[BlueZ,3/8] health: mcap: Ensure sent doesn't overflow

Message ID	20240805140840.1606239-4-hadess@hadess.net
State	New
Headers	show Received: from relay7-d.mail.gandi.net (relay7-d.mail.gandi.net [217.70.183.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id EF70280631 for <linux-bluetooth@vger.kernel.org>; Mon, 5 Aug 2024 14:08:43 +0000 (UTC) From: Bastien Nocera <hadess@hadess.net> To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera <hadess@hadess.net> Subject: [BlueZ 3/8] health: mcap: Ensure sent doesn't overflow Date: Mon, 5 Aug 2024 16:06:41 +0200 Message-ID: <20240805140840.1606239-4-hadess@hadess.net> In-Reply-To: <20240805140840.1606239-1-hadess@hadess.net> References: <20240805140840.1606239-1-hadess@hadess.net> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	None \| expand [BlueZ,2/8] tools/isotest: Ensure ret doesn't overflow [BlueZ,3/8] health: mcap: Ensure sent doesn't overflow [BlueZ,5/8] mesh: Fix possible integer overflow [BlueZ,8/8] monitor: Check for possible integer underflow

Message ID

20240805140840.1606239-4-hadess@hadess.net

State

New

Headers

From: Bastien Nocera <hadess@hadess.net>
To: linux-bluetooth@vger.kernel.org
Cc: Bastien Nocera <hadess@hadess.net>
Subject: [BlueZ 3/8] health: mcap: Ensure sent doesn't overflow
Date: Mon,  5 Aug 2024 16:06:41 +0200
Message-ID: <20240805140840.1606239-4-hadess@hadess.net>
In-Reply-To: <20240805140840.1606239-1-hadess@hadess.net>
References: <20240805140840.1606239-1-hadess@hadess.net>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

None | expand

Commit Message

Bastien Nocera Aug. 5, 2024, 2:06 p.m. UTC

Error: INTEGER_OVERFLOW (CWE-190): [#def13] [important]
bluez-5.77/profiles/health/mcap.c:390:2: tainted_data_argument: The check "sent < size" contains the tainted expression "sent" which causes "size" to be considered tainted.
bluez-5.77/profiles/health/mcap.c:391:3: overflow: The expression "size - sent" is deemed overflowed because at least one of its arguments has overflowed.
bluez-5.77/profiles/health/mcap.c:391:3: overflow_sink: "size - sent", which might have underflowed, is passed to "write(sock, buf_b + sent, size - sent)".
389|
390|	while (sent < size) {
391|->		int n = write(sock, buf_b + sent, size - sent);
392|		if (n < 0)
393|			return -1;
---
 profiles/health/mcap.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/profiles/health/mcap.c b/profiles/health/mcap.c
index 2e4214a6984f..b3bf403e74d2 100644
--- a/profiles/health/mcap.c
+++ b/profiles/health/mcap.c
@@ -389,7 +389,7 @@  int mcap_send_data(int sock, const void *buf, uint32_t size)
 
 	while (sent < size) {
 		int n = write(sock, buf_b + sent, size - sent);
-		if (n < 0)
+		if (n < 0 || n > SSIZE_MAX - sent)
 			return -1;
 		sent += n;
 	}

[BlueZ,3/8] health: mcap: Ensure sent doesn't overflow

Commit Message

Patch