Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp1018993pxb; Fri, 1 Apr 2022 02:16:53 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxDwPn6zE1hmVhz/ujbsTuEv1wp7I9+L1Aw8MIsCXe1HII2SpqlDtUg8TB87lA5e8QkR01+ X-Received: by 2002:a17:90a:470a:b0:1c9:a9b4:f88c with SMTP id h10-20020a17090a470a00b001c9a9b4f88cmr10753234pjg.185.1648804613252; Fri, 01 Apr 2022 02:16:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1648804613; cv=none; d=google.com; s=arc-20160816; b=tmrC0iDDNw6eZq9P6JIR3CDnZk6em9hZxzzX0U6x7Vtze+NgVpzGZ3jnjYHyo4uLsl 0RGL5phLxXpUi3EbONCrebJRBNTr6xbs098RAxHLPcDKyYQUXIJtO5r9R5Ive+6Fs3xh 06iRtJTJj/tVA4HdSNGvkyNFAydAILHO8bGDkLIu+grMjcNSxH/1HArU/D0mQszXy3Bc NlaYJEN+dNDgRR91TAL/AN0vHxZgBSQOdPkZ5D8TTwGbEzCxjJZOL6moemzxYx/5IyUW t2kr0vBzzvAP6Mwp4XzEdt59p7m0jxkYAO8AaTGPSeBG1cnAggE23vc79YPr83fNlon0 cNyA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-filter; bh=jb72BEavQsjLNKETZbuoVy5yZ1soiAI67r8U022Mtyg=; b=q3AqnIEkcyAweAR7Z3aigbFdr/tNmd/ydO4CPMGfApOG5tJEy9vNL70q3x30Rlld16 f0Pf/9g58wvIKn4YyGvV0Qbt3VRJWx+/PQupKHRx04CAtkxtWWrAIZa9VYHby8uZHFUY UqOpqE8X20MOlI6R0tcMGGrNc00+pqRRUqJvYuKFD9Tl7mHlfTSO9FjtEohAgp0wCTYj gcnjOdIW0ekZLFZenyiUs0gSlmLpwHiGnZTB8LjyExmNHsSQcm7WfdcF6K5u1mEaE1vA +XhRPnRslgMCiRNi57Tho/WJ8/iYY/xBLMYWPtRXb0ZN9ILYnSgnzuUxwCHYYE82fC2i bQcA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id bc9-20020a656d89000000b003828506c183si1958833pgb.579.2022.04.01.02.16.22; Fri, 01 Apr 2022 02:16:53 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344012AbiDAHyk (ORCPT + 99 others); Fri, 1 Apr 2022 03:54:40 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40482 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S244056AbiDAHyj (ORCPT ); Fri, 1 Apr 2022 03:54:39 -0400 Received: from mxout02.lancloud.ru (mxout02.lancloud.ru [45.84.86.82]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AF45126240F for ; Fri, 1 Apr 2022 00:52:50 -0700 (PDT) Received: from LanCloud DKIM-Filter: OpenDKIM Filter v2.11.0 mxout02.lancloud.ru 97C1F22C6A20 Received: from LanCloud Received: from LanCloud Received: from LanCloud From: Ildar Kamaletdinov To: CC: Ildar Kamaletdinov Subject: [PATCH BlueZ 4/7] tools: Prevent infinity loops in bluemoon.c Date: Fri, 1 Apr 2022 10:46:37 +0300 Message-ID: <20220401074640.3956695-5-i.kamaletdinov@omp.ru> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220401074640.3956695-1-i.kamaletdinov@omp.ru> References: <20220401074640.3956695-1-i.kamaletdinov@omp.ru> MIME-Version: 1.0 Content-Transfer-Encoding: 7BIT Content-Type: text/plain; charset=US-ASCII X-Originating-IP: [192.168.11.198] X-ClientProxiedBy: LFEXT02.lancloud.ru (fd00:f066::142) To LFEX1910.lancloud.ru (fd00:f066::80) X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_NONE, SPF_PASS,T_SCC_BODY_TEXT_LINE,UNPARSEABLE_RELAY autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org In case FW size is too big we can face with infinity while() loops. According to C99 standart SIZE_MAX could be as small as 65535. So to prevent overflow of 'firmware_offset' we must limit maximum FW size that could be processed by bluemoon. Found by Linux Verification Center (linuxtesting.org) with the SVACE static analysis tool. --- tools/bluemoon.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/tools/bluemoon.c b/tools/bluemoon.c index f50107a2a..729da36f6 100644 --- a/tools/bluemoon.c +++ b/tools/bluemoon.c @@ -492,6 +492,13 @@ static void request_firmware(const char *path) return; } + if (st.st_size > (SIZE_MAX - 4)) { + fprintf(stderr, "Firmware size is too big\n"); + close(fd); + shutdown_device(); + return; + } + firmware_data = malloc(st.st_size); if (!firmware_data) { fprintf(stderr, "Failed to allocate firmware buffer\n"); @@ -874,6 +881,12 @@ static void analyze_firmware(const char *path) return; } + if (st.st_size > (SIZE_MAX - 3)) { + fprintf(stderr, "Firmware size is too big\n"); + close(fd); + return; + } + firmware_data = malloc(st.st_size); if (!firmware_data) { fprintf(stderr, "Failed to allocate firmware buffer\n"); -- 2.34.0