From patchwork Thu May 16 09:03:05 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 797328 Received: from relay5-d.mail.gandi.net (relay5-d.mail.gandi.net [217.70.183.197]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 32938142E94 for ; Thu, 16 May 2024 09:03:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.197 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715850230; cv=none; b=C5JE6EucNTatLTbNQDnREZ1HpmcbEh56Iw3MV1pCu3Rtv/K2ksNIrh8SS9o+Vgb0J6H5mgAyFwblEwU6Ta+wm5vVLJk1pPW53E4TmdT6hrXNUihIF1ansu1J12P2SZgEsG5kDE0wzg4nCilh50T22YP/1+erjvxU5XnZh9eOYQ4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715850230; c=relaxed/simple; bh=gH4GoI2T/j0yiZYxFEnxRxCV+ZsffcBK9aBmxKu8sJk=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=khfXItFMgJYcp43u0rMwiGOEPjbFjhuWw0wKpCxcTiZl/FeEcGa2s1vcWtPOiM/t4kCOeWHQPno55xAfWOF0F3/FfVbeaTaJuZO8R+W5RMk2o2qviZ4gimKzw3Uiz1WBaWLVdO1IwBLibE2LYukJwSWHF/h+9w1XvK3beLpSDxY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.197 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id 466171C000D; Thu, 16 May 2024 09:03:41 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [BlueZ 01/15] main: Simplify variable assignment Date: Thu, 16 May 2024 11:03:05 +0200 Message-ID: <20240516090340.61417-2-hadess@hadess.net> X-Mailer: git-send-email 2.44.0 In-Reply-To: <20240516090340.61417-1-hadess@hadess.net> References: <20240516090340.61417-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net Error: RESOURCE_LEAK (CWE-772): [#def39] [important] bluez-5.75/src/main.c:425:2: alloc_fn: Storage is returned from allocation function "g_key_file_get_string". bluez-5.75/src/main.c:425:2: var_assign: Assigning: "tmp" = storage returned from "g_key_file_get_string(config, group, key, &err)". bluez-5.75/src/main.c:433:2: noescape: Assuming resource "tmp" is not freed or pointed-to as ellipsis argument to "btd_debug". bluez-5.75/src/main.c:440:2: leaked_storage: Variable "tmp" going out of scope leaks the storage it points to. 438| } 439| 440|-> return true; 441| } 442| --- src/main.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/src/main.c b/src/main.c index ac840d684f6d..f6369a20d879 100644 --- a/src/main.c +++ b/src/main.c @@ -420,9 +420,10 @@ static bool parse_config_string(GKeyFile *config, const char *group, const char *key, char **val) { GError *err = NULL; - char *tmp; - tmp = g_key_file_get_string(config, group, key, &err); + g_return_val_if_fail(val, false); + + *val = g_key_file_get_string(config, group, key, &err); if (err) { if (err->code != G_KEY_FILE_ERROR_KEY_NOT_FOUND) DBG("%s", err->message); @@ -430,12 +431,7 @@ static bool parse_config_string(GKeyFile *config, const char *group, return false; } - DBG("%s.%s = %s", group, key, tmp); - - if (val) { - g_free(*val); - *val = tmp; - } + DBG("%s.%s = %s", group, key, *val); return true; } @@ -1005,7 +1001,12 @@ static void parse_secure_conns(GKeyFile *config) static void parse_general(GKeyFile *config) { - parse_config_string(config, "General", "Name", &btd_opts.name); + char *str = NULL; + + if (parse_config_string(config, "General", "Name", &str)) { + g_free(btd_opts.name); + btd_opts.name = str; + } parse_config_hex(config, "General", "Class", &btd_opts.class); parse_config_u32(config, "General", "DiscoverableTimeout", &btd_opts.discovto, From patchwork Thu May 16 09:03:06 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 797515 Received: from relay5-d.mail.gandi.net (relay5-d.mail.gandi.net [217.70.183.197]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 329AF142E98 for ; Thu, 16 May 2024 09:03:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.197 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715850230; cv=none; b=p9HJhzI/Cj++6qXlB+VGfs+azpsTUgq+eIWYToLWhp5qD2HHdbDHFaUuFZ7dsysmkDh/1WnOKvTfC4GFhj2IMYzJ06K9zAaYzzZ/DRo9OppcnOZBhx471sDQCJ6glWu1bjJXwvK8aPKtuKnhx/UXTR6iuSO7mqMLMUZ0Pa3ZIrQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715850230; c=relaxed/simple; bh=775yw1FtGK63PePq+QzcMwFpusP36M4cfJGURqF/dsY=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=YScOLhPNtL8USKb3CkNmXVUV/EqZwITfR7Y1jaLdeAXkbCrGIZdsnf4BkcnyWWQWI2jBItNJBj7uh8MRnf9MrvcCsY4asoQY0y7a0klNOhGHPynW/FnAv4NHVSfQQugSh18pokyiw3DqiXw2LgwoCA2yUHmRpUEnyM1ntQ2jTFc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.197 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id 90A491C0009; Thu, 16 May 2024 09:03:41 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [BlueZ 02/15] shared/ecc: Fix uninitialised variable usage Date: Thu, 16 May 2024 11:03:06 +0200 Message-ID: <20240516090340.61417-3-hadess@hadess.net> X-Mailer: git-send-email 2.44.0 In-Reply-To: <20240516090340.61417-1-hadess@hadess.net> References: <20240516090340.61417-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net Error: UNINIT (CWE-457): [#def41] [important] bluez-5.75/src/shared/ecc.c:869:2: var_decl: Declaring variable "pk" without initializer. bluez-5.75/src/shared/ecc.c:885:34: uninit_use_in_call: Using uninitialized element of array "pk.x" when calling "ecc_point_is_zero". 883| 884| ecc_point_mult(&pk, &curve_g, priv, NULL, vli_num_bits(priv)); 885|-> } while (ecc_point_is_zero(&pk)); 886| 887| ecc_native2bytes(priv, private_key); Error: UNINIT (CWE-457): [#def42] [important] bluez-5.75/src/shared/ecc.c:869:2: var_decl: Declaring variable "pk" without initializer. bluez-5.75/src/shared/ecc.c:885:34: uninit_use_in_call: Using uninitialized element of array "pk.x" when calling "ecc_point_is_zero". bluez-5.75/src/shared/ecc.c:885:34: uninit_use_in_call: Using uninitialized element of array "pk.y" when calling "ecc_point_is_zero". 