From patchwork Fri Apr 1 07:46:34 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ildar Kamaletdinov X-Patchwork-Id: 556079 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id D32E9C433FE for ; Fri, 1 Apr 2022 07:52:53 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344014AbiDAHyl (ORCPT ); Fri, 1 Apr 2022 03:54:41 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40480 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S245562AbiDAHyj (ORCPT ); Fri, 1 Apr 2022 03:54:39 -0400 Received: from mxout02.lancloud.ru (mxout02.lancloud.ru [45.84.86.82]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AF2CF26240E for ; Fri, 1 Apr 2022 00:52:50 -0700 (PDT) Received: from LanCloud DKIM-Filter: OpenDKIM Filter v2.11.0 mxout02.lancloud.ru B479622C62A9 Received: from LanCloud Received: from LanCloud Received: from LanCloud From: Ildar Kamaletdinov To: CC: Ildar Kamaletdinov Subject: [PATCH BlueZ 1/7] monitor: Fix out-of-bound read in print_le_states Date: Fri, 1 Apr 2022 10:46:34 +0300 Message-ID: <20220401074640.3956695-2-i.kamaletdinov@omp.ru> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220401074640.3956695-1-i.kamaletdinov@omp.ru> References: <20220401074640.3956695-1-i.kamaletdinov@omp.ru> MIME-Version: 1.0 X-Originating-IP: [192.168.11.198] X-ClientProxiedBy: LFEXT02.lancloud.ru (fd00:f066::142) To LFEX1910.lancloud.ru (fd00:f066::80) Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org Accessing le_states_desc_table array with value 15 can cause out-of-bound read because current size of array is 14. Currently this cannot lead to any problems becase we do no have such state in le_states_comb_table but this could be changed in future and raise described problem. Found by Linux Verification Center (linuxtesting.org) with the SVACE static analysis tool. --- monitor/packet.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/monitor/packet.c b/monitor/packet.c index b7431b57d..c61d6bd4b 100644 --- a/monitor/packet.c +++ b/monitor/packet.c @@ -2833,7 +2833,7 @@ static void print_le_states(const uint8_t *states_array) if (!(states & val)) continue; - for (n = 0; n < 16; n++) { + for (n = 0; n < ARRAY_SIZE(le_states_desc_table); n++) { if (le_states_comb_table[i].states & (1 << n)) str[num++] = le_states_desc_table[n].str; } From patchwork Fri Apr 1 07:46:35 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ildar Kamaletdinov X-Patchwork-Id: 556081 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id D542AC433F5 for ; Fri, 1 Apr 2022 07:46:58 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1343954AbiDAHsp (ORCPT ); Fri, 1 Apr 2022 03:48:45 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51156 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1343946AbiDAHso (ORCPT ); Fri, 1 Apr 2022 03:48:44 -0400 Received: from mxout04.lancloud.ru (mxout04.lancloud.ru [45.84.86.114]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4E9C425F655 for ; Fri, 1 Apr 2022 00:46:51 -0700 (PDT) Received: from LanCloud DKIM-Filter: OpenDKIM Filter v2.11.0 mxout04.lancloud.ru 0E1C520C1DE4 Received: from LanCloud Received: from LanCloud Received: from LanCloud From: Ildar Kamaletdinov To: CC: Ildar Kamaletdinov Subject: [PATCH BlueZ 2/7] tools: Fix buffer overflow in hciattach_tialt.c Date: Fri, 1 Apr 2022 10:46:35 +0300 Message-ID: <20220401074640.3956695-3-i.kamaletdinov@omp.ru> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220401074640.3956695-1-i.kamaletdinov@omp.ru> References: <20220401074640.3956695-1-i.kamaletdinov@omp.ru> MIME-Version: 1.0 X-Originating-IP: [192.168.11.198] X-ClientProxiedBy: LFEXT02.lancloud.ru (fd00:f066::142) To LFEX1910.lancloud.ru (fd00:f066::80) Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org Array 'c_brf_chip' of size 8 could be accessed by index > 7. We should limit array access like in previous check at line 221. Found by Linux Verification Center (linuxtesting.org) with the SVACE static analysis tool. --- tools/hciattach_tialt.