Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp1783816pxb;
        Sat, 2 Apr 2022 03:28:18 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwWVctkRx88MNiYMFAM9Bym4rmD2zmI8e3FEuCBjBf8X57tM3ox4q4S1oYTWz7W979eTcYt
X-Received: by 2002:a17:90a:3e4e:b0:1c6:586a:4d6a with SMTP id t14-20020a17090a3e4e00b001c6586a4d6amr16395150pjm.214.1648895298609;
        Sat, 02 Apr 2022 03:28:18 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1648895298; cv=none;
        d=google.com; s=arc-20160816;
        b=bCm5ZSShhiKdls4O1B4G9TJtNaS9gOTxdV/0BEj4cydiBAmClGILaivFskjzai+r7b
         a6ctCLVlZZRg4hzrB8GlsE2ALOkM3buP0fqLSIeHxc2lQp2GKbCV5MaZYfr4whAW3gr4
         v8mWQmkCqKz8W3V3eTgjqmTAgchIgJKoX1Jyg5iiEyv1pBBk3vtYtni49ckwIbCFJKjS
         Quo9kP9wG3OlfFQYXntuOEioFPfhTysp5ho+zOSNHd1p2GgVfHwaN4uuxtxqNPZEnRMA
         pT5CwP1/YGmwr9ErmG9WAHzfJaStHfbCv1TKJhwCYCwFSymxTUpEsPE+E+xBkWvMK71J
         zKLA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from
         :dkim-filter;
        bh=+ZLcD7CDXfdKC21zapFT/m5jAy9TtDDan8DgmfvbKeM=;
        b=us40qae1U0MIroZb8+9IDRflt881EkYYdpaeWCmXDTYy3wnRWpMGwjgkzMGNQzajRn
         gWAplUDyWXb+OfqKuNpZeni7egZFXYlRXkN+vu6tAVKEwOzAKt7fB4tqRRU1Ad98symG
         agibxgbUJ4f9xuRo5grrkIfmFBG4yVSciT9gFYOoOobJO8hTIE/o8iyFWPYSdrvSMIn+
         0dwgCyiS2OWYUK7q6roFCwbZ7cF2LWkpVUPVhJRCHBzkz9x35EwcRH6auq8SLkvI4Zfu
         seTHrJafATBOHbp5rNkBHfSzcM+Cm/u0luUiRwhLWODR2SrPSJgrKn01xr1dY6bRqAPi
         TuPg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org
Return-Path: <linux-bluetooth-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id w15-20020a170902a70f00b0015445f2c18esi4088675plq.444.2022.04.02.03.28.04;
        Sat, 02 Apr 2022 03:28:18 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1345373AbiDALQO (ORCPT <rfc822;bopamo@gmail.com> + 99 others);
        Fri, 1 Apr 2022 07:16:14 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52636 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1345374AbiDALQL (ORCPT
        <rfc822;linux-bluetooth@vger.kernel.org>);
        Fri, 1 Apr 2022 07:16:11 -0400
Received: from mxout04.lancloud.ru (mxout04.lancloud.ru [45.84.86.114])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B704812E16C
        for <linux-bluetooth@vger.kernel.org>; Fri,  1 Apr 2022 04:14:16 -0700 (PDT)
Received: from LanCloud
DKIM-Filter: OpenDKIM Filter v2.11.0 mxout04.lancloud.ru 2237A20CBB89
Received: from LanCloud
Received: from LanCloud
Received: from LanCloud
From:   Ildar Kamaletdinov <i.kamaletdinov@omp.ru>
To:     <linux-bluetooth@vger.kernel.org>
CC:     Ildar Kamaletdinov <i.kamaletdinov@omp.ru>
Subject: [PATCH BlueZ 4/7] tools: Prevent infinity loops in bluemoon.c
Date:   Fri, 1 Apr 2022 14:14:05 +0300
Message-ID: <20220401111408.3961844-5-i.kamaletdinov@omp.ru>
X-Mailer: git-send-email 2.35.1
In-Reply-To: <20220401111408.3961844-1-i.kamaletdinov@omp.ru>
References: <20220401111408.3961844-1-i.kamaletdinov@omp.ru>
MIME-Version: 1.0
Content-Transfer-Encoding: 7BIT
Content-Type:   text/plain; charset=US-ASCII
X-Originating-IP: [192.168.11.198]
X-ClientProxiedBy: LFEXT01.lancloud.ru (fd00:f066::141) To
 LFEX1910.lancloud.ru (fd00:f066::80)
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_NONE,
        SPF_PASS,T_SCC_BODY_TEXT_LINE,UNPARSEABLE_RELAY autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-bluetooth.vger.kernel.org>
X-Mailing-List: linux-bluetooth@vger.kernel.org

In case FW size is too big we can face with infinity while() loops.
According to C99 standard SIZE_MAX could be as small as 65535.

So to prevent overflow of 'firmware_offset' we must limit maximum FW
size that could be processed by bluemoon.

Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool.
---
 tools/bluemoon.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/tools/bluemoon.c b/tools/bluemoon.c
index f50107a2a..729da36f6 100644
--- a/tools/bluemoon.c
+++ b/tools/bluemoon.c
@@ -492,6 +492,13 @@ static void request_firmware(const char *path)
 		return;
 	}
 
+	if (st.st_size > (SIZE_MAX - 4)) {
+		fprintf(stderr, "Firmware size is too big\n");
+		close(fd);
+		shutdown_device();
+		return;
+	}
+
 	firmware_data = malloc(st.st_size);
 	if (!firmware_data) {
 		fprintf(stderr, "Failed to allocate firmware buffer\n");
@@ -874,6 +881,12 @@ static void analyze_firmware(const char *path)
 		return;
 	}
 
+	if (st.st_size > (SIZE_MAX - 3)) {
+		fprintf(stderr, "Firmware size is too big\n");
+		close(fd);
+		return;
+	}
+
 	firmware_data = malloc(st.st_size);
 	if (!firmware_data) {
 		fprintf(stderr, "Failed to allocate firmware buffer\n");
-- 
2.35.1