883| 884| ecc_point_mult(&pk, &curve_g, priv, NULL, vli_num_bits(priv)); 885|-> } while (ecc_point_is_zero(&pk)); 886| 887| ecc_native2bytes(priv, private_key); Error: UNINIT (CWE-457): [#def43] [important] bluez-5.75/src/shared/ecc.c:869:2: var_decl: Declaring variable "pk" without initializer. bluez-5.75/src/shared/ecc.c:889:2: uninit_use_in_call: Using uninitialized value "*pk.y" when calling "ecc_native2bytes". 887| ecc_native2bytes(priv, private_key); 888| ecc_native2bytes(pk.x, public_key); 889|-> ecc_native2bytes(pk.y, &public_key[32]); 890| 891| return true; --- src/shared/ecc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/shared/ecc.c b/src/shared/ecc.c index adaae2082e1f..02bccbd430f6 100644 --- a/src/shared/ecc.c +++ b/src/shared/ecc.c @@ -870,6 +870,8 @@ bool ecc_make_key(uint8_t public_key[64], uint8_t private_key[32]) uint64_t priv[NUM_ECC_DIGITS]; unsigned int tries = 0; + memset(&pk, 0, sizeof(pk)); + do { if (!get_random_number(priv) || (tries++ >= MAX_TRIES)) return false; From patchwork Thu May 16 09:03:07 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 797514 Received: from relay5-d.mail.gandi.net (relay5-d.mail.gandi.net [217.70.183.197]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3286A142E8C for ; Thu, 16 May 2024 09:03:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.197 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715850230; cv=none; b=TK55/zsPmrwuhHqd045TKIBBp81u93eDrECUgnILHNIqm7V2in0b3eucSiYWB7X8/p+F+pE7QgCE14n6rGfhibSYZYrcnMMy+Puhng3aKnMlDbQhEFeRfoNZ4EU7XoG4W2y7mxj/c6k5oKD7iPomVG9KeSuSUlth651uIGo2S6I= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715850230; c=relaxed/simple; bh=nJD3hKR3Np3JLEdiyiWo5d5x/H0q+Tf7XAmtKd6Lob8=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=jr8mI/wUbTCgO8YrU80E/RsTDDYQTdUT4ZM/veGx2OrqWl2/pv18fE9RrKRFzaAFxaFmasbdEpSZRQaJfsaOoMw9JXGTrMOy/0espVgnnbWRewettQHnZ0SHb8kCVCqL6hl8dharjaD6TS6jjHTtIr4ChfIXoPrX7ERAiYip+Do= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.197 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id DB7611C000F; Thu, 16 May 2024 09:03:41 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [BlueZ 03/15] shared/gatt-client: Fix uninitialised variable usage Date: Thu, 16 May 2024 11:03:07 +0200 Message-ID: <20240516090340.61417-4-hadess@hadess.net> X-Mailer: git-send-email 2.44.0 In-Reply-To: <20240516090340.61417-1-hadess@hadess.net> References: <20240516090340.61417-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net Error: UNINIT (CWE-457): [#def44] [important] bluez-5.75/src/shared/gatt-client.c:1669:2: var_decl: Declaring variable "value" without initializer. bluez-5.75/src/shared/gatt-client.c:1686:2: uninit_use_in_call: Using uninitialized value "value" when calling "bt_gatt_client_write_value". 1684| } 1685| 1686|-> att_id = bt_gatt_client_write_value(notify_data->client, 1687| notify_data->chrc->ccc_handle, 1688| (void *)&value, sizeof(value), --- src/shared/gatt-client.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/shared/gatt-client.c b/src/shared/gatt-client.c index dcf6f0211a67..8e4ae7e5e230 100644 --- a/src/shared/gatt-client.c +++ b/src/shared/gatt-client.c @@ -1666,7 +1666,7 @@ static bool notify_data_write_ccc(struct notify_data *notify_data, bool enable, bt_gatt_client_callback_t callback) { unsigned int att_id; - uint16_t value; + uint16_t value = 0x0000; uint16_t properties = notify_data->chrc->properties; assert(notify_data->chrc->ccc_handle); From patchwork Thu May 16 09:03:08 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 797511 Received: from relay5-d.mail.gandi.net (relay5-d.mail.gandi.net [217.70.183.197]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 327CD142912 for ; Thu, 16 May 2024 09:03:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.197 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715850231; cv=none; b=KyXekzDzHAPQJEvVbbGJZhXmmd4wBXjxoeTHYqwyKBGnG1gLgg06U7KJLON2trWd18NYV6wEdWf/agDsrXWMukf/sk+YfCqgMJTmXINg7kY3JNwPLyponaFtwld4j0W+6SNnn2fwct8OUUGmRCenU+84Mrh4ThQrdi49D06KGB8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715850231; c=relaxed/simple; bh=KoK9Uxs4odh+a3x9TyxMTRK8Zm7JWwsNCXZajcs4rZM=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=iVMwm9OcHHIqjTrKnD/0NQB+zyDfo9nTNq2kiBqxdJiJtkLuJS4N2WHqnaY0tIKee4RSyRNJEdlHJz1UUvLBnbly04HDkrai9GWQRllOQxQh5IbqhDsFmxi3Y9Dyfuqxcka7uAYgTBnO/RvMrlZOSfzntJHetx+6c0sXLF6JciY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.197 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id 2F63F1C0014; Thu, 16 May 2024 09:03:42 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [BlueZ 04/15] tools/mesh-cfgclient: Fix uninitialised variable usage Date: Thu, 16 May 2024 11:03:08 +0200 Message-ID: <20240516090340.61417-5-hadess@hadess.net> X-Mailer: git-send-email 2.44.0 In-Reply-To: <20240516090340.61417-1-hadess@hadess.net> References: <20240516090340.61417-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net Error: UNINIT (CWE-457): [#def64] [important] bluez-5.75/tools/mesh-cfgclient.c:1992:2: var_decl: Declaring variable "result" without initializer. bluez-5.75/tools/mesh-cfgclient.c:2041:3: uninit_use: Using uninitialized value "result". Field "result.last_seen" is uninitialized. 2039| l_queue_length(devices) + 1); 2040| dev = l_malloc(sizeof(struct unprov_device)); 2041|-> *dev = result; 2042| 2043| } else if (dev->rssi < result.rssi) Error: UNINIT (CWE-457): [#def65] [important] bluez-5.75/tools/mesh-cfgclient.c:1992:2: var_decl: Declaring variable "result" without initializer. bluez-5.75/tools/mesh-cfgclient.c:2044:3: uninit_use: Using uninitialized value "result". Field "result.last_seen" is uninitialized. 2042| 2043| } else if (dev->rssi < result.rssi) 2044|-> *dev = result; 2045| 2046| dev->last_seen = time(NULL); --- tools/mesh-cfgclient.