2022-05-31 23:04:17

by Gopal Tiwari

Subject: [Bluez 00/13] Fixing memory leak, leaked_handle and use_after

From: Gopal Tiwari <[email protected]>

The following fixes are for issues reported by the Coverity tool.

Gopal Tiwari (13):
Fixing memory leak issue in gatt.c
Fixing memory leakage in appkey.c
Fixing memory leak in jlink.c
Fixing memory leak in sixaxis.c
Fixing leaked_handle in cltest.c
Fixing leaked_handle in create-image.c
Fixing leaked_handle in l2cap-tester.c
Fixing resource leak in mesh/mesh-db.c
Fixing leaked_handle in obex-client-tool.c
Fixing use after free in src/device.c
Fixing memory leak in pbap.c
Fixing possible use_after_free in meshctl.c
Fixing use_after_free in prov-db.c

client/gatt.c | 11 ++++++++---
mesh/appkey.c | 8 ++++++--
monitor/jlink.c | 5 ++++-
obexd/client/pbap.c | 5 +++--
plugins/sixaxis.c | 9 +++++++--
src/device.c | 1 +
tools/cltest.c | 1 +
tools/create-image.c | 7 +++----
tools/l2cap-tester.c | 1 +
tools/mesh-gatt/prov-db.c | 3 ++-
tools/mesh/mesh-db.c | 2 ++
tools/meshctl.c | 1 -
tools/obex-client-tool.c | 1 +
13 files changed, 39 insertions(+), 16 deletions(-)

--
2.26.2



2022-06-01 03:23:44

by Gopal Tiwari

Subject: [Bluez V2 12/13] Fixing possible use_after_free in meshctl.c

From: Gopal Tiwari <[email protected]>

Reported by the Coverity tool as follows:

bluez-5.64/tools/meshctl.c:1968: freed_arg: "g_free" frees "mesh_dir".

bluez-5.64/tools/meshctl.c:2018: double_free: Calling "g_free" frees
pointer "mesh_dir" which has already been freed.

Signed-off-by: Gopal Tiwari <[email protected]>
---
tools/meshctl.c | 1 -
1 file changed, 1 deletion(-)

diff --git a/tools/meshctl.c b/tools/meshctl.c
index 18e20c40d..38ffd35f3 100644
--- a/tools/meshctl.c
+++ b/tools/meshctl.c
@@ -2015,7 +2015,6 @@ int main(int argc, char *argv[])

fail:
bt_shell_cleanup();
- g_free(mesh_dir);

return EXIT_FAILURE;
}
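Review bot: dropping `g_free(mesh_dir)` at the `fail:` label resolves the double free only for paths that reach `fail` after the earlier `g_free` at meshctl.c:1968; any `goto fail` taken before that point would now leak `mesh_dir`. If such paths exist, the more robust fix is to keep this line and set `mesh_dir = NULL` right after the free at 1968 (g_free on NULL is a no-op); otherwise the commit message should state that every jump to `fail` occurs after 1968.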
--
2.26.2


2022-06-01 13:11:14

by Gopal Tiwari

Subject: [Bluez V2 04/13] Fixing memory leak in sixaxis.c

From: Gopal Tiwari <[email protected]>

While performing static analysis using the Coverity tool, I found
the following reports for a resource leak:

bluez-5.64/plugins/sixaxis.c:425: alloc_arg:
"get_pairing_type_for_device" allocates memory that is
stored into "sysfs_path".

bluez-5.64/plugins/sixaxis.c:428: leaked_storage: Variable "sysfs_path"
going out of scope leaks the storage it points to.

Fixing them.

Signed-off-by: Gopal Tiwari <[email protected]>
---
plugins/sixaxis.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/plugins/sixaxis.c b/plugins/sixaxis.c
index ddecbcccb..10cf15948 100644
--- a/plugins/sixaxis.c
+++ b/plugins/sixaxis.c
@@ -424,10 +424,15 @@ static void device_added(struct udev_device *udevice)

cp = get_pairing_type_for_device(udevice, &bus, &sysfs_path);
if (!cp || (cp->type != CABLE_PAIRING_SIXAXIS &&
- cp->type != CABLE_PAIRING_DS4))
+ cp->type != CABLE_PAIRING_DS4)) {
+ g_free(sysfs_path);
return;
- if (bus != BUS_USB)
+ }
+
+ if (bus != BUS_USB) {
+ g_free(sysfs_path);
return;
+ }

info("sixaxis: compatible device connected: %s (%04X:%04X %s)",
cp->name, cp->vid, cp->pid, sysfs_path);
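Review bot: the two new early-return cleanups rely on `sysfs_path` being NULL (or validly set) when `get_pairing_type_for_device()` returns NULL for `cp`; that holds only if the variable is initialised to NULL before the call, which this hunk does not show, so please confirm it. The repeated `g_free(sysfs_path); return;` could also be folded into a single `goto` to an out label so future early returns in `device_added()` do not reintroduce the leak, and the normal path after the `info()` call should be checked to free `sysfs_path` as well.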
--
2.26.2


2022-06-01 14:11:25

by Gopal Tiwari

Subject: [Bluez V2 09/13] Fixing leaked_handle in obex-client-tool.c

From: Gopal Tiwari <[email protected]>

While performing static analysis using the Coverity tool, I found the
following reports for a resource leak:

bluez-5.64/tools/obex-client-tool.c:315: leaked_handle: Handle variable
"sk" going out of scope leaks the handle.

Signed-off-by: Gopal Tiwari <[email protected]>
---
tools/obex-client-tool.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/tools/obex-client-tool.c b/tools/obex-client-tool.c
index ab9332896..cb0e41247 100644
--- a/tools/obex-client-tool.c
+++ b/tools/obex-client-tool.c
@@ -312,6 +312,7 @@ static GIOChannel *unix_connect(GObexTransportType transport)
if (connect(sk, (struct sockaddr *) &addr, sizeof(addr)) < 0) {
err = errno;
g_printerr("connect: %s (%d)\n", strerror(err), err);
+ close(sk);
return NULL;
}

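Review bot: the `close(sk)` is correctly placed after `err` is saved, since close() can itself modify errno and the printed message stays accurate. The hunk only covers the connect() failure; any other early return in `unix_connect()` between socket creation and the successful return needs the same `close(sk)`, or the leaked_handle report will simply move to the next line. Also confirm `<unistd.h>` is already included in this file for close().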
--
2.26.2


2022-06-01 19:36:15

by Gopal Tiwari

Subject: [Bluez V2 03/13] Fixing memory leak in jlink.c

From: Gopal Tiwari <[email protected]>

While performing static analysis using the Coverity tool, I found
the following reports for a resource leak:

bluez-5.64/monitor/jlink.c:111: leaked_storage: Variable "so"
going out of scope leaks the storage it points to.

bluez-5.64/monitor/jlink.c:113: leaked_storage: Variable "so"
going out of scope leaks the storage it points to.

Fixing them.

Signed-off-by: Gopal Tiwari <[email protected]>
---
monitor/jlink.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/monitor/jlink.c b/monitor/jlink.c
index 9aaa4ebd8..f1d8ce660 100644
--- a/monitor/jlink.c
+++ b/monitor/jlink.c
@@ -107,9 +107,12 @@ int jlink_init(void)
!jlink.tif_select || !jlink.setspeed ||
!jlink.connect || !jlink.getsn ||
!jlink.emu_getproductname ||
- !jlink.rtterminal_control || !jlink.rtterminal_read)
+ !jlink.rtterminal_control || !jlink.rtterminal_read) {
+ dlclose(so);
return -EIO;
+ }

+ dlclose(so);
return 0;
}

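Review bot: the second `dlclose(so)` on the success path (just before `return 0`) is a bug, not a leak fix: the `jlink.*` members checked above are function pointers resolved from that library, and once the last reference to it is dropped they point into unmapped memory, so later calls through them become a use-after-unload crash (unless the library happens to be loaded with RTLD_NODELETE). Keep the `dlclose` in the error branch, but on success retain the handle (for example in a static variable released by a matching teardown) and treat the Coverity leaked_storage report at line 113 as intentional.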
--
2.26.2


2022-06-01 20:34:38

by Gopal Tiwari

Subject: [Bluez V2 01/13] Fixing memory leak issue in gatt.c

From: Gopal Tiwari <[email protected]>

While performing static analysis using the Coverity tool, I found
the following reports:

Error: RESOURCE_LEAK (CWE-772):
bluez-5.64/client/gatt.c:1531: leaked_storage: Variable "service"
going out of scope leaks the storage it points to.

Error: RESOURCE_LEAK (CWE-772):
bluez-5.64/client/gatt.c:2626: leaked_storage: Variable "chrc"
going out of scope leaks the storage it points to.

Error: RESOURCE_LEAK (CWE-772):
bluez-5.64/client/gatt.c:2906: leaked_storage: Variable "desc"
going out of scope leaks the storage it points to.

Fixing them.

Signed-off-by: Gopal Tiwari <[email protected]>
---
client/gatt.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/client/gatt.c b/client/gatt.c
index 13872c794..4c1efaf75 100644
--- a/client/gatt.c
+++ b/client/gatt.c
@@ -1527,8 +1527,10 @@ void gatt_register_service(DBusConnection *conn, GDBusProxy *proxy,

if (argc > 2) {
service->handle = parse_handle(argv[2]);
- if (!service->handle)
+ if (!service->handle) {
+ service_free(service);
return bt_shell_noninteractive_quit(EXIT_FAILURE);
+ }
}

if (g_dbus_register_interface(conn, service->path,
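Review bot: the `service_free(service)` before the early return is right, but the `g_dbus_register_interface()` call immediately below is another failure path in the same function; if it fails and the code returns without freeing `service`, Coverity will report the identical leak a few lines later. Please apply the same cleanup there (and in the matching spots for `chrc` and `desc` in the next two hunks), or note in the commit message why those paths already release the object.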
@@ -2622,8 +2624,10 @@ void gatt_register_chrc(DBusConnection *conn, GDBusProxy *proxy,

if (argc > 3) {
chrc->handle = parse_handle(argv[3]);
- if (!chrc->handle)
+ if (!chrc->handle) {
+ chrc_free(chrc);
return bt_shell_noninteractive_quit(EXIT_FAILURE);
+ }
}

if (g_dbus_register_interface(conn, chrc->path, CHRC_INTERFACE,
@@ -2902,8 +2906,10 @@ void gatt_register_desc(DBusConnection *conn, GDBusProxy *proxy,

if (argc > 3) {
desc->handle = parse_handle(argv[3]);
- if (!desc->handle)
+ if (!desc->handle) {
+ desc_free(desc);
return bt_shell_noninteractive_quit(EXIT_FAILURE);
+ }
}

if (g_dbus_register_interface(conn, desc->path, DESC_INTERFACE,
--
2.26.2