Smatch Warning:
net/bluetooth/mgmt_util.c:375 mgmt_mesh_add() error: __memcpy()
'mesh_tx->param' too small (48 vs 50)
Analysis:
'mesh_tx->param' is array of size 48. This is the destination.
u8 param[sizeof(struct mgmt_cp_mesh_send) + 29]; // 19 + 29 = 48.
But in the caller 'mesh_send' we reject only when len > 50.
len > (MGMT_MESH_SEND_SIZE + 31) // 19 + 31 = 50.
Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh")
Signed-off-by: Harshit Mogalapalli <[email protected]>
---
This is based on static analysis, I am unsure if we should put
an upper bound to len(48) instead.
This limit on length changed between v4 and v5 patches of Commit:
("Bluetooth: Implement support for Mesh") in function mesh_send()
v4: https://lore.kernel.org/all/[email protected]/
v5: https://lore.kernel.org/all/[email protected]/
---
net/bluetooth/mgmt_util.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bluetooth/mgmt_util.h b/net/bluetooth/mgmt_util.h
index 6a8b7e84293d..bdf978605d5a 100644
--- a/net/bluetooth/mgmt_util.h
+++ b/net/bluetooth/mgmt_util.h
@@ -27,7 +27,7 @@ struct mgmt_mesh_tx {
struct sock *sk;
u8 handle;
u8 instance;
- u8 param[sizeof(struct mgmt_cp_mesh_send) + 29];
+ u8 param[sizeof(struct mgmt_cp_mesh_send) + 31];
};
struct mgmt_pending_cmd {
--
2.38.1
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=703836
---Test result---
Test Summary:
CheckPatch PASS 0.56 seconds
GitLint PASS 0.27 seconds
SubjectPrefix PASS 0.09 seconds
BuildKernel PASS 31.00 seconds
CheckAllWarning PASS 34.14 seconds
CheckSparse PASS 39.21 seconds
BuildKernel32 PASS 29.85 seconds
TestRunnerSetup PASS 424.74 seconds
TestRunner_l2cap-tester PASS 15.64 seconds
TestRunner_iso-tester PASS 16.09 seconds
TestRunner_bnep-tester PASS 5.29 seconds
TestRunner_mgmt-tester PASS 103.67 seconds
TestRunner_rfcomm-tester PASS 9.11 seconds
TestRunner_sco-tester PASS 8.58 seconds
TestRunner_ioctl-tester PASS 9.71 seconds
TestRunner_mesh-tester PASS 6.62 seconds
TestRunner_smp-tester PASS 8.43 seconds
TestRunner_userchan-tester PASS 5.54 seconds
IncrementalBuild PASS 28.30 seconds
---
Regards,
Linux Bluetooth
Signed-off: [email protected]
On Mon, 2022-12-12 at 05:08 -0800, Harshit Mogalapalli wrote:
> Smatch Warning:
> net/bluetooth/mgmt_util.c:375 mgmt_mesh_add() error: __memcpy()
> 'mesh_tx->param' too small (48 vs 50)
>
> Analysis:
>
> 'mesh_tx->param' is array of size 48. This is the destination.
> u8 param[sizeof(struct mgmt_cp_mesh_send) + 29]; // 19 + 29 = 48.
>
> But in the caller 'mesh_send' we reject only when len > 50.
> len > (MGMT_MESH_SEND_SIZE + 31) // 19 + 31 = 50.
>
> Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh")
> Signed-off-by: Harshit Mogalapalli <[email protected]>
> ---
> This is based on static analysis, I am unsure if we should put
> an upper bound to len(48) instead.
>
> This limit on length changed between v4 and v5 patches of Commit:
> ("Bluetooth: Implement support for Mesh") in function mesh_send()
>
> v4:
> https://lore.kernel.org/all/[email protected]/
> v5:
> https://lore.kernel.org/all/[email protected]/
> ---
> net/bluetooth/mgmt_util.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/bluetooth/mgmt_util.h b/net/bluetooth/mgmt_util.h
> index 6a8b7e84293d..bdf978605d5a 100644
> --- a/net/bluetooth/mgmt_util.h
> +++ b/net/bluetooth/mgmt_util.h
> @@ -27,7 +27,7 @@ struct mgmt_mesh_tx {
> struct sock *sk;
> u8 handle;
> u8 instance;
> - u8 param[sizeof(struct mgmt_cp_mesh_send) + 29];
> + u8 param[sizeof(struct mgmt_cp_mesh_send) + 31];
> };
>
> struct mgmt_pending_cmd {
Hello:
This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <[email protected]>:
On Mon, 12 Dec 2022 05:08:28 -0800 you wrote:
> Smatch Warning:
> net/bluetooth/mgmt_util.c:375 mgmt_mesh_add() error: __memcpy()
> 'mesh_tx->param' too small (48 vs 50)
>
> Analysis:
>
> 'mesh_tx->param' is array of size 48. This is the destination.
> u8 param[sizeof(struct mgmt_cp_mesh_send) + 29]; // 19 + 29 = 48.
>
> [...]
Here is the summary with links:
- Bluetooth: Fix a buffer overflow in mgmt_mesh_add()
https://git.kernel.org/bluetooth/bluetooth-next/c/becee9f3220c
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html