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tools/mesh-cfgclient.c b/tools/mesh-cfgclient.c index 6d2d34409fe3..e39f145c6241 100644 --- a/tools/mesh-cfgclient.c +++ b/tools/mesh-cfgclient.c @@ -2021,6 +2021,7 @@ static struct l_dbus_message *scan_result_call(struct l_dbus *dbus, result.server = server; result.rssi = rssi; result.id = 0; + result.last_seen = time(NULL); if (n > 16 && n <= 18) result.oob_info = l_get_be16(prov_data + 16); @@ -2043,8 +2044,6 @@ static struct l_dbus_message *scan_result_call(struct l_dbus *dbus, } else if (dev->rssi < result.rssi) *dev = result; - dev->last_seen = time(NULL); - l_queue_insert(devices, dev, sort_rssi, NULL); done: From patchwork Thu May 16 09:03:09 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 797326 Received: from relay5-d.mail.gandi.net (relay5-d.mail.gandi.net [217.70.183.197]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 328EE142E91 for ; Thu, 16 May 2024 09:03:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.197 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715850230; cv=none; b=CYrfVvJqU132dSRl0D0ZKeIEM6weNLRWNywx0AA/3QOhuobyMBpzbXA+2v3Em+RzPOdgoiGc5esE/YdwTik/oCKx6ZvtQ2p8Zl9XjmX7ElQ0OQvNST7Uq7jLj2lqLBY4My5h9BGIJdF9hcUbLj4YJ3ILoxrJEgb1pbk8dv3Zr0E= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715850230; c=relaxed/simple; bh=G0YIdC2Ro9VnFebL+xvd7S9Fy6i8yWt/cOQX3ft3yIg=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=VVNp0II0ksUomc99Bzl+bAYuH85aenwgOqDszJbTBn/OHB5rnvahoWXwit7WoRZ68VRLRSz0vGUmS4skMyVauz0RiUs9AZ05UDJXV6yypmV75Ah+A3iQaVU965r2Ctl1rc79rykJV6oadGHOpYTfPUTsdPpH8rdLOsvVK07T9/U= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.197 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id 7262B1C0015; Thu, 16 May 2024 09:03:42 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [BlueZ 05/15] test-runner: Remove unused envp Date: Thu, 16 May 2024 11:03:09 +0200 Message-ID: <20240516090340.61417-6-hadess@hadess.net> X-Mailer: git-send-email 2.44.0 In-Reply-To: <20240516090340.61417-1-hadess@hadess.net> References: <20240516090340.61417-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net Error: UNINIT (CWE-457): [#def70] [important] bluez-5.75/tools/test-runner.c:644:2: var_decl: Declaring variable "envp" without initializer. bluez-5.75/tools/test-runner.c:682:3: uninit_use_in_call: Using uninitialized value "*envp" when calling "execve". 680| 681| if (pid == 0) { 682|-> execve(argv[0], argv, envp); 683| exit(EXIT_SUCCESS); 684| } Error: UNINIT (CWE-457): [#def71] [important] bluez-5.75/tools/test-runner.c:701:2: var_decl: Declaring variable "envp" without initializer. bluez-5.75/tools/test-runner.c:739:3: uninit_use_in_call: Using uninitialized value "*envp" when calling "execve". 737| 738| if (pid == 0) { 739|-> execve(argv[0], argv, envp); 740| exit(EXIT_SUCCESS); 741| } --- tools/test-runner.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/test-runner.c b/tools/test-runner.c index 5bdcf42fcd7a..134e26f9c691 100644 --- a/tools/test-runner.c +++ b/tools/test-runner.c @@ -641,7 +641,7 @@ static const char *monitor_table[] = { static pid_t start_btmon(const char *home) { const char *monitor = NULL; - char *argv[3], *envp[2]; + char *argv[3]; pid_t pid; int i; @@ -679,7 +679,7 @@ static pid_t start_btmon(const char *home) } if (pid == 0) { - execve(argv[0], argv, envp); + execv(argv[0], argv); exit(EXIT_SUCCESS); } From patchwork Thu May 16 09:03:10 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 797329 Received: from relay5-d.mail.gandi.net (relay5-d.mail.gandi.net [217.70.183.197]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 329ED142E9A for ; Thu, 16 May 2024 09:03:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.197 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715850230; cv=none; b=Dsawoq4XmXCsi8QIqyXMy5MinxB2dDJaKEIAVjlEBsD92KJnuZC2moWuAWYw8Dg9Ejs/SRzxE+MWTDQL4dGpBW37F2WR7qgL4vCjqRbfyGph1BxfAGKgiAf1pL4WE174D9/7Wt54JHewStbxdkSXEuSAbIeyf0RZoUdLh4AaO+I= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715850230; c=relaxed/simple; bh=NBJkrCOhf1LhOUZCleZrx2xtGxd/DhKz9plgXoUn2q0=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=rnO/3wvdp6uIYo3GRuGbAQjyPG2n+ouY0JLFdvpl1UY4q1rd8q++ob2E5NFse8QbwXJKi3dtu1WS+GhHx2SSiKjxZOkIBoBje+biF9kL5KRuTzbcNZl3dwEG/kAWrpI4cBmlRZzzG/745VmX5I4/Eq0QtCNWQCOQ/0xEaoYePqQ= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.197 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id BBE441C0016; Thu, 16 May 2024 09:03:42 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [BlueZ 06/15] test-runner: Fix uninitialised variable usage Date: Thu, 16 May 2024 11:03:10 +0200 Message-ID: <20240516090340.61417-7-hadess@hadess.net> X-Mailer: git-send-email 2.44.0 In-Reply-To: <20240516090340.61417-1-hadess@hadess.net> References: <20240516090340.61417-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net Error: UNINIT (CWE-457): [#def72] [important] bluez-5.75/tools/test-runner.c:856:2: var_decl: Declaring variable "argv" without initializer. bluez-5.75/tools/test-runner.c:945:2: uninit_use: Using uninitialized value "argv[0]". 943| envp[pos] = NULL; 944| 945|-> printf("Running command %s\n", cmdname ? cmdname : argv[0]); 946| 947| pid = fork(); --- tools/test-runner.