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tools/hciattach_tialt.c b/tools/hciattach_tialt.c index 520b383a1..4f7fd42a3 100644 --- a/tools/hciattach_tialt.c +++ b/tools/hciattach_tialt.c @@ -221,7 +221,8 @@ int texasalt_init(int fd, int speed, struct termios *ti) ((brf_chip > 7) ? "unknown" : c_brf_chip[brf_chip]), brf_chip); - sprintf(fw, "/etc/firmware/%s.bin", c_brf_chip[brf_chip]); + sprintf(fw, "/etc/firmware/%s.bin", + (brf_chip > 7) ? "unknown" : c_brf_chip[brf_chip]); texas_load_firmware(fd, fw); texas_change_speed(fd, speed); From patchwork Fri Apr 1 07:46:36 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ildar Kamaletdinov X-Patchwork-Id: 555640 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 53093C433F5 for ; Fri, 1 Apr 2022 07:52:53 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344003AbiDAHyk (ORCPT ); Fri, 1 Apr 2022 03:54:40 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40478 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S243482AbiDAHyj (ORCPT ); Fri, 1 Apr 2022 03:54:39 -0400 Received: from mxout02.lancloud.ru (mxout02.lancloud.ru [45.84.86.82]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AF14F26240B for ; Fri, 1 Apr 2022 00:52:50 -0700 (PDT) Received: from LanCloud DKIM-Filter: OpenDKIM Filter v2.11.0 mxout02.lancloud.ru 4A8962297C51 Received: from LanCloud Received: from LanCloud Received: from LanCloud From: Ildar Kamaletdinov To: CC: Ildar Kamaletdinov Subject: [PATCH BlueZ 3/7] tools: Fix signed interger overflow in btsnoop.c Date: Fri, 1 Apr 2022 10:46:36 +0300 Message-ID: <20220401074640.3956695-4-i.kamaletdinov@omp.ru> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220401074640.3956695-1-i.kamaletdinov@omp.ru> References: <20220401074640.3956695-1-i.kamaletdinov@omp.ru> MIME-Version: 1.0 X-Originating-IP: [192.168.11.198] X-ClientProxiedBy: LFEXT02.lancloud.ru (fd00:f066::142) To LFEX1910.lancloud.ru (fd00:f066::80) Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org If malformed packet is proceed with zero 'size' field we will face with wrong behaviour of write() call. Value 'toread - 1' gives wrong sign for value 'written' (-1) in write() call. To prevent this we should check that 'toread' is not equal to zero. Found by Linux Verification Center (linuxtesting.org) with the SVACE static analysis tool. --- tools/btsnoop.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/btsnoop.c b/tools/btsnoop.c index 738027dfc..a0d6cf356 100644 --- a/tools/btsnoop.c +++ b/tools/btsnoop.c @@ -193,7 +193,7 @@ next_packet: flags = be32toh(input_pkt[select_input].flags); len = read(input_fd[select_input], buf, toread); - if (len < 0 || len != (ssize_t) toread) { + if (toread == 0 || len < 0 || len != (ssize_t) toread) { close(input_fd[select_input]); input_fd[select_input] = -1; goto next_packet; From patchwork Fri Apr 1 07:46:37 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ildar Kamaletdinov X-Patchwork-Id: 556080 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 77224C433EF for ; Fri, 1 Apr 2022 07:52:53 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344013AbiDAHyl (ORCPT ); Fri, 1 Apr 2022 03:54:41 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40482 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S244056AbiDAHyj (ORCPT ); Fri, 1 Apr 2022 03:54:39 -0400 Received: from mxout02.lancloud.ru (mxout02.lancloud.ru [45.84.86.82]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AF45126240F for ; Fri, 1 Apr 2022 00:52:50 -0700 (PDT) Received: from LanCloud DKIM-Filter: OpenDKIM Filter v2.11.0 mxout02.lancloud.ru 97C1F22C6A20 Received: from LanCloud Received: from LanCloud Received: from LanCloud From: Ildar Kamaletdinov To: CC: Ildar Kamaletdinov Subject: [PATCH BlueZ 4/7] tools: Prevent infinity loops in bluemoon.c Date: Fri, 1 Apr 2022 10:46:37 +0300 Message-ID: <20220401074640.3956695-5-i.kamaletdinov@omp.ru> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220401074640.3956695-1-i.kamaletdinov@omp.ru> References: <20220401074640.3956695-1-i.kamaletdinov@omp.ru> MIME-Version: 1.0 X-Originating-IP: [192.168.11.198] X-ClientProxiedBy: LFEXT02.lancloud.ru (fd00:f066::142) To LFEX1910.lancloud.ru (fd00:f066::80) Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org In case FW size is too big we can face with infinity while() loops. According to C99 standart SIZE_MAX could be as small as 65535. So to prevent overflow of 'firmware_offset' we must limit maximum FW size that could be processed by bluemoon. Found by Linux Verification Center (linuxtesting.org) with the SVACE static analysis tool. --- tools/bluemoon.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/tools/bluemoon.c b/tools/bluemoon.c index f50107a2a..729da36f6 100644 --- a/tools/bluemoon.c +++ b/tools/bluemoon.c @@ -492,6 +492,13 @@ static void request_firmware(const char *path) return; } + if (st.st_size > (SIZE_MAX - 4)) { + fprintf(stderr, "Firmware size is too big\n"); + close(fd); + shutdown_device(); + return; + } + firmware_data = malloc(st.st_size); if (!firmware_data) { fprintf(stderr, "Failed to allocate firmware buffer\n"); @@ -874,6 +881,12 @@ static void analyze_firmware(const char *path) return; } + if (st.st_size > (SIZE_MAX - 3)) { + fprintf(stderr, "Firmware size is too big\n"); + close(fd); + return; + } + firmware_data = malloc(st.st_size); if (!firmware_data) { fprintf(stderr, "Failed to allocate firmware buffer\n"); From patchwork Fri Apr 1 07:46:38 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ildar Kamaletdinov X-Patchwork-Id: 555641 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id E7365C433FE for ; Fri, 1 Apr 2022 07:46:57 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1343950AbiDAHsp (ORCPT ); Fri, 1 Apr 2022 03:48:45 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51160 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1343944AbiDAHso (ORCPT ); Fri, 1 Apr 2022 03:48:44 -0400 Received: from mxout03.lancloud.ru (mxout03.lancloud.ru [45.84.86.113]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D43BF25F659 for ; Fri, 1 Apr 2022 00:46:52 -0700 (PDT) Received: from LanCloud DKIM-Filter: OpenDKIM Filter v2.11.0 mxout03.lancloud.ru E200120A6FA9 Received: from LanCloud Received: from LanCloud Received: from LanCloud From: Ildar Kamaletdinov To: CC: Ildar Kamaletdinov Subject: [PATCH BlueZ 5/7] tools: Limit width of fields in sscanf Date: Fri, 1 Apr 2022 10:46:38 +0300 Message-ID: <20220401074640.3956695-6-i.kamaletdinov@omp.ru> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220401074640.3956695-1-i.kamaletdinov@omp.ru> References: <20220401074640.3956695-1-i.kamaletdinov@omp.ru> MIME-Version: 1.0 X-Originating-IP: [192.168.11.198] X-ClientProxiedBy: LFEXT02.lancloud.ru (fd00:f066::142) To LFEX1910.lancloud.ru (fd00:f066::80) Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org In tools/btmgmt.c and tools/hex2hcd.c few sscanf does not limit width of fields. This could lead to static overflow and stack corruption. Found by Linux Verification Center (linuxtesting.org) with the SVACE static analysis tool. --- tools/btmgmt.c | 2 +- tools/hex2hcd.