From patchwork Thu Jul 4 10:24:32 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 13723579 Received: from relay1-d.mail.gandi.net (relay1-d.mail.gandi.net [217.70.183.193]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 845FC1AB90B for ; Thu, 4 Jul 2024 10:26:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.193 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720088783; cv=none; b=FPgF/NdNUoGRVQgyik+kI4E7SupZqjDJD+Dc0Bmvat95YkaUL5vmCFPmMBbf2Eebe4eav2hnUDmVPCcrAXfS/2LDm3s7xIVwvzXJSkGZ5XRAq+SPPzIwaSQ5qpRn6bt8+y2TbSxOsmnDjkQKqBgEniYytgYq/NiT++0Zk2OQP2c= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720088783; c=relaxed/simple; bh=1mmU6nPD6m4Swz7UeXdpRrTFshfVYLP6F8b8V2+GLgs=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=MqvvXiW1/DRhN0D+C1XqM+5uIfiaom7fLewDlIFh4x3gpwbJNceydnopIiO09YyAt2hxHCs4loe0U5rSRZjqxhIXaAUUUKNxe2heHXFlEHNCbVQ0lBt8qHXkiG+ytqtRv6D2+lHmJvoC1QiwzPmJt1eCnprWhtPXPJ9P5wkfjiA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.193 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id 8D33D240009; Thu, 4 Jul 2024 10:26:18 +0000 (UTC) 
From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [BlueZ 01/12] gatt-server: Don't allocate negative data Date: Thu, 4 Jul 2024 12:24:32 +0200 Message-ID: <20240704102617.1132337-2-hadess@hadess.net> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20240704102617.1132337-1-hadess@hadess.net> References: <20240704102617.1132337-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net Set a lower-bound to the data MTU to avoid allocating -1 elements if bt_att_get_mtu() returns zero. Error: OVERRUN (CWE-119): [#def36] [important] bluez-5.76/src/shared/gatt-server.c:1121:2: zero_return: Function call "bt_att_get_mtu(server->att)" returns 0. bluez-5.76/src/shared/gatt-server.c:1121:2: assignment: Assigning: "data->mtu" = "bt_att_get_mtu(server->att)". The value of "data->mtu" is now 0. bluez-5.76/src/shared/gatt-server.c:1123:19: assignment: Assigning: "__n" = "(size_t)(data->mtu - 1UL)". The value of "__n" is now 18446744073709551615. bluez-5.76/src/shared/gatt-server.c:1123:19: assignment: Assigning: "__s" = "1UL". bluez-5.76/src/shared/gatt-server.c:1123:19: overrun-buffer-arg: Calling "memset" with "__p" and "__n * __s" is suspicious because of the very large index, 18446744073709551615. The index may be due to a negative parameter being interpreted as unsigned. [Note: The source code implementation of the function has been overridden by a builtin model.] 1121| data->mtu = bt_att_get_mtu(server->att); 1122| data->length = 0; 1123|-> data->rsp_data = new0(uint8_t, data->mtu - 1); 1124| 1125| return data; --- src/shared/gatt-server.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c index 3a53d5dfde6b..c587553d655d 100644 --- a/src/shared/gatt-server.c +++ b/src/shared/gatt-server.c 
@@ -1118,7 +1118,7 @@ static struct read_mult_data *read_mult_data_new(struct bt_gatt_server *server, data->server = server; data->num_handles = num_handles; data->cur_handle = 0; - data->mtu = bt_att_get_mtu(server->att); + data->mtu = MAX(bt_att_get_mtu(server->att), BT_ATT_DEFAULT_LE_MTU); data->length = 0; data->rsp_data = new0(uint8_t, data->mtu - 1); From patchwork Thu Jul 4 10:24:33 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 13723580 Received: from relay1-d.mail.gandi.net (relay1-d.mail.gandi.net [217.70.183.193]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3566F1AB90C for ; Thu, 4 Jul 2024 10:26:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.193 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720088783; cv=none; b=bOwvrhuaeiBsmlwLEPoTZHoZauxLMZnNgOMYWAsvyC11jSWtmzL2M0+4G7Kl3JC2G1p3yChtgCl7tFRmPpi8BrgUWKQOtpTpvZIOJKrrIgTRM4z8vuPn+S5CdsOiz1RTBMjZ20ZXPIIkdiOzSLPgqRFfJlYvXU59f1OArR+Od1E= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720088783; c=relaxed/simple; bh=ECtqWYTcAPckF0WWaeMAUT+FoPOcYaVoMlu+OHa+850=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=ALTP9WkOI3EoAFN33sZ/M6OPQYRVMrQEH87vIXkmUV/X8TMLFZWFpdnv0bqhuMI74t/JPvCa99b6NRYN2JiMo3sG5nzqweojz9Vq6uIgqZAfihYVWmhWLPk8fFxHWrpOWuoeSlsLdBk5pKAv7kMUV/CM7LvB1wD8leSlirNYHr4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.193 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by 
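Review bot: in the [BlueZ 01/12] gatt-server hunk, MAX(bt_att_get_mtu(server->att), BT_ATT_DEFAULT_LE_MTU) at line 1121 turns the zero MTU that the Coverity trace describes into a silently substituted default rather than an error. A zero return from bt_att_get_mtu() means there is no usable ATT MTU for this server, so read_mult_data_new() could return NULL and let the caller reject the request; if falling back to the default LE MTU is the intended behaviour, the commit message should say why it is safe, since rsp_data is sized to data->mtu - 1 and every later bound on the response must use this same data->mtu rather than asking bt_att_get_mtu() again.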
mail.gandi.net (Postfix) with ESMTPSA id 168B924000C; Thu, 4 Jul 2024 10:26:18 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [BlueZ 02/12] shared/shell: Free w.we_wordv on early function exit Date: Thu, 4 Jul 2024 12:24:33 +0200 Message-ID: <20240704102617.1132337-3-hadess@hadess.net> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20240704102617.1132337-1-hadess@hadess.net> References: <20240704102617.1132337-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net Error: RESOURCE_LEAK (CWE-772): [#def38] [important] bluez-5.76/src/shared/shell.c:519:2: alloc_arg: "parse_args" allocates memory that is stored into "w.we_wordv". bluez-5.76/src/shared/shell.c:523:3: leaked_storage: Variable "w" going out of scope leaks the storage "w.we_wordv" points to. 521| "Unable to parse mandatory command arguments: %s", man ); 522| free(man); 523|-> return -EINVAL; 524| } 525| Error: RESOURCE_LEAK (CWE-772): [#def39] [important] bluez-5.76/src/shared/shell.c:539:2: alloc_arg: "parse_args" allocates memory that is stored into "w.we_wordv". bluez-5.76/src/shared/shell.c:543:3: leaked_storage: Variable "w" going out of scope leaks the storage "w.we_wordv" points to. 541| "Unable to parse optional command arguments: %s", opt); 542| free(opt); 543|-> return -EINVAL; 544| } 545| --- src/shared/shell.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/shared/shell.c b/src/shared/shell.c index add4fa131c7a..878be140c336 100644 --- a/src/shared/shell.c +++ b/src/shared/shell.c @@ -525,6 +525,7 @@ static int cmd_exec(const struct bt_shell_menu_entry *entry, print_text(COLOR_HIGHLIGHT, "Unable to parse mandatory command arguments: %s", man ); free(man); + wordfree(&w); return -EINVAL; } 
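Review bot: the wordfree(&w) added at line 528 fixes the path Coverity flagged, but cmd_exec() now has two hand-written error exits (this one for the mandatory arguments and the optional-arguments one in the next hunk) that each repeat free() followed by wordfree(); a single cleanup label reached with goto would keep the next early return from reintroducing the leak. Worth confirming at the same time that the success path and any other return between the wordexp() call and the end of the function already release w, since the report only lists the two paths that leak.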
@@ -545,6 +546,7 @@ optional: print_text(COLOR_HIGHLIGHT, "Unable to parse optional command arguments: %s", opt); free(opt); + wordfree(&w); return -EINVAL; } From patchwork Thu Jul 4 10:24:34 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 13723581 Received: from relay1-d.mail.gandi.net (relay1-d.mail.gandi.net [217.70.183.193]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6A9CD1AB90F for ; Thu, 4 Jul 2024 10:26:21 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.193 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720088783; cv=none; b=gPHogRC5gCNmrQHnzcW2A+nbLOg5b+9qC7MjbGDhRpCf5xvZ1p1b98yeChrzStgo8118XvpFDY6RyqWxyMkxj7Qp+UeVth+AXk2JspMmd7XP2rmzuwC872P7NaxFziSvb1MSDf3bvBJFcx7aDBNpiQyokwVXo8aXBgXnBeyPOPg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720088783; c=relaxed/simple; bh=7DO1kCsO38UYhE5wxbDolZXtkXl/MAdWhfekreVst+g=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=ljTYqUzlT2rDFVJoxhCA+RNBtJS63BH/JRxZ/SjknYQ0AxYs3deXH1Yhn37ow3LY6IEgmnKQJbgwEZWmVJNJf7bDl5fxNWQYFr8I5S0erE5+GZsH8euPT5W1mZ0C4obCCjYcYC8bE1lO9lQJGuXE1fIR8QPVXZzaphPvnXX5SOU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.193 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id 7E762240004; Thu, 4 Jul 2024 10:26:19 +0000 (UTC) 
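Review bot: same point for the [BlueZ 02/12] optional-arguments hunk: `free(opt); wordfree(&w); return -EINVAL;` at line 549 duplicates the cleanup sequence of the mandatory-arguments path, so a shared exit label would be the more robust fix.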
From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [BlueZ 03/12] shared/shell: Free memory allocated by wordexp() Date: Thu, 4 Jul 2024 12:24:34 +0200 Message-ID: <20240704102617.1132337-4-hadess@hadess.net> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20240704102617.1132337-1-hadess@hadess.net> References: <20240704102617.1132337-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net Error: RESOURCE_LEAK (CWE-772): [#def40] [important] bluez-5.76/src/shared/shell.c:1113:3: alloc_arg: "wordexp" allocates memory that is stored into "w.we_wordv". bluez-5.76/src/shared/shell.c:1114:4: leaked_storage: Variable "w" going out of scope leaks the storage "w.we_wordv" points to. 1112| 1113| if (wordexp(rl_line_buffer, &w, WRDE_NOCMD)) 1114|-> return NULL; 1115| 1116| matches = menu_completion(default_menu, text, w.we_wordc, Error: RESOURCE_LEAK (CWE-772): [#def42] [important] bluez-5.76/src/shared/shell.c:1412:2: alloc_arg: "wordexp" allocates memory that is stored into "w.we_wordv". bluez-5.76/src/shared/shell.c:1415:3: leaked_storage: Variable "w" going out of scope leaks the storage "w.we_wordv" points to. 1413| switch (err) { 1414| case WRDE_BADCHAR: 1415|-> return -EBADMSG; 1416| case WRDE_BADVAL: 1417| case WRDE_SYNTAX: Error: RESOURCE_LEAK (CWE-772): [#def43] [important] bluez-5.76/src/shared/shell.c:1412:2: alloc_arg: "wordexp" allocates memory that is stored into "w.we_wordv". bluez-5.76/src/shared/shell.c:1418:3: leaked_storage: Variable "w" going out of scope leaks the storage "w.we_wordv" points to. 1416| case WRDE_BADVAL: 1417| case WRDE_SYNTAX: 1418|-> return -EINVAL; 1419| case WRDE_NOSPACE: 1420| return -ENOMEM; Error: RESOURCE_LEAK (CWE-772): [#def44] [important] bluez-5.76/src/shared/shell.c:1412:2: alloc_arg: "wordexp" allocates memory that is stored into "w.we_wordv". 
bluez-5.76/src/shared/shell.c:1420:3: leaked_storage: Variable "w" going out of scope leaks the storage "w.we_wordv" points to. 1418| return -EINVAL; 1419| case WRDE_NOSPACE: 1420|-> return -ENOMEM; 1421| case WRDE_CMDSUB: 1422| if (wordexp(input, &w, 0)) Error: RESOURCE_LEAK (CWE-772): [#def45] [important] bluez-5.76/src/shared/shell.c:1422:3: alloc_arg: "wordexp" allocates memory that is stored into "w.we_wordv". bluez-5.76/src/shared/shell.c:1423:4: leaked_storage: Variable "w" going out of scope leaks the storage "w.we_wordv" points to. 1421| case WRDE_CMDSUB: 1422| if (wordexp(input, &w, 0)) 1423|-> return -ENOEXEC; 1424| break; 1425| }; --- src/shared/shell.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/src/shared/shell.c b/src/shared/shell.c index 878be140c336..c09d41ee54df 100644 --- a/src/shared/shell.c +++ b/src/shared/shell.c @@ -1117,8 +1117,10 @@ static char **shell_completion(const char *text, int start, int end) if (start > 0) { wordexp_t w; - if (wordexp(rl_line_buffer, &w, WRDE_NOCMD)) + if (wordexp(rl_line_buffer, &w, WRDE_NOCMD)) { + wordfree(&w); return NULL; + } matches = menu_completion(default_menu, text, w.we_wordc, w.we_wordv[0]); 
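Review bot: the wordfree(&w) added in the failure branch of the wordexp() call in shell_completion() runs on a wordexp_t that wordexp() has just failed to fill. POSIX only documents that memory may be left allocated when the return is WRDE_NOSPACE; for the other error codes the hunk relies on the C library having reset w.we_wordv to NULL on entry (glibc does so when WRDE_APPEND is not set), so a one-line comment stating that assumption next to the call would help, and the same applies to the four wordfree() calls in the bt_shell_exec() hunk below.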
@@ -1421,15 +1423,20 @@ int bt_shell_exec(const char *input) err = wordexp(input, &w, WRDE_NOCMD); switch (err) { case WRDE_BADCHAR: + wordfree(&w); return -EBADMSG; case WRDE_BADVAL: case WRDE_SYNTAX: + wordfree(&w); return -EINVAL; case WRDE_NOSPACE: + wordfree(&w); return -ENOMEM; case WRDE_CMDSUB: - if (wordexp(input, &w, 0)) + if (wordexp(input, &w, 0)) { + wordfree(&w); return -ENOEXEC; + } break; }; From patchwork Thu Jul 4 10:24:35 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 13723582 Received: from relay1-d.mail.gandi.net (relay1-d.mail.gandi.net [217.70.183.193]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C27D71AB911 for ; Thu, 4 Jul 2024 10:26:21 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.193 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720088783; cv=none; b=WemqLlWbD7HbNxpjgxkbvt41srrgLgp7UN9/aCfl4jHmql5BEiX9aHcfEKGIwg3ENcC/S/LFRGzHFtr4OGabyQMQkYCyGKMyQO1rQ4Vv2FpGocb0joqdJ3L/DPip+88UjV7PrMMQNEXBE44/qgVyE06blLfqeb+kUOo7cLJ7bro= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720088783; c=relaxed/simple; bh=yudE9JDnTEeVHlV5siLpbDQxihf+gd9DYV9bxay1mTA=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=md4utmdCSKD8EuBNKJHBE0T4a4COTuIwZhv8YuDeMf0YSjyF6LG6B9dfH1Z8V+sZ1GVzmBRFPz97qrliFabx+zak2Ez6fSkoi2ec4RiOjb9pSOCN8hpmX2SXpn6rT6oWQfCeJufzIXRc87oeewBMxNFVWdSJuLxKpwj6z5jLdqo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.193 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: 
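Review bot: in the WRDE_CMDSUB case of bt_shell_exec(), the first wordexp(input, &w, WRDE_NOCMD) has already failed and w is then reused for wordexp(input, &w, 0) without a wordfree() in between and without WRDE_REUSE, so anything the first call left in w.we_wordv (the same leak Coverity raised for the other arms of this switch) is overwritten and lost; add wordfree(&w) before the retry, as the other cases now do, and keep the new wordfree() on the retry's own failure. The retry without WRDE_NOCMD is pre-existing behaviour, but a comment on why command substitution is accepted on this path would help the next reader of this switch.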
smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id C1489240006; Thu, 4 Jul 2024 10:26:19 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [BlueZ 04/12] shared/shell: Fix fd leak if -s is passed multiple times Date: Thu, 4 Jul 2024 12:24:35 +0200 Message-ID: <20240704102617.1132337-5-hadess@hadess.net> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20240704102617.1132337-1-hadess@hadess.net> References: <20240704102617.1132337-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net Error: RESOURCE_LEAK (CWE-772): [#def37] [important] bluez-5.76/src/shared/shell.c:1305:5: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.] bluez-5.76/src/shared/shell.c:1305:5: var_assign: Assigning: "data.init_fd" = handle returned from "open(optarg, 0)". bluez-5.76/src/shared/shell.c:1305:5: overwrite_var: Overwriting handle "data.init_fd" in "data.init_fd = open(optarg, 0)" leaks the handle. 1303| case 's': 1304| if (optarg) 1305|-> data.init_fd = open(optarg, O_RDONLY); 1306| if (data.init_fd < 0) 1307| printf("Unable to open %s: %s (%d)\n", optarg, --- src/shared/shell.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/shared/shell.c b/src/shared/shell.c index c09d41ee54df..d500dddf8acf 100644 --- a/src/shared/shell.c +++ b/src/shared/shell.c 
@@ -1306,11 +1306,12 @@ void bt_shell_init(int argc, char **argv, const struct bt_shell_opt *opt) data.mode = 1; goto done; case 's': - if (optarg) + if (optarg && data.init_fd < 0) { data.init_fd = open(optarg, O_RDONLY); - if (data.init_fd < 0) - printf("Unable to open %s: %s (%d)\n", optarg, + if (data.init_fd < 0) + printf("Unable to open %s: %s (%d)\n", optarg, strerror(errno), errno); + } break; case 't': if (optarg) From patchwork Thu Jul 4 10:24:36 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 13723584 Received: from relay1-d.mail.gandi.net (relay1-d.mail.gandi.net [217.70.183.193]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E46F11AB91B for ; Thu, 4 Jul 2024 10:26:22 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.193 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720088784; cv=none; b=AKL/H6uZ7OvWHeV2kf32QVvI6/tXCsJhYmWfU/a14KMmxCz3FZkqQEV6mtopMmFEJpW8XlHBDA+T6lBsRRfG2i+coA3hwkvw2kqrf2CcOYIbZPfepRUXy2ulB92oOvNykrqPiQKRDHZOSo2WVzL07OZZiZoxiD1ZEN4gHZdLoCE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720088784; c=relaxed/simple; bh=lvIg2+dDecXMydPp3QRxG42uiS2BVeRFzszFwjtEl44=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=apcnjZYG8h1El4pUO+27Yy86/FbaigJ6XLfvY69c3+F6QyUSdXjXt1G0cpKG6mGm7fUvif8R+xkRGpIXAvGHIjCa7IH54R8+5B4p5g9XHESZIYRIUQKJuVgQiTE9U0YBfGKoipIacmHMzj1pTdNmM/iuo3BOzamBap+bTLCx/v4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.193 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: 
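Review bot: in the [BlueZ 04/12] hunk, `optarg && data.init_fd < 0` in the case 's' branch of bt_shell_init() only works if data.init_fd is initialised to a negative value before getopt runs; that initialisation is not in the hunk, and if data is a zero-initialised static the condition is never true and -s silently stops opening anything, so please confirm the initial value. The user-visible semantics also change: a repeated -s is now ignored (first wins) where most getopt-based tools take the last value; closing the previous fd before the new open(), or printing a warning that the repeat is ignored, would make the behaviour explicit.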
smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id 1486124000E; Thu, 4 Jul 2024 10:26:19 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [BlueZ 05/12] btsnoop: Fix possible negative memcpy length Date: Thu, 4 Jul 2024 12:24:36 +0200 Message-ID: <20240704102617.1132337-6-hadess@hadess.net> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20240704102617.1132337-1-hadess@hadess.net> References: <20240704102617.1132337-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net Error: INTEGER_OVERFLOW (CWE-190): [#def41] [important] bluez-5.76/tools/btsnoop.c:438:2: tainted_data_return: Called function "read(fd, buf, toread)", and a possible return value may be less than zero. bluez-5.76/tools/btsnoop.c:438:2: assign: Assigning: "len" = "read(fd, buf, toread)". bluez-5.76/tools/btsnoop.c:473:4: overflow: The cast of "len - 9L", which is potentially negative, to an unsigned type could result in an overflow. 471| /* next 4 bytes are data len and cid */ 472| current_cid = buf[8] << 8 | buf[7]; 473|-> memcpy(pdu_buf, buf + 9, len - 9); 474| pdu_len = len - 9; 475| } else if (acl_flags & 0x01) { Error: INTEGER_OVERFLOW (CWE-190): [#def42] [important] bluez-5.76/tools/btsnoop.c:438:2: tainted_data_return: Called function "read(fd, buf, toread)", and a possible return value may be less than zero. bluez-5.76/tools/btsnoop.c:438:2: assign: Assigning: "len" = "read(fd, buf, toread)". bluez-5.76/tools/btsnoop.c:476:4: overflow: The cast of "len - 5L", which is potentially negative, to an unsigned type could result in an overflow. 474| pdu_len = len - 9; 475| } else if (acl_flags & 0x01) { 476|-> memcpy(pdu_buf + pdu_len, buf + 5, len - 5); 477| pdu_len += len - 5; 478| } --- tools/btsnoop.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/tools/btsnoop.c b/tools/btsnoop.c index efaa45db41dd..0bd28b65b6e1 100644 --- a/tools/btsnoop.c +++ b/tools/btsnoop.c @@ -448,7 +448,7 @@ next_packet: acl_flags = buf[2] >> 4; /* use only packet with ACL start flag */ - if (acl_flags & 0x02) { + if ((acl_flags & 0x02) && len > 9) { if (current_cid == 0x0040 && pdu_len > 0) { int i; if (!pdu_first) 
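Review bot: `(acl_flags & 0x02) && len > 9` at line 451 folds the length check into the flag dispatch, so an ACL start fragment shorter than 10 bytes no longer matches here and falls through to the `else if (acl_flags & 0x01)` branch of the next hunk; for acl_flags == 0x03 (both PB bits set) such a packet would then be appended as a continuation fragment instead of being dropped. Checking len once, before acl_flags is derived from buf[2] at line 448 (which itself reads buf without a length check) and including the negative return of read() that Coverity traced from line 438, and skipping the packet when it is too short, keeps the two concerns separate.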
@@ -472,7 +472,7 @@ next_packet: current_cid = buf[8] << 8 | buf[7]; memcpy(pdu_buf, buf + 9, len - 9); pdu_len = len - 9; - } else if (acl_flags & 0x01) { + } else if ((acl_flags & 0x01) && len > 5) { memcpy(pdu_buf + pdu_len, buf + 5, len - 5); pdu_len += len - 5; } From patchwork Thu Jul 4 10:24:37 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 13723583 Received: from relay1-d.mail.gandi.net (relay1-d.mail.gandi.net [217.70.183.193]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E47591AB91C for ; Thu, 4 Jul 2024 10:26:22 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.193 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720088784; cv=none; b=EAZWTJxl+YtHF2s+Eqd7WhPFnj3mglcQyE5K/FLtlYbt3ww9ffDtGoQ/aKcSdp6vSWgUm6LWhHN2eUlSZHUS9RGN5swmfOglfGHR48sJjZoYaQphGxGGjbNGWwFB0o/4Sun6IbgXvy351mE8Sjvvge9yXwOvFil7RE/pj93vfI8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720088784; c=relaxed/simple; bh=gcgUu0Tuh8qeZ3Gh7h2fkiGCf8wsPAt8jwuDMZhbNS0=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=CbbjiGmPfgbKyzyRTQjgD+j/Ah3KFCOXdvSDzwheRhHfgRNilV5ce55F9usIXh+OIgxB21kaoZn/EMw9gq3RmDznl9HkCQO9e1HFNE5wqQqXOlrTm68MhcSwXmI/GgEgJKmSvVlKtYO2y8/6NOIxr6N9m6RlwBJ7Cy8dMvgtdZg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.193 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id 57BE524000B; Thu, 4 Jul 2024 10:26:21 +0000 
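Review bot: `len > 5` at line 475 fixes the negative memcpy length, but `pdu_len += len - 5` at 477 still accumulates continuation fragments without checking that pdu_len + (len - 5) fits in pdu_buf, whose size is not visible in this hunk; if pdu_buf is fixed-size, a bound check there (drop or truncate when the PDU would overflow) belongs with this fix. Also, `len > 9` in the previous hunk rather than `len >= 9` means a start fragment carrying only the L2CAP length and CID with no payload is no longer recorded; the commit message should say whether that is intended.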
(UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [BlueZ 06/12] sdp: Fix possible null dereference Date: Thu, 4 Jul 2024 12:24:37 +0200 Message-ID: <20240704102617.1132337-7-hadess@hadess.net> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20240704102617.1132337-1-hadess@hadess.net> References: <20240704102617.1132337-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net From the BlueZ scanbot: lib/sdp.c:586:12: warning: Access to field 'attrId' results in a dereference of a null pointer (loaded from variable 'd') d->attrId = attr; ~ ^ lib/sdp.c:967:10: warning: Access to field 'dtd' results in a dereference of a null pointer (loaded from variable 'd') switch (d->dtd) { ^~~~~~ --- lib/sdp.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/lib/sdp.c b/lib/sdp.c index b64245f668d3..e260a5a9663e 100644 --- a/lib/sdp.c +++ b/lib/sdp.c @@ -582,6 +582,8 @@ int sdp_attr_add(sdp_record_t *rec, uint16_t attr, sdp_data_t *d) if (p) return -1; + if (!d) + return -1; d->attrId = attr; rec->attrlist = sdp_list_insert_sorted(rec->attrlist, d, sdp_attrid_comp_func); 
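Review bot: the new `if (!d) return -1;` at line 585 sits after the existing lookup that sets p, so a NULL d still costs an attribute search before being rejected; moving the check to the top of sdp_attr_add() is cheaper and reads as a precondition. -1 is also what the duplicate-attribute path at 583 returns, so callers cannot distinguish "attribute already present" from "no data"; if that matters, a distinct return value or a comment on the API contract would help.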
@@ -964,6 +966,8 @@ static void data_seq_free(sdp_data_t *seq) void sdp_data_free(sdp_data_t *d) { + if (!d) + return; switch (d->dtd) { case SDP_SEQ8: case SDP_SEQ16: From patchwork Thu Jul 4 10:24:38 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 13723585 Received: from relay1-d.mail.gandi.net (relay1-d.mail.gandi.net [217.70.183.193]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 491A41ABC25 for ; Thu, 4 Jul 2024 10:26:22 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.193 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720088784; cv=none; b=e3VEaXqhm3zmrzySdKZb80wRf2QTf9BdAjAMxBqaSJb7N2+jaIq/Rcp4zembSCV9eOzZcQZL3Y/ZKMSHvGc2IoPPMSAZ8wsyhA8GrH74e2U3TnP4QubDb/9AMZFgiz8hbWGMbMgRYs6e757pWRjbQpq7fP52cAq96gahaFx0DXU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720088784; c=relaxed/simple; bh=N4pEx5sWh9VmjRl91OoGtPCKaGhZxguLOuuAogGpyCQ=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=SV2CIRn8FXVL645izS0iod7FK1Z7N7EsnLy04ry0gbHQvzcIxjxM4OMV8lWT1Pk/tqhrLaa73HOUJgUv64ocPnqkh/v9rDlGeY0Gjvrkl3Qgrx1Q/aIPl8TW8F/pyX4XRj1+9CH4NuN6T5R9O/6xgKwOmia0deQ49bEqFoy2B2s= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.193 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id 93DC024000D; Thu, 4 Jul 2024 10:26:21 +0000 (UTC) 
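Review bot: `if (!d) return;` at line 968 of the [BlueZ 06/12] hunk gives sdp_data_free() free()-style NULL tolerance, which is fine, but the scanbot warning at lib/sdp.c:967 means some caller passes NULL; that caller is the actual defect and is worth a look, so the new check does not hide an earlier allocation or parse failure.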
From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [BlueZ 07/12] sdp: Fix mismatched int casting Date: Thu, 4 Jul 2024 12:24:38 +0200 Message-ID: <20240704102617.1132337-8-hadess@hadess.net> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20240704102617.1132337-1-hadess@hadess.net> References: <20240704102617.1132337-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net --- lib/sdp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/sdp.c b/lib/sdp.c index e260a5a9663e..411a95b8a7d3 100644 --- a/lib/sdp.c +++ b/lib/sdp.c 
@@ -506,7 +506,7 @@ sdp_data_t *sdp_seq_alloc_with_length(void **dtds, void **values, int *length, for (i = 0; i < len; i++) { sdp_data_t *data; - int8_t dtd = *(uint8_t *) dtds[i]; + uint8_t dtd = *(uint8_t *) dtds[i]; if (dtd >= SDP_SEQ8 && dtd <= SDP_ALT32) data = (sdp_data_t *) values[i]; From patchwork Thu Jul 4 10:24:39 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 13723587 Received: from relay1-d.mail.gandi.net (relay1-d.mail.gandi.net [217.70.183.193]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 964F91AB90B for ; Thu, 4 Jul 2024 10:26:23 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.193 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720088785; cv=none; b=oXfLDSA+/IR7viDvCc+ri9bWLsuMm3k7Lb7mazLEIt8A5T7LC8nkqz31otOi4soB//XRS598yh1Qo3rz08tH5ln1HXT5EWG5A37jZ9UJJS9rI8gxNp6/qT5us9ruKpY7YS6bXUjVs87pqf7xznn/EAKlg8pKasm6lz37kA338xw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720088785; c=relaxed/simple; bh=E0SSEybmdjBxLSSaKZC832oxacklCxLzNzdU7QbqVes=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=rPl/ngEY+1mnrxmELN7tjz5/CXvbQjahZCD3QISShqS6tb00c+dHhcX3QETsOoTs6xZmHc/1beyaXfAkEUtUH8WNEPKnM1L9Jz36YbIySVKtPdjouFVeHbqnsBJ7iHm7STcuE+5gawOjeriVrvf+moUnSSlXL6D9f6+0OpPnXko= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.193 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id DC21124000F; Thu, 4 Jul 
2024 10:26:21 +0000 (UTC) 
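Review bot: the [BlueZ 07/12] commit has no body; the hunk in sdp_seq_alloc_with_length() changes dtd from int8_t to uint8_t, and the message should say which warning this addresses and whether the `dtd >= SDP_SEQ8 && dtd <= SDP_ALT32` range check ever evaluated differently for a value that was negative as int8_t (any DTD byte with the top bit set), so reviewers can tell a type-correctness cleanup from a behavioural fix.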
From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [BlueZ 08/12] emulator: Fix integer truncation warnings Date: Thu, 4 Jul 2024 12:24:39 +0200 Message-ID: <20240704102617.1132337-9-hadess@hadess.net> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20240704102617.1132337-1-hadess@hadess.net> References: <20240704102617.1132337-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net Error: INTEGER_OVERFLOW (CWE-190): [#def1] [important] bluez-5.76/emulator/amp.c:693:2: cast_overflow: Truncation due to cast operation on "(remain_assoc_len > 248) ? 248 : remain_assoc_len" from 32 to 16 bits. bluez-5.76/emulator/amp.c:693:2: overflow_assign: "fragment_len" is assigned from "(remain_assoc_len > 248) ? 248 : remain_assoc_len". bluez-5.76/emulator/amp.c:698:2: overflow_sink: "fragment_len", which might have overflowed, is passed to "memcpy(rsp.assoc_fragment, amp->local_assoc + len_so_far, fragment_len)". [Note: The source code implementation of the function has been overridden by a builtin model.] 696| rsp.phy_handle = cmd->phy_handle; 697| rsp.remain_assoc_len = cpu_to_le16(remain_assoc_len); 698|-> memcpy(rsp.assoc_fragment, amp->local_assoc + len_so_far, 699| fragment_len); 700| Error: INTEGER_OVERFLOW (CWE-190): [#def2] [important] bluez-5.76/emulator/amp.c:701:2: cast_overflow: Truncation due to cast operation on "4 + fragment_len" from 32 to 8 bits. bluez-5.76/emulator/amp.c:701:2: overflow_sink: "4 + fragment_len", which might have overflowed, is passed to "cmd_complete(amp, 5130, &rsp, 4 + fragment_len)". 699| fragment_len); 700| 701|-> cmd_complete(amp, BT_HCI_CMD_READ_LOCAL_AMP_ASSOC, 702| &rsp, 4 + fragment_len); 703| } Error: INTEGER_OVERFLOW (CWE-190): [#def4] [important] bluez-5.76/emulator/bthost.c:3309:3: cast_overflow: Truncation due to cast operation on "len - offset" from 32 to 8 bits. 
bluez-5.76/emulator/bthost.c:3309:3: overflow_assign: "cp->data_len" is assigned from "len - offset". bluez-5.76/emulator/bthost.c:3317:2: overflow_sink: "cp->data_len", which might have overflowed, is passed to "memcpy(cp->data, data + offset, cp->data_len)". [Note: The source code implementation of the function has been overridden by a builtin model.] 3315| } 3316| 3317|-> memcpy(cp->data, data + offset, cp->data_len); 3318| 3319| send_command(bthost, BT_HCI_CMD_LE_SET_PA_DATA, buf, --- emulator/amp.c | 3 ++- emulator/bthost.c | 8 +++++--- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/emulator/amp.c b/emulator/amp.c index 49d2df7b39df..6daf00189f3a 100644 --- a/emulator/amp.c +++ b/emulator/amp.c @@ -680,7 +680,8 @@ static void cmd_read_local_amp_assoc(struct bt_amp *amp, { const struct bt_hci_cmd_read_local_amp_assoc *cmd = data; struct bt_hci_rsp_read_local_amp_assoc rsp; - uint16_t len_so_far, remain_assoc_len, fragment_len; + uint16_t len_so_far, remain_assoc_len; + size_t fragment_len; if (cmd->phy_handle != amp->phy_handle) { cmd_status(amp, BT_HCI_ERR_INVALID_PARAMETERS, diff --git a/emulator/bthost.c b/emulator/bthost.c index cc9bf7240531..95160506d0c4 100644 --- a/emulator/bthost.c +++ b/emulator/bthost.c @@ -3290,6 +3290,7 @@ static void set_pa_data(struct bthost *bthost, const uint8_t *data, { struct bt_hci_cmd_le_set_pa_data *cp; uint8_t buf[sizeof(*cp) + BT_PA_MAX_DATA_LEN]; + size_t data_len; cp = (void *)buf; @@ -3299,14 +3300,14 @@ static void set_pa_data(struct bthost *bthost, const uint8_t *data, cp->handle = 1; if (len - offset > BT_PA_MAX_DATA_LEN) { - cp->data_len = BT_PA_MAX_DATA_LEN; + data_len = BT_PA_MAX_DATA_LEN; if (!offset) cp->operation = 0x01; else cp->operation = 0x00; } else { - cp->data_len = len - offset; + data_len = len - offset; if (!offset) cp->operation = 0x03; 
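Review bot: in the amp.c hunk at line 683, widening fragment_len to size_t removes the 32-to-16-bit truncation in memcpy(), but the report's second finding (#def2) is the `4 + fragment_len` argument to cmd_complete() being narrowed to 8 bits, which this hunk does not change; it is safe only because fragment_len is clamped to 248 (so 4 + fragment_len is at most 252), and a comment at that call stating the bound would make the silenced warning visibly correct. In the set_pa_data() hunks, the new size_t data_len is assigned either BT_PA_MAX_DATA_LEN or len - offset; if len and offset are unsigned and len < offset, the existing `len - offset > BT_PA_MAX_DATA_LEN` test wraps and takes the first branch, which is pre-existing but worth an early `if (offset > len) return;` now that the code is being touched.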
@@ -3314,7 +3315,8 @@ static void set_pa_data(struct bthost *bthost, const uint8_t *data, cp->operation = 0x02; } - memcpy(cp->data, data + offset, cp->data_len); + memcpy(cp->data, data + offset, data_len); + cp->data_len = data_len; send_command(bthost, BT_HCI_CMD_LE_SET_PA_DATA, buf, sizeof(*cp) + cp->data_len);

From patchwork Thu Jul 4 10:24:40 2024
X-Patchwork-Submitter: Bastien Nocera
X-Patchwork-Id: 13723586
From: Bastien Nocera
To: linux-bluetooth@vger.kernel.org
Cc: Bastien Nocera
Subject: [BlueZ 09/12] gatt-server: Fix integer overflow due to cast operation
Date: Thu, 4 Jul 2024 12:24:40 +0200
Message-ID: <20240704102617.1132337-10-hadess@hadess.net>
In-Reply-To: <20240704102617.1132337-1-hadess@hadess.net>
References: <20240704102617.1132337-1-hadess@hadess.net>

Error: INTEGER_OVERFLOW (CWE-190): [#def25] [important]
bluez-5.76/src/shared/gatt-server.c:927:2: cast_overflow: Truncation due to cast operation on "((unsigned int)mtu - 1U < len) ? (unsigned int)mtu - 1U : len" from 32 to 16 bits.
bluez-5.76/src/shared/gatt-server.c:927:2: overflow_sink: "((unsigned int)mtu - 1U < len) ? (unsigned int)mtu - 1U : len", which might have overflowed, is passed to "bt_att_chan_send(op->chan, rsp_opcode, (len ? value : NULL), (((unsigned int)mtu - 1U < len) ? (unsigned int)mtu - 1U : len), NULL, NULL, NULL)".
 925|   rsp_opcode = get_read_rsp_opcode(op->opcode);
 926|
 927|-> bt_att_chan_send_rsp(op->chan, rsp_opcode, len ? value : NULL,
 928|           MIN((unsigned int) mtu - 1, len));
 929|   async_read_op_destroy(op);
---
 src/shared/gatt-server.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
index c587553d655d..6ced21248b75 100644
--- a/src/shared/gatt-server.c
+++ b/src/shared/gatt-server.c
@@ -908,7 +908,7 @@ static void read_complete_cb(struct gatt_db_attribute *attr, int err, struct async_read_op *op = user_data; struct bt_gatt_server *server = op->server; uint8_t rsp_opcode; - uint16_t mtu; + size_t mtu; uint16_t handle; DBG(server, "Read Complete: err %d", err);
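Review bot: changing `mtu` to `size_t` is not sufficient by itself: when `bt_att_get_mtu()` returns 0, `mtu - 1` now wraps to `SIZE_MAX` instead of 65535, so this hunk is only correct together with the `mtu <= 1` guard in the next hunk and the two must not be separated (for example when backporting). The commit message quotes only the Coverity finding; state the zero-MTU case explicitly so that dependency is on record.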
@@ -916,7 +916,7 @@ static void read_complete_cb(struct gatt_db_attribute *attr, int err, mtu = bt_att_get_mtu(server->att); handle = gatt_db_attribute_get_handle(attr); - if (err) { + if (err || mtu <= 1) { bt_att_chan_send_error_rsp(op->chan, op->opcode, handle, err); async_read_op_destroy(op); return; 
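Review bot: when the new `mtu <= 1` condition is what takes this branch, `err` is still 0, so `bt_att_chan_send_error_rsp(op->chan, op->opcode, handle, err)` emits an ATT Error Response whose error code is 0, which is not a defined ATT error code. Use a real code for that case (the generic Unlikely Error, 0x0E, is the usual choice) instead of reusing `err`. With this guard in place, `MIN(mtu - 1, len)` in the following hunk can no longer wrap, so nothing further is needed there.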
@@ -925,7 +925,7 @@ static void read_complete_cb(struct gatt_db_attribute *attr, int err, rsp_opcode = get_read_rsp_opcode(op->opcode); bt_att_chan_send_rsp(op->chan, rsp_opcode, len ? value : NULL, - MIN((unsigned int) mtu - 1, len)); + MIN(mtu - 1, len)); async_read_op_destroy(op); }

From patchwork Thu Jul 4 10:24:41 2024
X-Patchwork-Submitter: Bastien Nocera
X-Patchwork-Id: 13723588
From: Bastien Nocera
To: linux-bluetooth@vger.kernel.org
Cc: Bastien Nocera
Subject: [BlueZ 10/12] mesh: Fix integer overflow due to cast operation
Date: Thu, 4 Jul 2024 12:24:41 +0200
Message-ID: <20240704102617.1132337-11-hadess@hadess.net>
In-Reply-To: <20240704102617.1132337-1-hadess@hadess.net>
References: <20240704102617.1132337-1-hadess@hadess.net>

Error: INTEGER_OVERFLOW (CWE-190): [#def15] [important]
bluez-5.76/mesh/pb-adv.c:174:4: cast_overflow: Truncation due to cast operation on "size - consumed" from 32 to 8 bits.
bluez-5.76/mesh/pb-adv.c:174:4: overflow_assign: "seg_size" is assigned from "size - consumed".
bluez-5.76/mesh/pb-adv.c:177:3: overflow_sink: "seg_size", which might have overflowed, is passed to "memcpy(buf + 7, data + consumed, seg_size)".
[Note: The source code implementation of the function has been overridden by a builtin model.]
 175|
 176|   buf[6] = (i << 2) | 0x02;
 177|-> memcpy(buf + 7, data + consumed, seg_size);
 178|
 179|   pb_adv_send(session, MESH_IO_TX_COUNT_UNLIMITED, 500,

Error: INTEGER_OVERFLOW (CWE-190): [#def16] [important]
bluez-5.76/mesh/pb-adv.c:179:3: cast_overflow: Truncation due to cast operation on "seg_size + 7" from 32 to 16 bits.
bluez-5.76/mesh/pb-adv.c:179:3: overflow_sink: "seg_size + 7", which might have overflowed, is passed to "pb_adv_send(session, 0, 500, buf, seg_size + 7)".
 177|   memcpy(buf + 7, data + consumed, seg_size);
 178|
 179|-> pb_adv_send(session, MESH_IO_TX_COUNT_UNLIMITED, 500,
 180|           buf, seg_size + 7);
---
 mesh/pb-adv.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mesh/pb-adv.c b/mesh/pb-adv.c
index 385d81d65731..7a1dd87dc210 100644
--- a/mesh/pb-adv.c
+++ b/mesh/pb-adv.c
@@ -166,7 +166,7 @@ static void send_adv_segs(struct pb_adv_session *session, const uint8_t *data, consumed = init_size; for (i = 1; i <= max_seg; i++) { - uint8_t seg_size; /* Amount of payload data being sent */ + size_t seg_size; /* Amount of payload data being sent */ if (size - consumed > PB_ADV_MTU - 1) seg_size = PB_ADV_MTU - 1;

From patchwork Thu Jul 4 10:24:42 2024
X-Patchwork-Submitter: Bastien Nocera
X-Patchwork-Id: 13723589
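Review bot: `size_t seg_size` stops the 8-bit truncation of `size - consumed`, but the second Coverity finding remains: `seg_size + 7` is still narrowed to the 16-bit length parameter of `pb_adv_send()`, and `size - consumed` itself wraps if `consumed` ever exceeds `size`. Both are safe only because `seg_size` is clamped to `PB_ADV_MTU - 1` directly below, so extend the comment on the declaration to say so (for example "bounded by PB_ADV_MTU - 1, so seg_size + 7 fits the 16-bit length"), and consider asserting `consumed <= size` at the top of the loop body.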
From: Bastien Nocera
To: linux-bluetooth@vger.kernel.org
Cc: Bastien Nocera
Subject: [BlueZ 11/12] tools/mesh: Fix integer overflow due to cast operation
Date: Thu, 4 Jul 2024 12:24:42 +0200
Message-ID: <20240704102617.1132337-12-hadess@hadess.net>
In-Reply-To: <20240704102617.1132337-1-hadess@hadess.net>
References: <20240704102617.1132337-1-hadess@hadess.net>

Error: INTEGER_OVERFLOW (CWE-190): [#def29] [important]
bluez-5.76/tools/mesh/mesh-db.c:551:3: cast_overflow: Truncation due to cast operation on "ele_cnt" from 32 to 8 bits.
bluez-5.76/tools/mesh/mesh-db.c:551:3: overflow_sink: "ele_cnt", which might have overflowed, is passed to "remote_add_node((uint8_t const *)uuid, unicast, ele_cnt, key_idx)".
 549|       continue;
 550|
 551|-> remote_add_node((const uint8_t *)uuid, unicast, ele_cnt,
 552|           key_idx);
 553|   for (j = 1; j < key_cnt; j++) {
---
 tools/mesh/mesh-db.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/tools/mesh/mesh-db.c b/tools/mesh/mesh-db.c
index 1d047691d240..abcc09d523a5 100644
--- a/tools/mesh/mesh-db.c
+++ b/tools/mesh/mesh-db.c
@@ -503,7 +503,8 @@ static void load_remotes(json_object *jcfg) uint8_t uuid[16]; uint16_t unicast, key_idx; const char *str; - int ele_cnt, key_cnt; + uint8_t ele_cnt; + int key_cnt; int j; jnode = json_object_array_get_idx(jnodes, i);
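Review bot: making `ele_cnt` a `uint8_t` moves the narrowing from the `remote_add_node()` call to the assignment from `json_object_array_length(jarray)` in the next hunk, where it is silent: a 256-entry elements array stores 0 and a 300-entry one stores 44, and the node is still added. Keep the wide type for the value json_object_array_length() returns, range-check it, and only then copy it into the 8-bit variable that `remote_add_node()` takes.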
@@ -533,9 +534,6 @@ static void load_remotes(json_object *jcfg) ele_cnt = json_object_array_length(jarray); - if (ele_cnt > MAX_ELE_COUNT) - continue; - json_object_object_get_ex(jnode, "netKeys", &jarray); if (!jarray || json_object_get_type(jarray) != json_type_array) continue;

From patchwork Thu Jul 4 10:24:43 2024
X-Patchwork-Submitter: Bastien Nocera
X-Patchwork-Id: 13723590
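Review bot: deleting `if (ele_cnt > MAX_ELE_COUNT) continue;` removes the only bound on the element count. If the reasoning is that a `uint8_t` can never exceed `MAX_ELE_COUNT`, that holds only when `MAX_ELE_COUNT` is 255, and even then the wrap in `ele_cnt = json_object_array_length(jarray)` goes undetected; if `MAX_ELE_COUNT` is smaller, the tool now accepts counts it used to reject. Keep the comparison, applied to the wide value before it is narrowed. The config file is local, but a count the protocol field cannot represent should be refused rather than wrapped.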
From: Bastien Nocera
To: linux-bluetooth@vger.kernel.org
Cc: Bastien Nocera
Subject: [BlueZ 12/12] unit/ringbuf: Fix ineffective guard due to signedness
Date: Thu, 4 Jul 2024 12:24:43 +0200
Message-ID: <20240704102617.1132337-13-hadess@hadess.net>
In-Reply-To: <20240704102617.1132337-1-hadess@hadess.net>
References: <20240704102617.1132337-1-hadess@hadess.net>

"len - end > 0" can never be false because "end" is unsigned, so the whole left-hand side of the expression is unsigned, so always positive.

Error: INTEGER_OVERFLOW (CWE-190): [#def22] [important]
bluez-5.76/src/shared/ringbuf.c:240:2: ineffective_check: The check "len - end > 0UL", which appears to be a guard against integer overflow, is not a useful guard because it is either always true, or never true. This taints "len".
bluez-5.76/src/shared/ringbuf.c:242:3: overflow: The expression "len - end" might be negative, but is used in a context that treats it as unsigned.
bluez-5.76/src/shared/ringbuf.c:242:3: overflow_sink: "len - end", which might be negative, is passed to "memcpy(ringbuf->buffer, str + end, len - end)".
[Note: The source code implementation of the function has been overridden by a builtin model.]
 240|   if (len - end > 0) {
 241|       /* Put the remainder of string at the beginning */
 242|->     memcpy(ringbuf->buffer, str + end, len - end);
 243|
 244|       if (ringbuf->in_tracing)
---
 src/shared/ringbuf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/shared/ringbuf.c b/src/shared/ringbuf.c
index 3dc7ed71b2b2..1b7adbb4f513 100644
--- a/src/shared/ringbuf.c
+++ b/src/shared/ringbuf.c
@@ -237,7 +237,7 @@ int ringbuf_vprintf(struct ringbuf *ringbuf, const char *format, va_list ap) ringbuf->in_tracing(ringbuf->buffer + offset, end, ringbuf->in_data); - if (len - end > 0) { + if ((size_t) len > end) { /* Put the remainder of string at the beginning */ memcpy(ringbuf->buffer, str + end, len - end);
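Review bot: `(size_t) len > end` fixes the always-true unsigned comparison, but `len` is evidently signed (hence the cast), and a negative value, which vsnprintf-style calls return on error, becomes a huge `size_t` here, passes the check and reaches `memcpy(ringbuf->buffer, str + end, len - end)` with an enormous length. Unless a negative `len` is already rejected earlier in ringbuf_vprintf(), add `len < 0` to the error path before this check.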
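The three integer pitfalls this series fixes, collected in one added C example that is not part of the patches or of BlueZ: the implicit narrowing in amp.c, bthost.c and pb-adv.c, the `mtu - 1` wrap in gatt-server.c when the MTU is zero, and the always-true unsigned guard in ringbuf.c. Each appears in its flawed form beside a checked form, and the ringbuf case also covers the negative-length input that a bare cast would mishandle. All function names, the MAX_DATA_LEN limit and the scratch buffer are assumptions made for this illustration, not BlueZ identifiers.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed wire limit, standing in for BT_PA_MAX_DATA_LEN / PB_ADV_MTU - 1. */
#define MAX_DATA_LEN 252

/*
 * Pitfall 1 (amp.c, bthost.c, pb-adv.c): implicit narrowing. A 32-bit
 * difference stored in a uint8_t keeps only its low 8 bits, so 300 bytes
 * "become" 44 and the memcpy fed by the value no longer matches the length
 * the caller meant to send.
 */
uint8_t fragment_len_narrow(uint32_t len, uint32_t offset)
{
	uint8_t fragment = len - offset;	/* silently truncated above 255 */
	return fragment;
}

/*
 * Checked form: subtract in size_t, refuse an offset past the end (which
 * would otherwise wrap and take the clamp branch), clamp to the wire limit,
 * and only then narrow. Returns -1 on invalid input.
 */
int fragment_len_checked(size_t len, size_t offset)
{
	size_t remaining;

	if (offset > len)
		return -1;
	remaining = len - offset;
	if (remaining > MAX_DATA_LEN)
		remaining = MAX_DATA_LEN;
	return (int)remaining;		/* <= MAX_DATA_LEN, so it fits a uint8_t */
}

/*
 * Pitfall 2 (gatt-server.c): "mtu - 1" with an MTU of 0. Widening mtu to
 * size_t is not enough on its own: the subtraction wraps to SIZE_MAX and
 * MIN() then hands back the whole value length.
 */
size_t rsp_len_unguarded(size_t mtu, size_t value_len)
{
	size_t limit = mtu - 1;			/* SIZE_MAX when mtu == 0 */
	return limit < value_len ? limit : value_len;
}

/* With the guard the series adds; -1 means no response can be sent. */
long rsp_len_guarded(size_t mtu, size_t value_len)
{
	if (mtu <= 1)
		return -1;
	return (long)(mtu - 1 < value_len ? mtu - 1 : value_len);
}

/*
 * Pitfall 3 (ringbuf.c): an always-true guard. In "len - end > 0" the signed
 * len is converted to size_t, so the difference is never negative and the
 * test fails only when len == end. The corrected comparison must also reject
 * a negative len (what vsnprintf returns on error), which a bare cast would
 * turn into a huge value.
 */
bool remainder_check_buggy(int len, size_t end)
{
	return len - end > 0;			/* true for every len != end */
}

bool remainder_check_fixed(int len, size_t end)
{
	if (len < 0)
		return false;
	return (size_t)len > end;
}

/* Scratch destination so the copy can be checked without a real ring buffer. */
char scratch[32];

/* Copies the part of str beyond `end`, bounded by the destination size. */
size_t copy_remainder(char *dst, size_t dst_len, const char *str, int len, size_t end)
{
	size_t n;

	if (!remainder_check_fixed(len, end))
		return 0;
	n = (size_t)len - end;
	if (n > dst_len)
		n = dst_len;
	memcpy(dst, str + end, n);
	return n;
}

int main(void)
{
	printf("narrow(300, 0) = %d, checked(300, 0) = %d\n",
	       fragment_len_narrow(300, 0), fragment_len_checked(300, 0));
	printf("unguarded(mtu 0, 100) = %zu, guarded(mtu 0, 100) = %ld\n",
	       rsp_len_unguarded(0, 100), rsp_len_guarded(0, 100));
	printf("buggy(3, 5) = %d, fixed(3, 5) = %d\n",
	       remainder_check_buggy(3, 5), remainder_check_fixed(3, 5));
	return 0;
}
```

The checked forms share one shape: do the arithmetic in the widest type involved, reject inputs that would wrap before subtracting, clamp to the protocol limit, and narrow only at the point where the value is written into the wire field. That is also what a reviewer should look for in each of the hunks above, since changing a variable's type silences the analyzer without on its own establishing the bound.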