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tools/test-runner.c b/tools/test-runner.c index 134e26f9c691..ff5e19825801 100644 --- a/tools/test-runner.c +++ b/tools/test-runner.c @@ -912,6 +912,11 @@ static void run_command(char *cmdname, char *home) audio_pid[0] = audio_pid[1] = -1; start_next: + if (!run_auto && !cmdname) { + fprintf(stderr, "Missing command argument\n"); + return; + } + if (run_auto) { if (chdir(home + 5) < 0) { perror("Failed to change home test directory"); From patchwork Thu May 16 09:03:11 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 797327 Received: from relay5-d.mail.gandi.net (relay5-d.mail.gandi.net [217.70.183.197]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3296F142E96 for ; Thu, 16 May 2024 09:03:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.197 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715850230; cv=none; b=fnkgHbozWfbknAzGALYNzuctnxWKlYHDc1XQ7OllS+3j+naUfWTshJTSsxMr8aoYa2nezg77dtGSnjv72k8gFYYWXboOWU0VTpWvQZpJ7llaGmUZaLI0P//mC9sQJGVsEDlmGzYbAfGBt3oV9nkakLQ9oZnx28kNcus54dthfY8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715850230; c=relaxed/simple; bh=qgt4Ntngs7YG4F+yMa9fB5zhvbuMNsssLDX4d2JLqrc=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=miY7wlnTf1X/JV/wSP6OFkkyJ8Qvv1IZsasnqWIuoEf6Xhto7n05f3CCjJqmoo1uRbiPKU/kNmic/es5XY2frxTQEPnKQs1BU1stqsT0HERuDBvHQQfl7B7mrz2x0iL2apPgGUd/noisY4rjyE9Qk5vVuE7RoPVD4S2aDKLQi8k= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.197 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id 0D7F71C0017; Thu, 16 May 2024 09:03:42 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [BlueZ 07/15] test-runner: Fix uninitialised variable usage Date: Thu, 16 May 2024 11:03:11 +0200 Message-ID: <20240516090340.61417-8-hadess@hadess.net> X-Mailer: git-send-email 2.44.0 In-Reply-To: <20240516090340.61417-1-hadess@hadess.net> References: <20240516090340.61417-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net Error: UNINIT (CWE-457): [#def64] [important] bluez-5.75/tools/test-runner.c:701:2: var_decl: Declaring variable "envp" without initializer. bluez-5.75/tools/test-runner.c:739:3: uninit_use_in_call: Using uninitialized value "*envp" when calling "execve". 737| 738| if (pid == 0) { 739|-> execve(argv[0], argv, envp); 740| exit(EXIT_SUCCESS); 741| } --- tools/test-runner.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/test-runner.c b/tools/test-runner.c index ff5e19825801..908327255ad7 100644 --- a/tools/test-runner.c +++ b/tools/test-runner.c @@ -698,7 +698,7 @@ static const char *btvirt_table[] = { static pid_t start_btvirt(const char *home) { const char *btvirt = NULL; - char *argv[3], *envp[2]; + char *argv[3]; pid_t pid; int i; @@ -736,7 +736,7 @@ static pid_t start_btvirt(const char *home) } if (pid == 0) { - execve(argv[0], argv, envp); + execv(argv[0], argv); exit(EXIT_SUCCESS); } From patchwork Thu May 16 09:03:12 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 797513 Received: from relay5-d.mail.gandi.net (relay5-d.mail.gandi.net [217.70.183.197]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3281F142E75 for ; Thu, 16 May 2024 09:03:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.197 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715850230; cv=none; b=WqQBotSvja3wgLf7aS5n1E6afyNYFcnIb+2ApZNM4EjONyQ/pIAhLdp6IAU+2Fnd6MUFTlwLK7yEjTtsnOBaOq3WbP2Se3mm3fAjarh4ub5qO2toZvgjxcT2dvabC7Ty3r6vOd2cAV1Y8HC7s7Q2T/FNb98CoSGX9Ok3s5FntQY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715850230; c=relaxed/simple; bh=PqHPX83R97G7eIq/784Jd02Ywg3ig3f/+g+FHUYlLxA=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=nhH1oBodjXN1orTrxPTclqz7fFb0TLVN6xLSDuQDqBXf/kxPT9B7TaWE3WmviAYsYS7xD/8z+yMXNFN7tTcUVbjI1iMWuseXUh0Y/N9WqHcxmStmuT3QTE2nluHvzmk0NMQHEDHBVOS4AQA6moo0JKwlxHrO0/0Y39CWe7LrL0o= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.197 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id 56B001C000A; Thu, 16 May 2024 09:03:43 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [BlueZ 08/15] shared/bap: Fix possible use-after-free Date: Thu, 16 May 2024 11:03:12 +0200 Message-ID: <20240516090340.61417-9-hadess@hadess.net> X-Mailer: git-send-email 2.44.0 In-Reply-To: <20240516090340.61417-1-hadess@hadess.net> References: <20240516090340.61417-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net stream_set_state() might call bap_stream_detach() if the stream is in the process of being detached, causing a use-after-free. Return false from stream_set_state() if the stream is unsafe to manipulate (ie. was in the process of being detached and freed). Error: USE_AFTER_FREE (CWE-416): [#def37] [important] bluez-5.75/src/shared/bap.c:2490:2: freed_arg: "stream_set_state" frees "stream". bluez-5.75/src/shared/bap.c:2493:2: deref_after_free: Dereferencing freed pointer "stream". 2491| 2492| /* Sink can autonomously for to Streaming state if io already exits */ 2493|-> if (stream->io && stream->ep->dir == BT_BAP_SINK) 2494| stream_set_state(stream, BT_BAP_STREAM_STATE_STREAMING); 2495| --- src/shared/bap.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/src/shared/bap.c b/src/shared/bap.c index 1316d7c73d02..0026bc8dc989 100644 --- a/src/shared/bap.c +++ b/src/shared/bap.c @@ -1298,7 +1298,8 @@ static void bap_stream_state_changed(struct bt_bap_stream *stream) } } -static void stream_set_state(struct bt_bap_stream *stream, uint8_t state) +/* Return false if the stream is being detached */ +static bool stream_set_state(struct bt_bap_stream *stream, uint8_t state) { struct bt_bap *bap = stream->bap; @@ -1308,13 +1309,14 @@ static void stream_set_state(struct bt_bap_stream *stream, uint8_t state) bap = bt_bap_ref_safe(bap); if (!bap) { bap_stream_detach(stream); - return; + return false; } if (stream->ops && stream->ops->set_state) stream->ops->set_state(stream, state); bt_bap_unref(bap); + return true; } static void ep_config_cb(struct bt_bap_stream *stream, int err) @@ -2487,7 +2489,8 @@ static uint8_t stream_enable(struct bt_bap_stream *stream, struct iovec *meta, util_iov_free(stream->meta, 1); stream->meta = util_iov_dup(meta, 1); - stream_set_state(stream, BT_BAP_STREAM_STATE_ENABLING); + if (!stream_set_state(stream, BT_BAP_STREAM_STATE_ENABLING)) + return 1; /* Sink can autonomously for to Streaming state if io already exits */ if (stream->io && stream->ep->dir == BT_BAP_SINK) From patchwork Thu May 16 09:03:13 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 797325 Received: from relay5-d.mail.gandi.net (relay5-d.mail.gandi.net [217.70.183.197]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 328A3142E8E for ; Thu, 16 May 2024 09:03:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.197 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715850231; cv=none; b=IAVUyVpnWF381rs5UpEig/LPTOFoRaiZSfbOPrS03mrkQKWFqG4FEOhu4qQtMT0HGaZoR2l963051oQlEU0ckznrBq2xtLnC6K4GBLAYJdbHW/SAFp7HyJnTEqtHVuXLTwy4onOYPgqqmlzOTp+x/r9HJaUBMGy/hR/SxMIc/mY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715850231; c=relaxed/simple; bh=+Phm/GPIQ/Kb58wh0VebLZB5wfxtrZf3uXZjO+mnDKQ=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=mu0WH/iw0XOExKBuLbuj+ccXx8gNYMz4O4nqIX/08PQc6XUxvGB8pHL0wc4jmxNQFnpZlXlXDq1vWq9JWLGh7AkB/IQf0p6K9anvAjakrYjhtF+fPe24wOskuKdZFD2mm5PaGqSTLT9p++sS8EX98o8WVoJO/MdFfg+vEfrzdF4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.197 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id A2FA91C0019; Thu, 16 May 2024 09:03:43 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [BlueZ 09/15] isotest: Fix bad free Date: Thu, 16 May 2024 11:03:13 +0200 Message-ID: <20240516090340.61417-10-hadess@hadess.net> X-Mailer: git-send-email 2.44.0 In-Reply-To: <20240516090340.61417-1-hadess@hadess.net> References: <20240516090340.61417-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net Error: BAD_FREE (CWE-763): [#def58] [important] bluez-5.75/tools/isotest.c:1461:5: address: Taking offset from "strchr(filename, 44)". bluez-5.75/tools/isotest.c:1461:5: assign: Assigning: "filename" = "strchr(filename, 44) + 1". bluez-5.75/tools/isotest.c:1536:2: incorrect_free: "free" frees incorrect pointer "filename". 1534| 1535| done: 1536|-> free(filename); 1537| 1538| syslog(LOG_INFO, "Exit"); --- tools/isotest.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/tools/isotest.c b/tools/isotest.c index 58293133a304..fc1c26b23c3b 100644 --- a/tools/isotest.c +++ b/tools/isotest.c @@ -1457,8 +1457,11 @@ int main(int argc, char *argv[]) switch (mode) { case SEND: send_mode(filename, argv[optind + i], i, repeat); - if (filename && strchr(filename, ',')) - filename = strchr(filename, ',') + 1; + if (filename && strchr(filename, ',')) { + char *tmp = filename; + filename = strdup(strchr(filename, ',') + 1); + free(tmp); + } break; case RECONNECT: From patchwork Thu May 16 09:03:14 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 797510 Received: from relay5-d.mail.gandi.net (relay5-d.mail.gandi.net [217.70.183.197]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 8061D142912 for ; Thu, 16 May 2024 09:03:51 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.197 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715850233; cv=none; b=llrqvyt0gyDAGsY9E1x/nT7bQOLPXq8/qW4xgMnNVhtLWTgrLomcW0i7KukS8zyuLmb93EUD8JQaYpgbMCZWoMIPCaSD3ACf4e0qJpIKmcjEtHT0zyaTPh0CSGlac5OmN1lgEwHPTPRgbjqz97DG2eiPx+oZ1n/0MVedDKYc9AA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715850233; c=relaxed/simple; bh=d1o3XOd5RyFGZH2VnJi5Sb7N85gZFU73tOOQkeoxsig=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=PObvqe3yBwEf7GwfmTXPnoNAIUWkaEQoMYKFFLYEPzql7UU+tp+AyiW+jIMcOnJhY8u5tohLiHy3ua7e4g/bBGfFdCLogjiWH7ZqfSJ+puZbwvMCmr3hx2DuzYpdT4Rst2ht8dpzgR54vdWv+1L1OBtP9ZlFcmt9vpJXdrZFSIY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.197 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id F13FA1C0012; Thu, 16 May 2024 09:03:43 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [BlueZ 10/15] test-runner: Fix fd leak on failure Date: Thu, 16 May 2024 11:03:14 +0200 Message-ID: <20240516090340.61417-11-hadess@hadess.net> X-Mailer: git-send-email 2.44.0 In-Reply-To: <20240516090340.61417-1-hadess@hadess.net> References: <20240516090340.61417-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net Error: RESOURCE_LEAK (CWE-772): [#def65] [important] bluez-5.75/tools/test-runner.c:877:3: open_fn: Returning handle opened by "attach_proto". bluez-5.75/tools/test-runner.c:877:3: var_assign: Assigning: "serial_fd" = handle returned from "attach_proto(node, 0U, basic_flags, extra_flags)". bluez-5.75/tools/test-runner.c:955:3: leaked_handle: Handle variable "serial_fd" going out of scope leaks the handle. 953| if (pid < 0) { 954| perror("Failed to fork new process"); 955|-> return; 956| } 957| --- tools/test-runner.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tools/test-runner.c b/tools/test-runner.c index 908327255ad7..de0f2260480c 100644 --- a/tools/test-runner.c +++ b/tools/test-runner.c @@ -952,6 +952,8 @@ start_next: pid = fork(); if (pid < 0) { perror("Failed to fork new process"); + if (serial_fd >= 0) + close(serial_fd); return; } From patchwork Thu May 16 09:03:15 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 797322 Received: from relay5-d.mail.gandi.net (relay5-d.mail.gandi.net [217.70.183.197]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A84D3143758 for ; Thu, 16 May 2024 09:03:51 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.197 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715850234; cv=none; b=Z0FCagpti9Bz3w3EKJXeHR1DZthRHbTs4EFYSyRbRmGeErfmHicf96YTRoZXq9uF7r7Bh4GDBtwh+Ts4DbE+qRw93nvjk1bH4Y1XfPOQPFupJt0VwIBEq3mxbtDIwAirP16m1Xp2GiRN3nZrJIhfOUb+ffQngRLnQT0EVVeWcDs= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715850234; c=relaxed/simple; bh=6z2Ai1Je6gdzEgUhoN0CkfwGrcsjJ2hvvIPwUXANVB8=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=XoRd3ILQzWfI0uA69QTEG8HdLzGsbDCvIKxhHbNgs48NkJNaaAayiQLJgA/KXuxSqREz9SCeM9JcWatJyYfiiMBZFsDMRo7DSVj7gaSb2AUrqwXfdv7nEcIxXXGELbTVF0paGfY2c5uVqLnPlusjPvlzYb3R4kLvvYXkCR1Uk0s= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.197 