2022-04-01 15:07:09

by Ildar Kamaletdinov

Subject: [PATCH BlueZ 1/6] monitor: Fix out-of-bound read in print_le_states

Accessing le_states_desc_table array with value 15 can cause
out-of-bound read because current size of array is 14.

Currently this cannot lead to any problems because we do not have such
state in le_states_comb_table but this could be changed in future and
raise described problem.

Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool.
---
monitor/packet.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/monitor/packet.c b/monitor/packet.c
index b7431b57d..1f04063d3 100644
--- a/monitor/packet.c
+++ b/monitor/packet.c
@@ -2816,7 +2816,8 @@ static const struct {
static void print_le_states(const uint8_t *states_array)
{
uint64_t mask, states = 0;
- int i, n;
+ int i = 0;
+ size_t n = 0;

for (i = 0; i < 8; i++)
states |= ((uint64_t) states_array[i]) << (i * 8);
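Review bot: the `= 0` initializers on `int i = 0;` and `size_t n = 0;` are dead stores, since both variables are assigned by `for (i = 0; ...)` and `for (n = 0; ...)` before any read; the part of this hunk that matters is `n` becoming `size_t`, which makes the later `n < ARRAY_SIZE(le_states_desc_table)` comparison like-signed, so consider keeping the declarations as `int i;` and `size_t n;` and stating in the commit message that the type change is there to match `ARRAY_SIZE`.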
@@ -2828,12 +2829,12 @@ static void print_le_states(const uint8_t *states_array)
for (i = 0; le_states_comb_table[i].states; i++) {
uint64_t val = (((uint64_t) 1) << le_states_comb_table[i].bit);
const char *str[3] = { NULL, };
- int num = 0;
+ size_t num = 0;

if (!(states & val))
continue;

- for (n = 0; n < 16; n++) {
+ for (n = 0; n < ARRAY_SIZE(le_states_desc_table); n++) {
if (le_states_comb_table[i].states & (1 << n))
str[num++] = le_states_desc_table[n].str;
}
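Review bot: the mask on the unchanged line `if (le_states_comb_table[i].states & (1 << n))` is still an `int` shift, while `val` a few lines above is built with `((uint64_t) 1) << ...`; with `n` now bounded by `ARRAY_SIZE(le_states_desc_table)` this is fine for the current 14-entry table, but the shift becomes undefined as soon as the table grows past 31 entries, so build it as `((uint64_t) 1) << n` for consistency with `val`. Separately, `str[num++] = le_states_desc_table[n].str;` writes into `const char *str[3]` with no check on `num`, so a combination entry with more than three bits set would overflow `str`; a bound on `num` (or a build-time check on the table) would close that off.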
--
2.35.1
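The pattern the patch moves to, a loop bounded by the descriptor table's real size instead of a hard-coded constant, is shown below as an added example; it is not BlueZ code and not part of this thread. The table `desc_table`, the function `collect_desc` and the three-entry sample data are constructed for illustration. It also adds the check the patch does not have, a bound on the output array, so that a bit pattern with more set bits than output slots is reported as truncated rather than written past the array.

```c
/* Added example (not BlueZ code): bounded lookup of bit-indexed descriptors. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed descriptor table: entry n describes bit n. Three entries only. */
static const char *const desc_table[] = {
	"state A",
	"state B",
	"state C",
};

/*
 * Copy the descriptor of every set bit in 'bits' into out[] (capacity out_cap).
 * The loop runs to ARRAY_SIZE(desc_table), so a bit at a position with no
 * table entry (e.g. bit 15 here) is skipped instead of read out of bounds,
 * and 'num' is checked against out_cap so out[] can never be overrun.
 * Returns the number of descriptors written; *truncated is set to 1 when a
 * set bit was dropped for either reason.
 */
static size_t collect_desc(uint64_t bits, const char **out, size_t out_cap,
			   int *truncated)
{
	size_t n, num = 0;

	*truncated = 0;

	for (n = 0; n < ARRAY_SIZE(desc_table); n++) {
		/* 64-bit shift, so the mask is well defined for any n < 64 */
		if (!(bits & (((uint64_t) 1) << n)))
			continue;

		if (num >= out_cap) {
			*truncated = 1;
			break;
		}

		out[num++] = desc_table[n];
	}

	/* Any bit at or above the table size has no descriptor (table < 64 entries). */
	if (bits >> ARRAY_SIZE(desc_table))
		*truncated = 1;

	return num;
}

int main(void)
{
	const char *out[3];
	int truncated;
	size_t i, num;

	/* bits 0 and 2 set: two descriptors, nothing dropped */
	num = collect_desc(0x5, out, ARRAY_SIZE(out), &truncated);
	for (i = 0; i < num; i++)
		printf("%s\n", out[i]);
	printf("truncated=%d\n", truncated);

	/* bit 15 set: no table entry for it, reported as truncated */
	num = collect_desc(((uint64_t) 1) << 15, out, ARRAY_SIZE(out), &truncated);
	printf("num=%zu truncated=%d\n", num, truncated);

	return 0;
}
```

The output bound is the part worth keeping even when the descriptor table is known to be small: the table size protects the read side, while the `num >= out_cap` check protects the write side.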


2022-04-02 10:23:09

by bluez.test.bot

Subject: RE: Fix bugs found by SVACE static analysis tool

This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=628188

---Test result---

Test Summary:
CheckPatch                        PASS   8.20 seconds
GitLint                           PASS   5.62 seconds
Prep - Setup ELL                  PASS   39.64 seconds
Build - Prep                      PASS   0.69 seconds
Build - Configure                 PASS   7.87 seconds
Build - Make                      PASS   1330.57 seconds
Make Check                        PASS   11.64 seconds
Make Check w/Valgrind             PASS   404.30 seconds
Make Distcheck                    PASS   209.94 seconds
Build w/ext ELL - Configure       PASS   7.88 seconds
Build w/ext ELL - Make            PASS   1278.53 seconds
Incremental Build with patches    PASS   8064.66 seconds

---
Regards,
Linux Bluetooth