From patchwork Tue Jul 9 12:00:28 2024
X-Patchwork-Submitter: Roman Smirnov
X-Patchwork-Id: 13727741
From: Roman Smirnov
CC: Roman Smirnov
Subject: [PATCH BlueZ v1 1/4] health: mcap: add checks for NULL mcap_notify_error()
Date: Tue, 9 Jul 2024 15:00:28 +0300
Message-ID: <20240709120031.105038-2-r.smirnov@omp.ru>
In-Reply-To: <20240709120031.105038-1-r.smirnov@omp.ru>
References: <20240709120031.105038-1-r.smirnov@omp.ru>
X-Mailing-List: linux-bluetooth@vger.kernel.org
X-KSE-Antivirus-Info: Clean, bases: 7/9/2024 11:26:00 AM X-KSE-Attachment-Filter-Triggered-Rules: Clean X-KSE-Attachment-Filter-Triggered-Filters: Clean X-KSE-BulkMessagesFiltering-Scan-Result: InTheLimit It is necessary to prevent dereferencing of NULL pointers. Found with the SVACE static analysis tool. --- profiles/health/mcap.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/profiles/health/mcap.c b/profiles/health/mcap.c index 7eceaa88a..2e4214a69 100644 --- a/profiles/health/mcap.c +++ b/profiles/health/mcap.c @@ -336,6 +336,9 @@ static void mcap_notify_error(struct mcap_mcl *mcl, GError *err) case MCAP_MD_CREATE_MDL_REQ: st = MDL_WAITING; l = g_slist_find_custom(mcl->mdls, &st, cmp_mdl_state); + if (!l) + return; + mdl = l->data; mcl->mdls = g_slist_remove(mcl->mdls, mdl); mcap_mdl_unref(mdl); @@ -345,6 +348,9 @@ static void mcap_notify_error(struct mcap_mcl *mcl, GError *err) case MCAP_MD_ABORT_MDL_REQ: st = MDL_WAITING; l = g_slist_find_custom(mcl->mdls, &st, cmp_mdl_state); + if (!l) + return; + shutdown_mdl(l->data); update_mcl_state(mcl); con->cb.notify(err, con->user_data); 
@@ -362,6 +368,9 @@ static void mcap_notify_error(struct mcap_mcl *mcl, GError *err) case MCAP_MD_RECONNECT_MDL_REQ: st = MDL_WAITING; l = g_slist_find_custom(mcl->mdls, &st, cmp_mdl_state); + if (!l) + return; + shutdown_mdl(l->data); update_mcl_state(mcl); con->cb.op(NULL, err, con->user_data); From patchwork Tue Jul 9 12:00:29 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Roman Smirnov X-Patchwork-Id: 13727742 Received: from mx01.omp.ru (mx01.omp.ru [90.154.21.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 940A6156F45 for ; Tue, 9 Jul 2024 12:01:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=90.154.21.10 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720526486; cv=none; b=AnqGW61AyDjtm6r4pzhc9A5GEdDVLPo3P9YznrngmWFxSvNehnaK6eTi9jPO2r4FggUQLHTBYq5QaUJ1G7uZ1iSBs+FqeemApLN7C/7LvfprM4ancvbcO4WabSOKoJLQbk7NaObL3tg2OUJevmYDzw+ufxwbbWLhnt6D1cHrzU0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720526486; c=relaxed/simple; bh=0ejBL7ZSc7gA/IcHRXJCCK5EfVVRFcFEnRVWsUP1gqk=; h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=uY1AqUzaUizV8XpZpS38lokw0Z4JkRMwKPu8R/3uB1W3GohHxcRgmo1xtGgWIZZ9fPzmwfrmEQ6k+QrsPvWFk/YpBb3mWVlB+ALEXg5jiiH5sbO6LYUcD898dX2wuLdRjlwG2sfJftf/rEAO+hVgKRHDyqcS6qjbvE2Z9CDg6A0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=omp.ru; spf=pass smtp.mailfrom=omp.ru; arc=none smtp.client-ip=90.154.21.10 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=omp.ru Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=omp.ru Received: from inp1wst083.omp.ru (81.22.207.138) by msexch01.omp.ru (10.188.4.12) with Microsoft SMTP Server 
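Review bot: in the MCAP_MD_ABORT_MDL_REQ case of mcap_notify_error() the new early return also skips update_mcl_state(mcl) and con->cb.notify(err, con->user_data), so when no MDL is in MDL_WAITING the caller that issued the abort is never told about the error. Guard only the dereference, for example if (l) shutdown_mdl(l->data);, and let the state update and the callback run as before.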
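Review bot: the return added to the MCAP_MD_RECONNECT_MDL_REQ case drops con->cb.op(NULL, err, con->user_data) along with the dereference, so a reconnect that fails while no MDL is waiting completes without its operation callback ever firing. The commit message does not say whether an empty search result is reachable here; if it is, keep the callback and skip only shutdown_mdl(l->data), and if it is not, say so in the message.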
From: Roman Smirnov
CC: Roman Smirnov
Subject: [PATCH BlueZ v1 2/4] shared: prevent dereferencing of NULL pointers
Date: Tue, 9 Jul 2024 15:00:29 +0300
Message-ID: <20240709120031.105038-3-r.smirnov@omp.ru>
In-Reply-To: <20240709120031.105038-1-r.smirnov@omp.ru>
References: <20240709120031.105038-1-r.smirnov@omp.ru>
X-Mailing-List: linux-bluetooth@vger.kernel.org
X-KSE-Attachment-Filter-Triggered-Rules: Clean X-KSE-Attachment-Filter-Triggered-Filters: Clean X-KSE-BulkMessagesFiltering-Scan-Result: InTheLimit It is necessary to add checks for NULL before dereferencing pointers. Found with the SVACE static analysis tool. --- src/shared/micp.c | 4 ++++ src/shared/vcp.c | 12 ++++++++++++ 2 files changed, 16 insertions(+) diff --git a/src/shared/micp.c b/src/shared/micp.c index b82bd92de..1c34e9d00 100644 --- a/src/shared/micp.c +++ b/src/shared/micp.c @@ -398,6 +398,10 @@ static void mics_mute_write(struct gatt_db_attribute *attrib, } micp_op = iov_pull_mem(&iov, sizeof(*micp_op)); + if (!micp_op) { + DBG(micp, "iov_pull_mem() returned NULL"); + goto respond; + } if ((*micp_op == MICS_DISABLED) || (*micp_op != MICS_NOT_MUTED && *micp_op != MICS_MUTED)) { diff --git a/src/shared/vcp.c b/src/shared/vcp.c index 06264a241..602d46dc1 100644 --- a/src/shared/vcp.c +++ b/src/shared/vcp.c @@ -925,6 +925,10 @@ static void vcs_cp_write(struct gatt_db_attribute *attrib, } vcp_op = iov_pull_mem(&iov, sizeof(*vcp_op)); + if (!vcp_op) { + DBG(vcp, "iov_pull_mem() returned NULL"); + goto respond; + } for (handler = vcp_handlers; handler && handler->str; handler++) { if (handler->op != *vcp_op) @@ -985,6 +989,10 @@ static void vocs_cp_write(struct gatt_db_attribute *attrib, } vcp_op = iov_pull_mem(&iov, sizeof(*vcp_op)); + if (!vcp_op) { + DBG(vcp, "iov_pull_mem() returned NULL"); + goto respond; + } for (handler = vocp_handlers; handler && handler->str; handler++) { if (handler->op != *vcp_op) 
@@ -1517,6 +1525,10 @@ static void aics_ip_cp_write(struct gatt_db_attribute *attrib, } aics_op = iov_pull_mem(&iov, sizeof(*aics_op)); + if (!aics_op) { + DBG(vcp, "iov_pull_mem() returned NULL"); + goto respond; + } for (handler = aics_handlers; handler && handler->str; handler++) { if (handler->op != *aics_op) From patchwork Tue Jul 9 12:00:30 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Roman Smirnov X-Patchwork-Id: 13727743 Received: from mx01.omp.ru (mx01.omp.ru [90.154.21.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4D7F6156F57 for ; Tue, 9 Jul 2024 12:01:26 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=90.154.21.10 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720526489; cv=none; b=MrRZgNZEHVu6jAXvXvoH/3ZVhn2I/9d9Lek2aDJioN5zXo99DOrceN9PrgBuTChoHPuykrwp6NOA6m8JJERaaarJM6TJgT7Hu46iJML8GFjb/p3llMy3ne3ZpvY/MFwc396ZfIC7ABBuM/xy4BtfVsqiH2b6cYGr4tSvDu/Zz2s= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720526489; c=relaxed/simple; bh=HUEy3qOqz91dePXjcyS+BmDbgbNbaqYucwriaoy8zBc=; h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=FN/Pm7C169S7JTjytZBxJmQ12OCG0yTwuaOd4qAQAZFcmssRNz22Cm+oFG4eETKMxipGzuHuPvkk75i/CTGhTH1Yl/mAJjfn9eaXCkuBdZuGqSsFgNv3qMPe1mIYbr2sUNl39HSj83DFwaYWJ8LYvbWidFSllGyNIkTSunLDxQs= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=omp.ru; spf=pass smtp.mailfrom=omp.ru; arc=none smtp.client-ip=90.154.21.10 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=omp.ru Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=omp.ru Received: from inp1wst083.omp.ru (81.22.207.138) by msexch01.omp.ru (10.188.4.12) with 
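Review bot: the new branch in mics_mute_write() (src/shared/micp.c) jumps to respond without assigning a response code, and the three vcp.c hunks repeat the same pattern. If the status variable still holds its initial value at that point, the peer's write is acknowledged as successful even though no opcode was read. Set an ATT error before the goto; BT_ATT_ERROR_INVALID_ATTRIBUTE_VALUE_LEN fits a write that is too short to contain the opcode.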
From: Roman Smirnov
CC: Roman Smirnov
Subject: [PATCH BlueZ v1 3/4] settings: limit the string size in load_service()
Date: Tue, 9 Jul 2024 15:00:30 +0300
Message-ID: <20240709120031.105038-4-r.smirnov@omp.ru>
In-Reply-To: <20240709120031.105038-1-r.smirnov@omp.ru>
References: <20240709120031.105038-1-r.smirnov@omp.ru>
X-Mailing-List: linux-bluetooth@vger.kernel.org
X-KSE-Antivirus-Info: Clean, bases: 7/9/2024 11:26:00 AM X-KSE-Attachment-Filter-Triggered-Rules: Clean X-KSE-Attachment-Filter-Triggered-Filters: Clean X-KSE-BulkMessagesFiltering-Scan-Result: InTheLimit Calculate the length of the first string and use it to create a pattern. The pattern will limit the maximum length of the string, which will prevent the buffer from overflowing. Found with the SVACE static analysis tool. --- src/settings.c | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/src/settings.c b/src/settings.c index b61e694f1..4eccf0b4e 100644 --- a/src/settings.c +++ b/src/settings.c 
@@ -187,13 +187,30 @@ static int load_service(struct gatt_db *db, char *handle, char *value) char type[MAX_LEN_UUID_STR], uuid_str[MAX_LEN_UUID_STR]; bt_uuid_t uuid; bool primary; + char pattern[16]; + char *colon_pos; + size_t len; if (sscanf(handle, "%04hx", &start) != 1) { DBG("Failed to parse handle: %s", handle); return -EIO; } - if (sscanf(value, "%[^:]:%04hx:%36s", type, &end, uuid_str) != 3) { + colon_pos = memchr(value, ':', MAX_LEN_UUID_STR); + if (!colon_pos) { + DBG("Failed to parse value: %s", value); + return -EIO; + } + + len = colon_pos - value; + if (!len) { + DBG("Failed to parse value: %s", value); + return -EIO; + } + + snprintf(pattern, sizeof(pattern), "%%%lds:%%04hx:%%36s", len); + + if (sscanf(value, pattern, type, &end, uuid_str) != 3) { DBG("Failed to parse value: %s", value); return -EIO; } From patchwork Tue Jul 9 12:00:31 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Roman Smirnov X-Patchwork-Id: 13727744 Received: from mx01.omp.ru (mx01.omp.ru [90.154.21.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CF794156F45 for ; Tue, 9 Jul 2024 12:01:29 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=90.154.21.10 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720526492; cv=none; b=rGaX8hYigy+LAJR2U6s9RlgSNX1EmOVuMJQ9Z35sssmanPUY+Hw/7vKglWe+TwQ27wOt6tu7EFveUf6KpG4SgjBlwuWwHKFy/TMMHennbVqyTUCu8pGPbIqNtlVZYgtMe8985shPlK1SDdNBMt4l5qtKNuZswZw4p3Uw0sb3mKk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720526492; c=relaxed/simple; bh=jj0sCFH9IV8V2a3JAg79nc0POFH0ZjPwlbhUxzAuvr0=; h=From:To:CC:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; 
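Review bot: memchr(value, ':', MAX_LEN_UUID_STR) in load_service() scans a fixed number of bytes regardless of how long value actually is, so a short value with no colon is read past its terminating NUL. Use strchr(value, ':') and reject the entry when colon_pos - value >= sizeof(type). Two smaller points in the same block: len is a size_t but is formatted with %ld (use %zu), and %s stops at whitespace where the old %[^:] stopped only at ':', so the set of accepted inputs changes. A fixed field width on the original scanset, in the way %36s already bounds uuid_str, would limit type without building a format string at run time.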
From: Roman Smirnov
CC: Roman Smirnov
Subject: [PATCH BlueZ v1 4/4] settings: limit the number of chars to be read in gatt_db_load()
Date: Tue, 9 Jul 2024 15:00:31 +0300
Message-ID: <20240709120031.105038-5-r.smirnov@omp.ru>
In-Reply-To: <20240709120031.105038-1-r.smirnov@omp.ru>
References: <20240709120031.105038-1-r.smirnov@omp.ru>
X-Mailing-List: linux-bluetooth@vger.kernel.org
X-KSE-Attachment-Filter-Triggered-Rules: Clean X-KSE-Attachment-Filter-Triggered-Filters: Clean X-KSE-BulkMessagesFiltering-Scan-Result: InTheLimit It is necessary to limit the string length to prevent buffer overflow. Find the string length, write it to the pattern and use it for limiting. Found with the SVACE static analysis tool. --- src/settings.c | 39 +++++++++++++++++++++++++++++++++++++-- 1 file changed, 37 insertions(+), 2 deletions(-) diff --git a/src/settings.c b/src/settings.c index 4eccf0b4e..dcfbc5601 100644 --- a/src/settings.c +++ b/src/settings.c @@ -243,13 +243,32 @@ static int gatt_db_load(struct gatt_db *db, GKeyFile *key_file, char **keys) struct gatt_db_attribute *current_service; char **handle, *value, type[MAX_LEN_UUID_STR]; int ret; + char pattern[6]; + char *colon_pos; + size_t len; /* first load service definitions */ for (handle = keys; *handle; handle++) { value = g_key_file_get_string(key_file, "Attributes", *handle, NULL); + if (!value) + return -EIO; + + colon_pos = memchr(value, ':', MAX_LEN_UUID_STR); + if (!colon_pos) { + g_free(value); + return -EIO; + } + + len = colon_pos - value; + if (!len) { + g_free(value); + return -EIO; + } - if (!value || sscanf(value, "%[^:]:", type) != 1) { + snprintf(pattern, sizeof(pattern), "%%%lds:", len); + + if (sscanf(value, pattern, type) != 1) { g_free(value); return -EIO; } @@ -271,8 +290,24 @@ static int gatt_db_load(struct gatt_db *db, GKeyFile *key_file, char **keys) for (handle = keys; *handle; handle++) { value = g_key_file_get_string(key_file, "Attributes", *handle, NULL); + if (!value) + return -EIO; + + colon_pos = memchr(value, ':', MAX_LEN_UUID_STR); + if (!colon_pos) { + g_free(value); + return -EIO; + } + + len = colon_pos - value; + if (!len) { + g_free(value); + return -EIO; + } + + snprintf(pattern, sizeof(pattern), "%%%lds:", len); - if (!value || sscanf(value, "%[^:]:", type) != 1) { + if (sscanf(value, pattern, type) != 1) { g_free(value); return -EIO; }
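Review bot: pattern[6] in the first loop of gatt_db_load() has room for '%', two digits, "s:" and the terminator and nothing more, and the snprintf() result is not checked, so the format is only complete while MAX_LEN_UUID_STR keeps len to two digits. Either check that snprintf() returned less than sizeof(pattern) and fail with -EIO otherwise, or drop the run-time format and put a constant field width on the original "%[^:]:" conversion.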
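Review bot: the second loop of gatt_db_load() repeats the first loop's memchr/len/snprintf/sscanf block line for line. Move it into one static helper that takes value and type and returns 0 or -EIO, so that a later correction to the parsing (the memchr bound, for instance) cannot land in one copy and miss the other.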