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id 49C3A1C0002; Thu, 16 May 2024 09:03:44 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [BlueZ 11/15] isotest: Fix string size expectations Date: Thu, 16 May 2024 11:03:15 +0200 Message-ID: <20240516090340.61417-12-hadess@hadess.net> X-Mailer: git-send-email 2.44.0 In-Reply-To: <20240516090340.61417-1-hadess@hadess.net> References: <20240516090340.61417-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net Verify that the peer is a valid bdaddr (and so has the correct length) before using it. Error: STRING_SIZE (CWE-120): [#def54] [important] bluez-5.75/tools/isotest.c:1198:26: string_size_argv: "argv" contains strings with unknown size. bluez-5.75/tools/isotest.c:1459:4: string_size: Passing string "argv[optind + i]" of unknown size to "send_mode", which expects a string of a particular size. Error: STRING_SIZE (CWE-120): [#def55] [important] bluez-5.75/tools/isotest.c:1198:26: string_size_argv: "argv" contains strings with unknown size. bluez-5.75/tools/isotest.c:1476:4: var_assign_var: Assigning: "peer" = "argv[optind + i]". Both are now tainted. bluez-5.75/tools/isotest.c:1484:5: string_size: Passing string "peer" of unknown size to "bcast_do_connect_mbis", which expects a string of a particular size. Error: STRING_SIZE (CWE-120): [#def56] [important] bluez-5.75/tools/isotest.c:1198:26: string_size_argv: "argv" contains strings with unknown size. bluez-5.75/tools/isotest.c:1476:4: var_assign_var: Assigning: "peer" = "argv[optind + i]". Both are now tainted. bluez-5.75/tools/isotest.c:1514:5: string_size: Passing string "argv[optind + i]" of unknown size to "do_connect", which expects a string of a particular size. --- tools/isotest.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/tools/isotest.c b/tools/isotest.c index fc1c26b23c3b..f98f25497b85 100644 --- a/tools/isotest.c +++ b/tools/isotest.c @@ -1456,7 +1456,12 @@ int main(int argc, char *argv[]) switch (mode) { case SEND: - send_mode(filename, argv[optind + i], i, repeat); + peer = argv[optind + i]; + if (bachk(peer) < 0) { + fprintf(stderr, "Invalid peer address '%s'\n", peer); + exit(1); + } + send_mode(filename, peer, i, repeat); if (filename && strchr(filename, ',')) { char *tmp = filename; filename = strdup(strchr(filename, ',') + 1); @@ -1474,6 +1479,10 @@ int main(int argc, char *argv[]) case CONNECT: peer = argv[optind + i]; + if (bachk(peer) < 0) { + fprintf(stderr, "Invalid peer address '%s'\n", peer); + exit(1); + } mgmt_set_experimental(); @@ -1511,7 +1520,7 @@ int main(int argc, char *argv[]) free(sk_arr); } else { - sk = do_connect(argv[optind + i]); + sk = do_connect(peer); if (sk < 0) exit(1); From patchwork Thu May 16 09:03:16 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 797324 Received: from relay5-d.mail.gandi.net (relay5-d.mail.gandi.net [217.70.183.197]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 94653143757 for ; Thu, 16 May 2024 09:03:51 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.197 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715850233; cv=none; b=HH8HtTnP6kVf4waw86e0w+sGT92XdxYzklfRqIjAgraZJlWukMsH+SoG0VKrkuGNu+OjPIVfBR4LX9fQTZk8kM/uGL046oyu52DWp1V5+3GomtVYoZ38z0mBUIaO+eRekw+AdfL2Hd2A92JrnfdrfPYCZaMCrOpr+CNxu4HXPrU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715850233; c=relaxed/simple; bh=wBKaBDtRcPjNoMraWYoXvslQgUVGW3mNUPea6jugRso=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=n0qwA3kg0B5Qtk3glesYChZXyQDZxvGntVCrMYkXOUKobRBmsSPEi8mQ1mb0BJu6IHj3OJmqm8pFbjEsVl5iiu2Ap/4jV9Ah9BO3ifKTULpKCTCnCX7WtcrpsfKtXcnbb4DeKUWaRuTSEGWFV9i362/VqCnsP+ZtZOVRUm1zzFw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.197 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id 8D9A71C001B; Thu, 16 May 2024 09:03:44 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [BlueZ 12/15] mgmt-tester: Fix non-nul-terminated string Date: Thu, 16 May 2024 11:03:16 +0200 Message-ID: <20240516090340.61417-13-hadess@hadess.net> X-Mailer: git-send-email 2.44.0 In-Reply-To: <20240516090340.61417-1-hadess@hadess.net> References: <20240516090340.61417-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net Error: STRING_NULL (CWE-170): [#def59] [important] bluez-5.75/tools/mgmt-tester.c:12670:2: string_null_source: Function "vhci_read_devcd" does not terminate string "buf". bluez-5.75/tools/mgmt-tester.c:12677:2: string_null: Passing unterminated string "buf" to "strtok_r", which expects a null-terminated string. 12675| 12676| /* Verify if all devcoredump header fields are present */ 12677|-> line = strtok_r(buf, delim, &saveptr); 12678| while (strlen(test->expect_dump_data[i])) { 12679| if (!line || strcmp(line, test->expect_dump_data[i])) { --- tools/mgmt-tester.