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/btmgmt.c b/tools/btmgmt.c index 42ef9acef..8f63f12ba 100644 --- a/tools/btmgmt.c +++ b/tools/btmgmt.c @@ -5164,7 +5164,7 @@ static bool str2pattern(struct mgmt_adv_pattern *pattern, const char *str) char pattern_str[62] = { 0 }; char tmp; - if (sscanf(str, "%2hhx%n:%2hhx%n:%s", &pattern->ad_type, &type_len, + if (sscanf(str, "%2hhx%n:%2hhx%n:%61s", &pattern->ad_type, &type_len, &pattern->offset, &offset_end_pos, pattern_str) != 3) return false; diff --git a/tools/hex2hcd.c b/tools/hex2hcd.c index 674d62744..e6dca5a81 100644 --- a/tools/hex2hcd.c +++ b/tools/hex2hcd.c @@ -248,7 +248,7 @@ static void ver_parse_file(const char *pathname) memset(ver, 0, sizeof(*ver)); - if (sscanf(pathname, "%[A-Z0-9]_%3c.%3c.%3c.%4c.%4c.hex", + if (sscanf(pathname, "%19[A-Z0-9]_%3c.%3c.%3c.%4c.%4c.hex", ver->name, ver->major, ver->minor, ver->build, dummy1, dummy2) != 6) { printf("\t/* failed to parse %s */\n", pathname); From patchwork Fri Apr 1 07:46:39 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ildar Kamaletdinov X-Patchwork-Id: 555638 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7F995C4332F for ; Fri, 1 Apr 2022 07:52:54 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344028AbiDAHym (ORCPT ); Fri, 1 Apr 2022 03:54:42 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40492 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S243482AbiDAHyk (ORCPT ); Fri, 1 Apr 2022 03:54:40 -0400 Received: from mxout01.lancloud.ru (mxout01.lancloud.ru [45.84.86.81]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 574E9262410 for ; Fri, 1 Apr 2022 00:52:51 -0700 (PDT) Received: from LanCloud DKIM-Filter: OpenDKIM Filter v2.11.0 mxout01.lancloud.ru 2DEFB20AE68B Received: from LanCloud Received: from LanCloud Received: from LanCloud From: Ildar Kamaletdinov To: CC: Ildar Kamaletdinov Subject: [PATCH BlueZ 6/7] device: Limit width of fields in sscanf Date: Fri, 1 Apr 2022 10:46:39 +0300 Message-ID: <20220401074640.3956695-7-i.kamaletdinov@omp.ru> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220401074640.3956695-1-i.kamaletdinov@omp.ru> References: <20220401074640.3956695-1-i.kamaletdinov@omp.ru> MIME-Version: 1.0 X-Originating-IP: [192.168.11.198] X-ClientProxiedBy: LFEXT02.lancloud.ru (fd00:f066::142) To LFEX1910.lancloud.ru (fd00:f066::80) Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org In src/device.c few sscanf does not limit width of uuid field. This could lead to static overflow and stack corruption. Found by Linux Verification Center (linuxtesting.org) with the SVACE static analysis tool. --- src/device.