diff mbox series

[BlueZ,v2,3/4] settings: limit string size in load_service()

Message ID 20240709143503.12142-4-r.smirnov@omp.ru
State New
Headers show
Series fix errors found by SVACE static analyzer #3 | expand

Commit Message

Roman Smirnov July 9, 2024, 2:35 p.m. UTC 
It is necessary to prevent buffer overflow by limiting
the maximum string length.

Found with the SVACE static analysis tool.
---
 V1 -> V2: use "%36s[^:]" instead of calculating the string length
 src/settings.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff mbox series

Patch

diff --git a/src/settings.c b/src/settings.c
index b61e694f1..643a083db 100644
--- a/src/settings.c
+++ b/src/settings.c
@@ -193,7 +193,7 @@  static int load_service(struct gatt_db *db, char *handle, char *value)
 		return -EIO;
 	}
 
-	if (sscanf(value, "%[^:]:%04hx:%36s", type, &end, uuid_str) != 3) {
+	if (sscanf(value, "%36[^:]:%04hx:%36s", type, &end, uuid_str) != 3) {
 		DBG("Failed to parse value: %s", value);
 		return -EIO;
 	}