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/tools/mgmt-tester.c b/tools/mgmt-tester.c index 8a4fbc2eb6a6..8076ec105ebb 100644 --- a/tools/mgmt-tester.c +++ b/tools/mgmt-tester.c @@ -12656,18 +12656,22 @@ static void verify_devcd(void *user_data) struct test_data *data = tester_get_data(); const struct generic_data *test = data->test_data; struct vhci *vhci = hciemu_get_vhci(data->hciemu); - char buf[MAX_COREDUMP_BUF_LEN] = {0}; + char buf[MAX_COREDUMP_BUF_LEN + 1] = {0}; + int read; char delim[] = "\n"; char *line; char *saveptr; int i = 0; /* Read the generated devcoredump file */ - if (vhci_read_devcd(vhci, buf, sizeof(buf)) <= 0) { + read = vhci_read_devcd(vhci, buf, MAX_COREDUMP_BUF_LEN); + if (read <= 0) { tester_warn("Unable to read devcoredump"); tester_test_failed(); return; } + /* Make sure buf is nul-terminated */ + buf[read + 1] = '\0'; /* Verify if all devcoredump header fields are present */ line = strtok_r(buf, delim, &saveptr); From patchwork Thu May 16 09:03:17 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 797509 Received: from relay5-d.mail.gandi.net (relay5-d.mail.gandi.net [217.70.183.197]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 94618143723 for ; Thu, 16 May 2024 09:03:51 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.197 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715850233; cv=none; b=uMFjekW/rypUxXIDes9sQMTPT71ELJAvyM58xKsXCSRKA0c8sVawj23o8CyKmhd6y7s6t7BOc+cQRjG41guGq/DRa7CFNGFBzwHQjWifDSJGgpK53HqWIunO9i0FMNxmvAcywZ72/YGfBmEMMlbkEjWFvFEBVnoSFLejuw6ncd0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715850233; c=relaxed/simple; bh=Jk9CuUK1Vq4XCmvzya9AeYL6PQDfubXCa0q6QxXAV2s=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=G6vV914t1tAstgTJK+S7KWuYvsWJKkOOZNxa53p99NajrkCIpfD2hNf2ho+ZqG++YtlTSZjQNMRQymhXTFvuVG+kMv5BXpQI7Nb58VmmkKbs4ssYGuSgYVrGvGvn2OKsGCnhjmS3V2U381ejQAEYSuzXowMNLrYrHny+SG7GYPE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.197 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id D63DB1C001A; Thu, 16 May 2024 09:03:44 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [BlueZ 13/15] gdbus: Check sprintf retval Date: Thu, 16 May 2024 11:03:17 +0200 Message-ID: <20240516090340.61417-14-hadess@hadess.net> X-Mailer: git-send-email 2.44.0 In-Reply-To: <20240516090340.61417-1-hadess@hadess.net> References: <20240516090340.61417-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net Error: SNYK_CODE_WARNING (CWE-125): [#def63] [important] bluez-5.75/gdbus/watch.c:131:11: error[cpp/NegativeIndex]: The value from snprintf, a standard library function that can return a negative value is used as an index. A negative array index can lead to reading or writing outside the bounds of the array. Ensure the value of the index used is within bounds before use. 129| int offset; 130| 131|-> offset = snprintf(rule, size, "type='signal'"); 132| sender = data->name ? : data->owner; 133| --- gdbus/watch.c | 46 ++++++++++++++++++++++++++++++++++------------ 1 file changed, 34 insertions(+), 12 deletions(-) diff --git a/gdbus/watch.c b/gdbus/watch.c index 25f367613a52..22f77ea72861 100644 --- a/gdbus/watch.c +++ b/gdbus/watch.c @@ -123,29 +123,51 @@ static struct filter_data *filter_data_find(DBusConnection *connection) return NULL; } -static void format_rule(struct filter_data *data, char *rule, size_t size) +static gboolean format_rule(struct filter_data *data, char *rule, size_t size) { const char *sender; - int offset; + int offset, ret; offset = snprintf(rule, size, "type='signal'"); + if (offset < 0) + return FALSE; sender = data->name ? : data->owner; - if (sender) - offset += snprintf(rule + offset, size - offset, + if (sender) { + ret = snprintf(rule + offset, size - offset, ",sender='%s'", sender); - if (data->path) - offset += snprintf(rule + offset, size - offset, + if (ret < 0) + return FALSE; + offset += ret; + } + if (data->path) { + ret = snprintf(rule + offset, size - offset, ",path='%s'", data->path); - if (data->interface) - offset += snprintf(rule + offset, size - offset, + if (ret < 0) + return FALSE; + offset += ret; + } + if (data->interface) { + ret = snprintf(rule + offset, size - offset, ",interface='%s'", data->interface); - if (data->member) - offset += snprintf(rule + offset, size - offset, + if (ret < 0) + return FALSE; + offset += ret; + } + if (data->member) { + ret = snprintf(rule + offset, size - offset, ",member='%s'", data->member); - if (data->argument) - snprintf(rule + offset, size - offset, + if (ret < 0) + return FALSE; + offset += ret; + } + if (data->argument) { + ret = snprintf(rule + offset, size - offset, ",arg0='%s'", data->argument); + if (ret < 0) + return FALSE; + } + return TRUE; } static gboolean add_match(struct filter_data *data, From patchwork Thu May 16 09:03:18 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 797508 Received: from relay5-d.mail.gandi.net (relay5-d.mail.gandi.net [217.70.183.197]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A8518143759 for ; Thu, 16 May 2024 09:03:51 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.197 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715850234; cv=none; b=BBJABcQJ5HzcLh49cvA11ipDvYcLFNq2hUg/Wj5yUmYkjj3aSODI6y3Z+1YbHXPoWqGFlFOmak5NSsui5wguzaJfldb9gRpfNd9oJvCQII9KzU9BuRGuJB3B1mN0PovzKWlRvTwj3bITnfB11XBx9RVB1BeUCkB0byuGuLnCohM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715850234; c=relaxed/simple; bh=rOEszmPbnYyS77rY0Dsii53mLdACyh6/1Nz812y6sT4=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=mBvlcW0FL78q42dCgcTwy4an0SThVURZBHgEA7DiSMG2D6NuJAZ27J0Q12N37sZSStkkMTPcxvk/hUNFicYSW59CaWyvSBa5qGgFTlvA02kJzjuGT18zXQG2utxudzvmkEACn25XhTtX+dGWeY37BfbtAaecgm+A6fgGJvhMR0A= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.197 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id 2B8571C001E; Thu, 16 May 2024 09:03:45 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [BlueZ 14/15] shared/bap: Fix memory leak in error path Date: Thu, 16 May 2024 11:03:18 +0200 Message-ID: <20240516090340.61417-15-hadess@hadess.net> X-Mailer: git-send-email 2.44.0 In-Reply-To: <20240516090340.61417-1-hadess@hadess.net> References: <20240516090340.61417-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net Error: RESOURCE_LEAK (CWE-772): [#def38] [important] bluez-5.75/src/shared/bap.c:6066:27: alloc_fn: Storage is returned from allocation function "util_malloc". bluez-5.75/src/shared/bap.c:6066:27: var_assign: Assigning: "__p" = storage returned from "util_malloc(__n * __s)". bluez-5.75/src/shared/bap.c:6066:27: noescape: Resource "__p" is not freed or pointed-to in "memset". [Note: The source code implementation of the function has been overridden by a builtin model.] bluez-5.75/src/shared/bap.c:6066:27: leaked_storage: Variable "__p" going out of scope leaks the storage it points to. bluez-5.75/src/shared/bap.c:6066:2: var_assign: Assigning: "base_iov" = "({...; __p;})". bluez-5.75/src/shared/bap.c:6070:2: noescape: Resource "base_iov" is not freed or pointed-to in "util_iov_push_le24". bluez-5.75/src/shared/bap.c:6071:3: leaked_storage: Variable "base_iov" going out of scope leaks the storage it points to. 6069| 6070| if (!util_iov_push_le24(base_iov, base->pres_delay)) 6071|-> return NULL; 6072| 6073| if (!util_iov_push_u8(base_iov, Error: RESOURCE_LEAK (CWE-772): [#def39] [important] bluez-5.75/src/shared/bap.c:6066:27: alloc_fn: Storage is returned from allocation function "util_malloc". bluez-5.75/src/shared/bap.c:6066:27: var_assign: Assigning: "__p" = storage returned from "util_malloc(__n * __s)". bluez-5.75/src/shared/bap.c:6066:27: noescape: Resource "__p" is not freed or pointed-to in "memset". [Note: The source code implementation of the function has been overridden by a builtin model.] bluez-5.75/src/shared/bap.c:6066:27: leaked_storage: Variable "__p" going out of scope leaks the storage it points to. bluez-5.75/src/shared/bap.c:6066:2: var_assign: Assigning: "base_iov" = "({...; __p;})". bluez-5.75/src/shared/bap.c:6070:2: noescape: Resource "base_iov" is not freed or pointed-to in "util_iov_push_le24". bluez-5.75/src/shared/bap.c:6073:2: noescape: Resource "base_iov" is not freed or pointed-to in "util_iov_push_u8". bluez-5.75/src/shared/bap.c:6075:3: leaked_storage: Variable "base_iov" going out of scope leaks the storage it points to. 6073| if (!util_iov_push_u8(base_iov, 6074| queue_length(base->subgroups))) 6075|-> return NULL; 6076| 6077| queue_foreach(base->subgroups, generate_subgroup_base, --- src/shared/bap.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/shared/bap.c b/src/shared/bap.c index 0026bc8dc989..48b6d7f4ea85 100644 --- a/src/shared/bap.c +++ b/src/shared/bap.c @@ -6067,12 +6067,18 @@ static struct iovec *generate_base(struct bt_base *base) base_iov->iov_base = util_malloc(BASE_MAX_LENGTH); - if (!util_iov_push_le24(base_iov, base->pres_delay)) + if (!util_iov_push_le24(base_iov, base->pres_delay)) { + free(base_iov->iov_base); + free(base_iov); return NULL; + } if (!util_iov_push_u8(base_iov, - queue_length(base->subgroups))) + queue_length(base->subgroups))) { + free(base_iov->iov_base); + free(base_iov); return NULL; + } queue_foreach(base->subgroups, generate_subgroup_base, base_iov); From patchwork Thu May 16 09:03:19 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 797323 Received: from relay5-d.mail.gandi.net (relay5-d.mail.gandi.net [217.70.183.197]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A8DBB14375A for ; Thu, 16 May 2024 09:03:51 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.197 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715850233; cv=none; b=GiUE3WuLiphumcVpN6Fng7vwPDqPNGKNiakQL+UcLwCQryjPsOlQtMGHSibDB6lVJrYtmj0sid1NJozrChTtnDMSm3k22UhaAMNIbbdLFJZ18exm6aJ0hMYCEWF4Dd6XprwiGJoaUibzZhWodTAJFaXfsrNTFSdrDVHAAJ3WQw0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1715850233; c=relaxed/simple; bh=QV8iOXArHBSYhkapCBUq3kge/lWMrwIohrKFkyrnxNY=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=fsi1UXLgDAp+VGwcwpt3HIBHtYLTnYV7X1vfaumvF5269WDCbS0YesgH6dLcVUYQLpebEPW1Pz/Nzb9/BISaUFfP9FCd308g8B/LsY9lQMQwpA7nUzx08Kc4FGUtfxu8c359fwm5J9yCNuxznfTwb/zjzXVvpizPtIxAsOD1tP8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.197 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id 785721C0018; Thu, 16 May 2024 09:03:45 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [BlueZ 15/15] android/handsfree: Check sprintf retval Date: Thu, 16 May 2024 11:03:19 +0200 Message-ID: <20240516090340.61417-16-hadess@hadess.net> X-Mailer: git-send-email 2.44.0 In-Reply-To: <20240516090340.61417-1-hadess@hadess.net> References: <20240516090340.61417-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net Error: SNYK_CODE_WARNING (CWE-125): [#def62] [important] bluez-5.75/android/handsfree.c:1247:15: error[cpp/NegativeIndex]: The value from sprintf, a standard library function that can return a negative value is used as an index. A negative array index can lead to reading or writing outside the bounds of the array. Ensure the value of the index used is within bounds before use. 1245| buf = g_malloc(len); 1246| 1247|-> ptr = buf + sprintf(buf, "+CIND:"); 1248| 1249| for (i = 0; i < IND_COUNT; i++) { --- android/handsfree.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/android/handsfree.c b/android/handsfree.c index 2365356c2cf7..7b803fae5263 100644 --- a/android/handsfree.c +++ b/android/handsfree.c @@ -1243,15 +1243,22 @@ static void at_cmd_cind(struct hfp_context *result, enum hfp_gw_cmd_type type, } buf = g_malloc(len); - - ptr = buf + sprintf(buf, "+CIND:"); + if (sprintf(buf, "+CIND:") != strlen("+CIND:")) { + g_free(buf); + break; + } + ptr = buf + strlen("+CIND:"); for (i = 0; i < IND_COUNT; i++) { - ptr += sprintf(ptr, "(\"%s\",(%d%c%d)),", + int printed; + printed = sprintf(ptr, "(\"%s\",(%d%c%d)),", dev->inds[i].name, dev->inds[i].min, dev->inds[i].max == 1 ? ',' : '-', dev->inds[i].max); + if (printed < 0) + goto fail; + ptr += printed; } ptr--; @@ -1273,6 +1280,7 @@ static void at_cmd_cind(struct hfp_context *result, enum hfp_gw_cmd_type type, break; } +fail: hfp_gw_send_result(dev->gw, HFP_RESULT_ERROR); if (dev->state != HAL_EV_HANDSFREE_CONN_STATE_SLC_CONNECTED)