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/src/device.c b/src/device.c index 381faf91c..9077f07f7 100644 --- a/src/device.c +++ b/src/device.c @@ -3790,8 +3790,8 @@ static int load_desc(char *handle, char *value, return -EIO; /* Check if there is any value stored, otherwise it is just the UUID */ - if (sscanf(value, "%04hx:%s", &val, uuid_str) != 2) { - if (sscanf(value, "%s", uuid_str) != 1) + if (sscanf(value, "%04hx:%36s", &val, uuid_str) != 2) { + if (sscanf(value, "%36s", uuid_str) != 1) return -EIO; val = 0; } @@ -3840,9 +3840,9 @@ static int load_chrc(char *handle, char *value, return -EIO; /* Check if there is any value stored */ - if (sscanf(value, GATT_CHARAC_UUID_STR ":%04hx:%02hx:%32s:%s", + if (sscanf(value, GATT_CHARAC_UUID_STR ":%04hx:%02hx:%32s:%36s", &value_handle, &properties, val_str, uuid_str) != 4) { - if (sscanf(value, GATT_CHARAC_UUID_STR ":%04hx:%02hx:%s", + if (sscanf(value, GATT_CHARAC_UUID_STR ":%04hx:%02hx:%36s", &value_handle, &properties, uuid_str) != 3) return -EIO; val_len = 0; @@ -3884,7 +3884,7 @@ static int load_incl(struct gatt_db *db, char *handle, char *value, if (sscanf(handle, "%04hx", &start) != 1) return -EIO; - if (sscanf(value, GATT_INCLUDE_UUID_STR ":%04hx:%04hx:%s", &start, &end, + if (sscanf(value, GATT_INCLUDE_UUID_STR ":%04hx:%04hx:%36s", &start, &end, uuid_str) != 3) return -EIO; @@ -3918,7 +3918,7 @@ static int load_service(struct gatt_db *db, char *handle, char *value) if (sscanf(handle, "%04hx", &start) != 1) return -EIO; - if (sscanf(value, "%[^:]:%04hx:%s", type, &end, uuid_str) != 3) + if (sscanf(value, "%[^:]:%04hx:%36s", type, &end, uuid_str) != 3) return -EIO; if (g_str_equal(type, GATT_PRIM_SVC_UUID_STR)) From patchwork Fri Apr 1 07:46:40 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ildar Kamaletdinov X-Patchwork-Id: 556082 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 311B7C433EF for ; Fri, 1 Apr 2022 07:46:57 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1343949AbiDAHso (ORCPT ); Fri, 1 Apr 2022 03:48:44 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51162 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1343943AbiDAHso (ORCPT ); Fri, 1 Apr 2022 03:48:44 -0400 Received: from mxout03.lancloud.ru (mxout03.lancloud.ru [45.84.86.113]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EBD5025F65A for ; Fri, 1 Apr 2022 00:46:52 -0700 (PDT) Received: from LanCloud DKIM-Filter: OpenDKIM Filter v2.11.0 mxout03.lancloud.ru 7403E20A7B7F Received: from LanCloud Received: from LanCloud Received: from LanCloud From: Ildar Kamaletdinov To: CC: Ildar Kamaletdinov Subject: [PATCH BlueZ 7/7] gatt: Fix double free and freed memory dereference Date: Fri, 1 Apr 2022 10:46:40 +0300 Message-ID: <20220401074640.3956695-8-i.kamaletdinov@omp.ru> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220401074640.3956695-1-i.kamaletdinov@omp.ru> References: <20220401074640.3956695-1-i.kamaletdinov@omp.ru> MIME-Version: 1.0 X-Originating-IP: [192.168.11.198] X-ClientProxiedBy: LFEXT02.lancloud.ru (fd00:f066::142) To LFEX1910.lancloud.ru (fd00:f066::80) Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org In condition where device no longer exist or not paired when sending notification it is possible to to occure double free and dereference of already freed memory. To avoid this we need to recheck the state of device after sending notification. Found by Linux Verification Center (linuxtesting.org) with the SVACE static analysis tool. --- src/gatt-database.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/gatt-database.c b/src/gatt-database.c index d6c94058c..d32f616a9 100644 --- a/src/gatt-database.c +++ b/src/gatt-database.c @@ -3877,6 +3877,10 @@ void btd_gatt_database_server_connected(struct btd_gatt_database *database, send_notification_to_device(state, state->pending); + state = find_device_state(database, &bdaddr, bdaddr_type); + if (!state || !state->pending) + return; + free(state->pending->value); free(state->pending); state->pending = NULL;