Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp1234425pxb;
        Fri, 1 Apr 2022 08:04:42 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyEpNcuU2G1CjYmr5dWMbT1jGJmFPFlNAtlJWE1HTk2KbE5KEi98oF9cjKlUoJXYtnbF0n/
X-Received: by 2002:aa7:de10:0:b0:418:d60d:aab8 with SMTP id h16-20020aa7de10000000b00418d60daab8mr21441260edv.322.1648825482701;
        Fri, 01 Apr 2022 08:04:42 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1648825482; cv=none;
        d=google.com; s=arc-20160816;
        b=lPSwQbf9By0pqdKE+/et3/72rmiSWOqO/7CctP7vPVcKKMueLffrvrRvUZcDX8d0hJ
         8TqUwdL6yzbnkwgq3yKJNFEEEeY2Uoxv/Qc7GtuCEThPkbSp0nrVJSxRbmCWJ1Sygtr2
         0GGOdJTa1oZCBb9xXDZbum569JhKVUryqGEfBkfis2ZZgiJVUsVzLbp64SR4wC+NNJ1s
         Hxz2EIbgnQVdq04c6ib3S0nfpmDQRcyEyZfk2uaXBIF+sTVCSZuNoL96VYAt5PxpcytE
         EruW0asaEJksQgoMxbA12q9bL7FYFE4jdy84GtES5+HNDjLyLQTUUf59MITYR+zqabph
         vgog==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from
         :dkim-filter;
        bh=+ZLcD7CDXfdKC21zapFT/m5jAy9TtDDan8DgmfvbKeM=;
        b=D9u6LZZX7u6unCJx4B9bhioLXdaVTgRFd6T7N0Kjfu9NT583guQlg5OBKAd+nQEbVO
         3uojCsHuXMa8gf8BdFdGxPiZEocldhvtQjFmkaoqaB4jtEFJ7zeUEnVjDJul8cQGmQN9
         Raa7kv7UrU4ekS6Ct79nFp3a6qjcc7Aa5oPWpqHYA+Ed1Z2pBGOtMuTCjbtO9iOZrof3
         893xIgJ13N4MVN91gLkPyS0woqxJZlbr+go5YkhQLpKscT08d8SFAVqS9u7Gjz/JTsTC
         zD84tU55Bo8t4jCC3dB8Z+8RV3WqeSgdwk9xVtkxzuPUsMsFtIoRTm7QrAACy3+8lstq
         Bb5g==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org
Return-Path: <linux-bluetooth-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id q8-20020a056402518800b00419075664c3si1809404edd.273.2022.04.01.08.04.16;
        Fri, 01 Apr 2022 08:04:42 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1343535AbiDAKaB (ORCPT <rfc822;bopamo@gmail.com> + 99 others);
        Fri, 1 Apr 2022 06:30:01 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38826 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1343529AbiDAK34 (ORCPT
        <rfc822;linux-bluetooth@vger.kernel.org>);
        Fri, 1 Apr 2022 06:29:56 -0400
Received: from mxout04.lancloud.ru (mxout04.lancloud.ru [45.84.86.114])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C0AE326E570
        for <linux-bluetooth@vger.kernel.org>; Fri,  1 Apr 2022 03:28:05 -0700 (PDT)
Received: from LanCloud
DKIM-Filter: OpenDKIM Filter v2.11.0 mxout04.lancloud.ru BCBAB20CAB68
Received: from LanCloud
Received: from LanCloud
Received: from LanCloud
From:   Ildar Kamaletdinov <i.kamaletdinov@omp.ru>
To:     <linux-bluetooth@vger.kernel.org>
CC:     Ildar Kamaletdinov <i.kamaletdinov@omp.ru>
Subject: [PATCH BlueZ 4/7] tools: Prevent infinity loops in bluemoon.c
Date:   Fri, 1 Apr 2022 13:27:54 +0300
Message-ID: <20220401102757.3960551-5-i.kamaletdinov@omp.ru>
X-Mailer: git-send-email 2.35.1
In-Reply-To: <20220401102757.3960551-1-i.kamaletdinov@omp.ru>
References: <20220401102757.3960551-1-i.kamaletdinov@omp.ru>
MIME-Version: 1.0
Content-Transfer-Encoding: 7BIT
Content-Type:   text/plain; charset=US-ASCII
X-Originating-IP: [192.168.11.198]
X-ClientProxiedBy: LFEXT01.lancloud.ru (fd00:f066::141) To
 LFEX1910.lancloud.ru (fd00:f066::80)
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_NONE,
        SPF_PASS,T_SCC_BODY_TEXT_LINE,UNPARSEABLE_RELAY autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-bluetooth.vger.kernel.org>
X-Mailing-List: linux-bluetooth@vger.kernel.org

In case FW size is too big we can face with infinity while() loops.
According to C99 standard SIZE_MAX could be as small as 65535.

So to prevent overflow of 'firmware_offset' we must limit maximum FW
size that could be processed by bluemoon.

Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool.
---
 tools/bluemoon.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/tools/bluemoon.c b/tools/bluemoon.c
index f50107a2a..729da36f6 100644
--- a/tools/bluemoon.c
+++ b/tools/bluemoon.c
@@ -492,6 +492,13 @@ static void request_firmware(const char *path)
 		return;
 	}
 
+	if (st.st_size > (SIZE_MAX - 4)) {
+		fprintf(stderr, "Firmware size is too big\n");
+		close(fd);
+		shutdown_device();
+		return;
+	}
+
 	firmware_data = malloc(st.st_size);
 	if (!firmware_data) {
 		fprintf(stderr, "Failed to allocate firmware buffer\n");
@@ -874,6 +881,12 @@ static void analyze_firmware(const char *path)
 		return;
 	}
 
+	if (st.st_size > (SIZE_MAX - 3)) {
+		fprintf(stderr, "Firmware size is too big\n");
+		close(fd);
+		return;
+	}
+
 	firmware_data = malloc(st.st_size);
 	if (!firmware_data) {
 		fprintf(stderr, "Failed to allocate firmware buffer\n");
-- 
2.35.1