diff mbox series

[BlueZ,v2,09/11] mesh: Fix integer overflow due to cast operation

Message ID 20240705085935.1255725-10-hadess@hadess.net
State New
Headers show
Series Fix a number of static analysis issues #5 | expand

Commit Message

Bastien Nocera July 5, 2024, 8:57 a.m. UTC
Error: INTEGER_OVERFLOW (CWE-190): [#def15] [important]
bluez-5.76/mesh/pb-adv.c:174:4: cast_overflow: Truncation due to cast operation on "size - consumed" from 32 to 8 bits.
bluez-5.76/mesh/pb-adv.c:174:4: overflow_assign: "seg_size" is assigned from "size - consumed".
bluez-5.76/mesh/pb-adv.c:177:3: overflow_sink: "seg_size", which might have overflowed, is passed to "memcpy(buf + 7, data + consumed, seg_size)". [Note: The source code implementation of the function has been overridden by a builtin model.]
175|
176|		buf[6] = (i << 2) | 0x02;
177|->		memcpy(buf + 7, data + consumed, seg_size);
178|
179|		pb_adv_send(session, MESH_IO_TX_COUNT_UNLIMITED, 500,

Error: INTEGER_OVERFLOW (CWE-190): [#def16] [important]
bluez-5.76/mesh/pb-adv.c:179:3: cast_overflow: Truncation due to cast operation on "seg_size + 7" from 32 to 16 bits.
bluez-5.76/mesh/pb-adv.c:179:3: overflow_sink: "seg_size + 7", which might have overflowed, is passed to "pb_adv_send(session, 0, 500, buf, seg_size + 7)".
177|		memcpy(buf + 7, data + consumed, seg_size);
178|
179|->		pb_adv_send(session, MESH_IO_TX_COUNT_UNLIMITED, 500,
180|							buf, seg_size + 7);
---
 mesh/pb-adv.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff mbox series

Patch

diff --git a/mesh/pb-adv.c b/mesh/pb-adv.c
index 385d81d65731..7a1dd87dc210 100644
--- a/mesh/pb-adv.c
+++ b/mesh/pb-adv.c
@@ -166,7 +166,7 @@  static void send_adv_segs(struct pb_adv_session *session, const uint8_t *data,
 	consumed = init_size;
 
 	for (i = 1; i <= max_seg; i++) {
-		uint8_t seg_size; /* Amount of payload data being sent */
+		size_t seg_size; /* Amount of payload data being sent */
 
 		if (size - consumed > PB_ADV_MTU - 1)
 			seg_size = PB_ADV_MTU - 1;