diff mbox series

[3/9] mesh: Avoid accessing array out-of-bounds

Message ID 20240702084900.773620-4-hadess@hadess.net
State Superseded
Series Fix a number of static analysis issues #4

Commit Message

Bastien Nocera July 2, 2024, 8:47 a.m. UTC
We would boundary check the expected_pdu_size array based on the value
of type, but would still access it out-of-bounds for the debug message.
Split off the invalid type check into its own message to avoid this.

Error: OVERRUN (CWE-119): [#def23] [important]
bluez-5.76/mesh/prov-initiator.c:676:2: cond_at_least: Checking "type >= 10UL" implies that "type" is at least 10 on the true branch.
bluez-5.76/mesh/prov-initiator.c:678:3: overrun-local: Overrunning array "expected_pdu_size" of 10 2-byte elements at element index 10 (byte offset 21) using index "type" (which evaluates to 10).
676|	if (type >= L_ARRAY_SIZE(expected_pdu_size) ||
677|					len != expected_pdu_size[type]) {
678|->		l_error("Expected PDU size %d, Got %d (type: %2.2x)",
679|			expected_pdu_size[type], len, type);
680|		fail_code[1] = PROV_ERR_INVALID_FORMAT;
---
 mesh/prov-initiator.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
Patch

diff --git a/mesh/prov-initiator.c b/mesh/prov-initiator.c
index 653f3ae3e1c2..e353d23865ef 100644
--- a/mesh/prov-initiator.c
+++ b/mesh/prov-initiator.c
@@ -673,8 +673,13 @@  static void int_prov_rx(void *user_data, const void *dptr, uint16_t len)
 		goto failure;
 	}
 
-	if (type >= L_ARRAY_SIZE(expected_pdu_size) ||
-					len != expected_pdu_size[type]) {
+	if (type >= L_ARRAY_SIZE(expected_pdu_size)) {
+		l_error("Invalid PDU type %2.2x", type);
+		fail_code[1] = PROV_ERR_INVALID_FORMAT;
+		goto failure;
+	}
+
+	if (len != expected_pdu_size[type]) {
 		l_error("Expected PDU size %d, Got %d (type: %2.2x)",
 			expected_pdu_size[type], len, type);
 		fail_code[1] = PROV_ERR_INVALID_FORMAT;
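Review bot: the split is sound because the original `||` condition already short-circuited, so the only out-of-bounds read was the `expected_pdu_size[type]` argument passed to `l_error()` in the body; with the unrecognized-type case moved into its own `if (type >= L_ARRAY_SIZE(expected_pdu_size))` branch that read is gone, and `len != expected_pdu_size[type]` is now only evaluated with an in-range index. Both branches still set `fail_code[1] = PROV_ERR_INVALID_FORMAT;` and `goto failure;`, so the failure path is unchanged. One thing to check while the type-only branch exists: if prov.h distinguishes an unrecognized PDU type from a wrong length or argument, the new branch is the place to use that more specific code rather than reusing PROV_ERR_INVALID_FORMAT for both. Note also that the hunk as shown is cut off after the second branch's `fail_code[1] = PROV_ERR_INVALID_FORMAT;`, so its trailing context (the `goto failure;` and closing brace) is not visible here.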