[BlueZ,2/9] mgmt-tester: Fix buffer overrun

Message ID	20240530150057.444585-3-hadess@hadess.net
State	New
Headers	show Received: from relay7-d.mail.gandi.net (relay7-d.mail.gandi.net [217.70.183.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2DC2D1E532 for <linux-bluetooth@vger.kernel.org>; Thu, 30 May 2024 15:00:59 +0000 (UTC) From: Bastien Nocera <hadess@hadess.net> To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera <hadess@hadess.net> Subject: [BlueZ 2/9] mgmt-tester: Fix buffer overrun Date: Thu, 30 May 2024 16:57:56 +0200 Message-ID: <20240530150057.444585-3-hadess@hadess.net> In-Reply-To: <20240530150057.444585-1-hadess@hadess.net> References: <20240530150057.444585-1-hadess@hadess.net> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	Fix a number of static analysis issues #3 \| expand [BlueZ,0/9] Fix a number of static analysis issues #3 [BlueZ,1/9] rctest: Fix possible overrun [BlueZ,2/9] mgmt-tester: Fix buffer overrun [BlueZ,3/9] l2test: Add missing error checking [BlueZ,4/9] rfkill: Avoid using a signed int for an unsigned variable [BlueZ,5/9] shared/mainloop: Fix integer overflow [BlueZ,6/9] sdp: Fix ineffective error guard [BlueZ,7/9] obexd: Fix buffer overrun [BlueZ,8/9] bap: Fix more memory leaks on error [BlueZ,9/9] avdtp: Fix manipulating struct as an array

Message ID

20240530150057.444585-3-hadess@hadess.net

State

New

Headers

From: Bastien Nocera <hadess@hadess.net>
To: linux-bluetooth@vger.kernel.org
Cc: Bastien Nocera <hadess@hadess.net>
Subject: [BlueZ 2/9] mgmt-tester: Fix buffer overrun
Date: Thu, 30 May 2024 16:57:56 +0200
Message-ID: <20240530150057.444585-3-hadess@hadess.net>
In-Reply-To: <20240530150057.444585-1-hadess@hadess.net>
References: <20240530150057.444585-1-hadess@hadess.net>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

Fix a number of static analysis issues #3 | expand

Commit Message

Bastien Nocera May 30, 2024, 2:57 p.m. UTC

Error: OVERRUN (CWE-119): [#def56] [important]
bluez-5.76/tools/mgmt-tester.c:12667:2: identity_transfer: Passing "512UL" as argument 3 to function "vhci_read_devcd", which returns that argument.
bluez-5.76/tools/mgmt-tester.c:12667:2: assignment: Assigning: "read" = "vhci_read_devcd(vhci, buf, 512UL)". The value of "read" is now 512.
bluez-5.76/tools/mgmt-tester.c:12674:2: overrun-local: Overrunning array "buf" of 513 bytes at byte offset 513 using index "read + 1" (which evaluates to 513).
12672|		}
12673|		/* Make sure buf is nul-terminated */
12674|->	buf[read + 1] = '\0';
12675|
12676|		/* Verify if all devcoredump header fields are present */

Fixes: 49d06560692f ("mgmt-tester: Fix non-nul-terminated string")
---
 tools/mgmt-tester.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/mgmt-tester.c b/tools/mgmt-tester.c
index 8076ec105ebb..1d5c82ae0745 100644
--- a/tools/mgmt-tester.c
+++ b/tools/mgmt-tester.c
@@ -12671,7 +12671,7 @@  static void verify_devcd(void *user_data)
 		return;
 	}
 	/* Make sure buf is nul-terminated */
-	buf[read + 1] = '\0';
+	buf[read] = '\0';
 
 	/* Verify if all devcoredump header fields are present */
 	line = strtok_r(buf, delim, &saveptr);

[BlueZ,2/9] mgmt-tester: Fix buffer overrun

Commit Message

Patch