.773620-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net Error: RESOURCE_LEAK (CWE-772): [#def37] [important] bluez-5.76/obexd/plugins/pcsuite.c:370:2: alloc_fn: Storage is returned from allocation function "g_path_get_basename". bluez-5.76/obexd/plugins/pcsuite.c:370:2: var_assign: Assigning: "obj->cmd" = storage returned from "g_path_get_basename(name)". bluez-5.76/obexd/plugins/pcsuite.c:379:3: leaked_storage: Freeing "obj" without freeing its pointer field "cmd" leaks the storage that "cmd" points to. 377| 378| if (send_backup_dbus_message("open", obj, size) == FALSE) { 379|-> g_free(obj); 380| obj = NULL; 381| } --- obexd/plugins/pcsuite.c | 1 + 1 file changed, 1 insertion(+) diff --git a/obexd/plugins/pcsuite.c b/obexd/plugins/pcsuite.c index 752074c08f45..07c444ff27e0 100644 --- a/obexd/plugins/pcsuite.c +++ b/obexd/plugins/pcsuite.c @@ -376,6 +376,7 @@ static void *backup_open(const char *name, int oflag, mode_t mode, obj->error_code = 0; if (send_backup_dbus_message("open", obj, size) == FALSE) { + g_free(obj->cmd); g_free(obj); obj = NULL; } From patchwork Tue Jul 2 08:47:22 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 13719123 Received: from relay4-d.mail.gandi.net (relay4-d.mail.gandi.net [217.70.183.196]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E84A014F10E for ; Tue, 2 Jul 2024 08:49:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.196 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1719910152; cv=none; b=RaXuMVmNPhHuxVpZlXKIO9WSZ6YJbytFthG5g/JXrZjS6zAD5sXRXZMUgcehOftA2nLCzzqlyLqDWLftWMtWCBU91QwqnT112EmPDvOOASwFYEJk4NT/24v9mwNhRw1NstApPT3THoZ0k+GrWq7w9a/s1hgZK9Tphgmvj3JCjg8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1719910152; c=relaxed/simple; bh=pEFwQqrxZ7hYKYFfzvdo3ASO2CPzdk2+VAZswynkeqE=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=r0LfsFKAPVWOl6g8eXwiTs37Vp1kDzY6eMkH49YD4JS+ADzjXX7wQj9moT4+tmp3uUO0P4YRgcoT5Fz1jlt5SK0bB0NUMN1cbInkBitwzCBVasiH0Qyq9yYe/YI3xXx0y3Bgg7Zrw+8KSAzKq+7XyGY3uGZxG9b1a+07lQa4KdY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.196 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id E7E70E0005; Tue, 2 Jul 2024 08:49:02 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [PATCH 7/9] health/mcap: Fix memory leak in mcl struct Date: Tue, 2 Jul 2024 10:47:22 +0200 Message-ID: <20240702084900.773620-8-hadess@hadess.net> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20240702084900.773620-1-hadess@hadess.net> References: <20240702084900.773620-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net Error: RESOURCE_LEAK (CWE-772): [#def40] [important] bluez-5.76/profiles/health/mcap.c:2052:3: alloc_arg: "set_default_cb" allocates memory that is stored into "mcl->cb". bluez-5.76/profiles/health/mcap.c:2055:4: leaked_storage: Freeing "mcl" without freeing its pointer field "cb" leaks the storage that "cb" points to. 2053| if (util_getrandom(&val, sizeof(val), 0) < 0) { 2054| mcap_instance_unref(mcl->mi); 2055|-> g_free(mcl); 2056| goto drop; 2057| } --- profiles/health/mcap.c | 1 + 1 file changed, 1 insertion(+) diff --git a/profiles/health/mcap.c b/profiles/health/mcap.c index b544b9a0a9b4..7eceaa88a3a9 100644 --- a/profiles/health/mcap.c +++ b/profiles/health/mcap.c @@ -2052,6 +2052,7 @@ static void connect_mcl_event_cb(GIOChannel *chan, GError *gerr, set_default_cb(mcl); if (util_getrandom(&val, sizeof(val), 0) < 0) { mcap_instance_unref(mcl->mi); + g_free(mcl->cb); g_free(mcl); goto drop; } From patchwork Tue Jul 2 08:47:23 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 13719127 Received: from relay4-d.mail.gandi.net (relay4-d.mail.gandi.net [217.70.183.196]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E845514E2C2 for ; Tue, 2 Jul 2024 08:49:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.196 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1719910155; cv=none; b=NEaV+iYtzjzJakaxqG0zt7aEP6/qTzeMRNhj34LiUcRWTiaIQUFAqghZ595gXebfXXbkFsZo9hFvQIXwP+U4Bh7sHtz8GKQNhnB1cI86UImWrawbsUvI4P2XJMoztAX5PQG1llAooc69U5KUNh82E7dLPjXpcVBFdx7BRdkxJps= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1719910155; c=relaxed/simple; bh=sIwc6ePtSzw560EK6jNHzIqsaPWzGQU3M10lm6e07TI=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=l6ahbjIUTYbBcyWAA+arGojDoMWTvZ4eNL44MKGq37AVdwoMa3uwoeiSfFdFGD3K5AqPNBYVJTTgyVaQhvsaP2BuQqv++dlaDLa+OHKGJmPqT8OoPv+I8/zmu3gHuS1QE+UHMmWsiajyGoOQrW7XB3Q5QXkr7MGDdjKn+lqa9NM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.196 