From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [BlueZ 15/15] android/handsfree: Check sprintf retval Date: Thu, 16 May 2024 11:03:19 +0200 Message-ID: <20240516090340.61417-16-hadess@hadess.net> X-Mailer: git-send-email 2.44.0 In-Reply-To: <20240516090340.61417-1-hadess@hadess.net> References: <20240516090340.61417-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-GND-Sasl: hadess@hadess.net Error: SNYK_CODE_WARNING (CWE-125): [#def62] [important] bluez-5.75/android/handsfree.c:1247:15: error[cpp/NegativeIndex]: The value from sprintf, a standard library function that can return a negative value is used as an index. A negative array index can lead to reading or writing outside the bounds of the array. Ensure the value of the index used is within bounds before use. 1245| buf = g_malloc(len); 1246| 1247|-> ptr = buf + sprintf(buf, "+CIND:"); 1248| 1249| for (i = 0; i < IND_COUNT; i++) { --- android/handsfree.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/android/handsfree.c b/android/handsfree.c index 2365356c2cf7..7b803fae5263 100644 --- a/android/handsfree.c +++ b/android/handsfree.c @@ -1243,15 +1243,22 @@ static void at_cmd_cind(struct hfp_context *result, enum hfp_gw_cmd_type type, } buf = g_malloc(len); - - ptr = buf + sprintf(buf, "+CIND:"); + if (sprintf(buf, "+CIND:") != strlen("+CIND:")) { + g_free(buf); + break; + } + ptr = buf + strlen("+CIND:"); for (i = 0; i < IND_COUNT; i++) { - ptr += sprintf(ptr, "(\"%s\",(%d%c%d)),", + int printed; + printed = sprintf(ptr, "(\"%s\",(%d%c%d)),", dev->inds[i].name, dev->inds[i].min, dev->inds[i].max == 1 ? ',' : '-', dev->inds[i].max); + if (printed < 0) + goto fail; + ptr += printed; } ptr--; 
@@ -1273,6 +1280,7 @@ static void at_cmd_cind(struct hfp_context *result, enum hfp_gw_cmd_type type, break; } +fail: hfp_gw_send_result(dev->gw, HFP_RESULT_ERROR); if (dev->state != HAL_EV_HANDSFREE_CONN_STATE_SLC_CONNECTED) -- 2.44.0
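Review bot: in the first hunk's for loop, the new `if (printed < 0) goto fail;` path leaves `buf` allocated, while the check added just above it calls `g_free(buf)` before its `break`; add `g_free(buf);` before the `goto fail` so both error paths release the buffer. Separately, `sprintf(buf, "+CIND:") != strlen("+CIND:")` compares an int with a size_t. It behaves correctly only because a negative return converts to a large unsigned value, and it can trip -Wsign-compare, so an explicit `< 0` test like the one used in the loop would be clearer. Since `buf` comes from `g_malloc(len)`, using snprintf with the remaining length for both calls would also bound the writes rather than only checking the sign of the result.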
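Review bot: the `fail:` label added in the second hunk sits directly in front of `hfp_gw_send_result(dev->gw, HFP_RESULT_ERROR);` and has no cleanup of its own, so every jump to it has to free whatever it allocated first, which the loop in the first hunk does not do for `buf`. Going by the context lines here, the `break` used by the first new check appears to reach this same statement, so the two new error paths leave by different means for the same destination; using `goto fail` in both, with the `g_free(buf)` done before each jump, would make the error exit uniform and easier to audit.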