[BlueZ,2/7] tools: Fix buffer overflow in hciattach_tialt.c

Message ID	20220401074640.3956695-3-i.kamaletdinov@omp.ru
State	New
Headers	show Return-Path: <linux-bluetooth-owner@kernel.org> From: Ildar Kamaletdinov <i.kamaletdinov@omp.ru> To: <linux-bluetooth@vger.kernel.org> CC: Ildar Kamaletdinov <i.kamaletdinov@omp.ru> Subject: [PATCH BlueZ 2/7] tools: Fix buffer overflow in hciattach_tialt.c Date: Fri, 1 Apr 2022 10:46:35 +0300 Message-ID: <20220401074640.3956695-3-i.kamaletdinov@omp.ru> In-Reply-To: <20220401074640.3956695-1-i.kamaletdinov@omp.ru> References: <20220401074640.3956695-1-i.kamaletdinov@omp.ru> MIME-Version: 1.0 Content-Transfer-Encoding: 7BIT Content-Type: text/plain; charset=US-ASCII Precedence: bulk
Series	Fix bugs found by SVACE static analisys tool \| expand [BlueZ,0/7] Fix bugs found by SVACE static analisys tool [BlueZ,1/7] monitor: Fix out-of-bound read in print_le_states [BlueZ,2/7] tools: Fix buffer overflow in hciattach_tialt.c [BlueZ,3/7] tools: Fix signed interger overflow in btsnoop.c [BlueZ,4/7] tools: Prevent infinity loops in bluemoon.c [BlueZ,5/7] tools: Limit width of fields in sscanf [BlueZ,6/7] device: Limit width of fields in sscanf [BlueZ,7/7] gatt: Fix double free and freed memory dereference

Message ID

20220401074640.3956695-3-i.kamaletdinov@omp.ru

State

New

Headers

From: Ildar Kamaletdinov <i.kamaletdinov@omp.ru>
To: <linux-bluetooth@vger.kernel.org>
CC: Ildar Kamaletdinov <i.kamaletdinov@omp.ru>
Subject: [PATCH BlueZ 2/7] tools: Fix buffer overflow in hciattach_tialt.c
Date: Fri, 1 Apr 2022 10:46:35 +0300
Message-ID: <20220401074640.3956695-3-i.kamaletdinov@omp.ru>
In-Reply-To: <20220401074640.3956695-1-i.kamaletdinov@omp.ru>
References: <20220401074640.3956695-1-i.kamaletdinov@omp.ru>
MIME-Version: 1.0
Content-Transfer-Encoding: 7BIT
Content-Type: text/plain; charset=US-ASCII
Precedence: bulk

Series

Fix bugs found by SVACE static analisys tool | expand

Commit Message

Ildar Kamaletdinov April 1, 2022, 7:46 a.m. UTC

Array 'c_brf_chip' of size 8 could be accessed by index > 7. We should
limit array access like in previous check at line 221.

Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool.
---
 tools/hciattach_tialt.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tools/hciattach_tialt.c b/tools/hciattach_tialt.c
index 520b383a1..4f7fd42a3 100644
--- a/tools/hciattach_tialt.c
+++ b/tools/hciattach_tialt.c
@@ -221,7 +221,8 @@  int texasalt_init(int fd, int speed, struct termios *ti)
 				((brf_chip > 7) ? "unknown" : c_brf_chip[brf_chip]),
 				brf_chip);
 
-		sprintf(fw, "/etc/firmware/%s.bin", c_brf_chip[brf_chip]);
+		sprintf(fw, "/etc/firmware/%s.bin",
+			(brf_chip > 7) ? "unknown" : c_brf_chip[brf_chip]);
 		texas_load_firmware(fd, fw);
 
 		texas_change_speed(fd, speed);

[BlueZ,2/7] tools: Fix buffer overflow in hciattach_tialt.c

Commit Message

Patch