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id 3AA6FE000F; Tue, 2 Jul 2024 08:49:03 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [PATCH 8/9] sdp: Fix memory leak in sdp_data_alloc*() Date: Tue, 2 Jul 2024 10:47:23 +0200 Message-ID: <20240702084900.773620-9-hadess@hadess.net> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20240702084900.773620-1-hadess@hadess.net> References: <20240702084900.773620-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net Make sure to free already allocated memory if we run out of memory before the end of the loop. Error: RESOURCE_LEAK (CWE-772): [#def8] [important] bluez-5.76/lib/sdp.c:542:4: alloc_fn: Storage is returned from allocation function "sdp_data_alloc". bluez-5.76/lib/sdp.c:542:4: var_assign: Assigning: "data" = storage returned from "sdp_data_alloc(dtd, values[i])". bluez-5.76/lib/sdp.c:550:4: var_assign: Assigning: "seq" = "data". bluez-5.76/lib/sdp.c:552:3: var_assign: Assigning: "curr" = "data". bluez-5.76/lib/sdp.c:553:2: out_of_scope: Variable "data" goes out of scope. bluez-5.76/lib/sdp.c:552:3: overwrite_var: Overwriting "curr" in "curr = data". bluez-5.76/lib/sdp.c:545:4: leaked_storage: Variable "seq" going out of scope leaks the storage it points to. 543| 544| if (!data) 545|-> return NULL; 546| 547| if (curr) --- lib/sdp.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/lib/sdp.c b/lib/sdp.c index 2e66505b21b8..b87951b007a3 100644 --- a/lib/sdp.c +++ b/lib/sdp.c @@ -513,8 +513,10 @@ sdp_data_t *sdp_seq_alloc_with_length(void **dtds, void **values, int *length, else data = sdp_data_alloc_with_length(dtd, values[i], length[i]); - if (!data) + if (!data) { + sdp_data_free(seq); return NULL; + } if (curr) curr->next = data; @@ -541,8 +543,10 @@ sdp_data_t *sdp_seq_alloc(void **dtds, void **values, int len) else data = sdp_data_alloc(dtd, values[i]); - if (!data) + if (!data) { + sdp_data_free(seq); return NULL; + } if (curr) curr->next = data; From patchwork Tue Jul 2 08:47:24 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 13719125 Received: from relay4-d.mail.gandi.net (relay4-d.mail.gandi.net [217.70.183.196]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 020AC14F9CA for ; Tue, 2 Jul 2024 08:49:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.196 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1719910152; cv=none; b=VMRdDHEdBHV8YUKCiha2WzrwB31LcGIY+R0PVYns7yfWWrJ+tWMYv0H41GCH33Adev8VvOWxY2gJM4B3xE4XYlE++EntyG1v9UXPizUbeGzm/8B3+4CX2CZnXPCPCIVUMZOnlEAHzjYstBMl9VkX68mk+KlhKgUwLBXrFGNEUow= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1719910152; c=relaxed/simple; bh=AMs8ychV2P29ai3YR75bpglgCf2JFXuMVDB5Yw5686M=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=Xk6DEJjAxRB6rA2r0qoSxyf1Mfzf5oW/5YfO475HkkOYc2letAMlc3RviRK6yxmfxK++uFlYJBbDQPdO6oKK5msAx+3dAwCdW+Gve1DuiptseW4dW3YLScAOD0+AdCyIHjyELfx97YS2Pze4n7ljdUchghk9KTopMg/K1gsrBhI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.196 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id 83C8BE0010; Tue, 2 Jul 2024 08:49:03 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [PATCH 9/9] sdp: Check memory allocation in sdp_copy_seq() Date: Tue, 2 Jul 2024 10:47:24 +0200 Message-ID: <20240702084900.773620-10-hadess@hadess.net> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20240702084900.773620-1-hadess@hadess.net> References: <20240702084900.773620-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net Fix a potential null-dereference if sdp_data_alloc_with_length() fails, as is done in other similar functions. --- lib/sdp.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/lib/sdp.c b/lib/sdp.c index b87951b007a3..b64245f668d3 100644 --- a/lib/sdp.c +++ b/lib/sdp.c @@ -1538,6 +1538,11 @@ static sdp_data_t *sdp_copy_seq(sdp_data_t *data) value = sdp_data_value(tmp, &len); datatmp = sdp_data_alloc_with_length(tmp->dtd, value, len); + if (!datatmp) { + sdp_data_free(seq); + return NULL; + } + if (cur) cur->next = datatmp; else