In tools/btmgmt.c and tools/hex2hcd.c few sscanf does not limit width
of fields. This could lead to static overflow and stack corruption.
Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool.
---
tools/btmgmt.c | 2 +-
tools/hex2hcd.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/btmgmt.c b/tools/btmgmt.c
index 42ef9acef..8f63f12ba 100644
--- a/tools/btmgmt.c
+++ b/tools/btmgmt.c
@@ -5164,7 +5164,7 @@ static bool str2pattern(struct mgmt_adv_pattern *pattern, const char *str)
char pattern_str[62] = { 0 };
char tmp;
- if (sscanf(str, "%2hhx%n:%2hhx%n:%s", &pattern->ad_type, &type_len,
+ if (sscanf(str, "%2hhx%n:%2hhx%n:%61s", &pattern->ad_type, &type_len,
&pattern->offset, &offset_end_pos, pattern_str) != 3)
return false;
diff --git a/tools/hex2hcd.c b/tools/hex2hcd.c
index 674d62744..e6dca5a81 100644
--- a/tools/hex2hcd.c
+++ b/tools/hex2hcd.c
@@ -248,7 +248,7 @@ static void ver_parse_file(const char *pathname)
memset(ver, 0, sizeof(*ver));
- if (sscanf(pathname, "%[A-Z0-9]_%3c.%3c.%3c.%4c.%4c.hex",
+ if (sscanf(pathname, "%19[A-Z0-9]_%3c.%3c.%3c.%4c.%4c.hex",
ver->name, ver->major, ver->minor,
ver->build, dummy1, dummy2) != 6) {
printf("\t/* failed to parse %s */\n", pathname);
--
2.35.1