From ad622447efc5429a5dc3f84c722a81cc41658e7e Mon Sep 17 00:00:00 2001 From: Bastien Nocera Date: Mon, 5 Aug 2024 12:17:29 +0200 Subject: [PATCH 1/8] monitor: Work-around overflow_sink Case #01164573 Coverity thinks "len" can be negative, even though we check its value, and exit the function if it is. --- monitor/control.c | 1 + 1 file changed, 1 insertion(+) diff --git a/monitor/control.c b/monitor/control.c index 62857b4b84de..40e8a3a90c05 100644 --- a/monitor/control.c +++ b/monitor/control.c @@ -1102,6 +1102,7 @@ static void client_callback(int fd, uint32_t events, void *user_data) UINT16_MAX - data->offset > len) return; + /* coverity[overflow] : FALSE */ data->offset += len; while (data->offset >= MGMT_HDR_SIZE) { -- 2.45.2 From c2a1630f0e484c4330c565c56e9a26f8f1ae2664 Mon Sep 17 00:00:00 2001 From: Bastien Nocera Date: Tue, 30 Jul 2024 15:45:18 +0200 Subject: [PATCH 2/8] mesh/net: Work-around memory overallocation warning Coverity doesn't realise that the "payload" struct was allocated past its structure size, so quiet that warning. Error: OVERRUN (CWE-119): [#def1] [important] bluez-5.77/mesh/net.c:3276:2: cond_at_most: Checking "msg_len > 384" implies that "msg_len" may be up to 384 on the false branch. bluez-5.77/mesh/net.c:3290:2: cond_at_most: Checking "msg_len <= 15" implies that "msg_len" may be up to 15 on the true branch. bluez-5.77/mesh/net.c:3316:2: overrun-buffer-arg: Overrunning array "payload->buf" of 4 bytes by passing it to a function which accesses it at byte offset 14 using argument "msg_len" (which evaluates to 15). [Note: The source code implementation of the function has been overridden by a builtin model.] 3314| /* Setup OTA Network send */ 3315| payload = mesh_sar_new(msg_len); 3316|-> memcpy(payload->buf, msg, msg_len); 3317| payload->len = msg_len; 3318| payload->src = src; --- mesh/net.c | 1 + 1 file changed, 1 insertion(+) diff --git a/mesh/net.c b/mesh/net.c index ef6a3133859a..ca2cda8ec948 100644 --- a/mesh/net.c +++ b/mesh/net.c @@ -3306,6 +3306,7 @@ bool mesh_net_app_send(struct mesh_net *net, bool frnd_cred, uint16_t src, /* Setup OTA Network send */ payload = mesh_sar_new(msg_len); + /* coverity[overrun-buffer-arg] : FALSE */ memcpy(payload->buf, msg, msg_len); payload->len = msg_len; payload->src = src; -- 2.45.2 From 6494fc8665f89b70b8e9d80b829eabc71a22278f Mon Sep 17 00:00:00 2001 From: Bastien Nocera Date: Wed, 17 Jul 2024 12:51:56 +0200 Subject: [PATCH 3/8] shared/shell: Work-around SAT-45980 with wordexp() Coverity sees a leak when one doesn't exist yet. Error: RESOURCE_LEAK (CWE-772): [#def23] [important] bluez-5.77/src/shared/shell.c:534:2: alloc_arg: "parse_args" allocates memory that is stored into "w.we_wordv". bluez-5.77/src/shared/shell.c:558:3: leaked_storage: Variable "w" going out of scope leaks the storage "w.we_wordv" points to. 556| "Unable to parse optional command arguments: %s", opt); 557| free(opt); 558|-> return -EINVAL; 559| } 560| --- src/shared/shell.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/shared/shell.c b/src/shared/shell.c index 26c6a419af22..9d2b50b260f9 100644 --- a/src/shared/shell.c +++ b/src/shared/shell.c @@ -555,6 +555,7 @@ optional: print_text(COLOR_HIGHLIGHT, "Unable to parse optional command arguments: %s", opt); free(opt); + /* coverity[leaked_storage : FALSE] */ return -EINVAL; } -- 2.45.2 From 99c12a3e56129361ed50934054876126b1e55881 Mon Sep 17 00:00:00 2001 From: Bastien Nocera Date: Wed, 17 Jul 2024 11:28:17 +0200 Subject: [PATCH 4/8] sdp: Work-around #01163325 with single-linked list Error: RESOURCE_LEAK (CWE-772): [#def2] [important] bluez-5.77/lib/sdp.c:1896:4: alloc_fn: Storage is returned from allocation function "sdp_list_append". bluez-5.77/lib/sdp.c:1896:4: var_assign: Assigning: "pds" = storage returned from "sdp_list_append(pds, curr->val.dataseq)". bluez-5.77/lib/sdp.c:1896:4: identity_transfer: Passing "pds" as argument 1 to function "sdp_list_append", which returns that argument. bluez-5.77/lib/sdp.c:1896:4: noescape: Resource "pds" is not freed or pointed-to in "sdp_list_append". bluez-5.77/lib/sdp.c:1896:4: overwrite_var: Overwriting "pds" in "pds = sdp_list_append(pds, curr->val.dataseq)". bluez-5.77/lib/sdp.c:1896:4: var_assign: Assigning: "pds" = storage returned from "sdp_list_append(pds, curr->val.dataseq)". bluez-5.77/lib/sdp.c:1896:4: noescape: Resource "pds" is not freed or pointed-to in "sdp_list_append". bluez-5.77/lib/sdp.c:1896:4: overwrite_var: Overwriting "pds" in "pds = sdp_list_append(pds, curr->val.dataseq)" leaks the storage that "pds" points to. 1894| goto failed; 1895| } 1896|-> pds = sdp_list_append(pds, curr->val.dataseq); 1897| } 1898| Error: RESOURCE_LEAK (CWE-772): [#def3] [important] bluez-5.77/lib/sdp.c:1899:3: alloc_fn: Storage is returned from allocation function "sdp_list_append". bluez-5.77/lib/sdp.c:1899:3: var_assign: Assigning: "ap" = storage returned from "sdp_list_append(ap, pds)". bluez-5.77/lib/sdp.c:1899:3: identity_transfer: Passing "ap" as argument 1 to function "sdp_list_append", which returns that argument. bluez-5.77/lib/sdp.c:1899:3: noescape: Resource "ap" is not freed or pointed-to in "sdp_list_append". bluez-5.77/lib/sdp.c:1899:3: overwrite_var: Overwriting "ap" in "ap = sdp_list_append(ap, pds)". bluez-5.77/lib/sdp.c:1899:3: var_assign: Assigning: "ap" = storage returned from "sdp_list_append(ap, pds)". bluez-5.77/lib/sdp.c:1899:3: noescape: Resource "ap" is not freed or pointed-to in "sdp_list_append". bluez-5.77/lib/sdp.c:1899:3: overwrite_var: Overwriting "ap" in "ap = sdp_list_append(ap, pds)" leaks the storage that "ap" points to. 1897| } 1898| 1899|-> ap = sdp_list_append(ap, pds); 1900| } 1901| Error: RESOURCE_LEAK (CWE-772): [#def17] [important] bluez-5.77/src/sdp-client.c:197:3: alloc_fn: Storage is returned from allocation function "sdp_list_append". bluez-5.77/src/sdp-client.c:197:3: var_assign: Assigning: "recs" = storage returned from "sdp_list_append(recs, rec)". bluez-5.77/src/sdp-client.c:197:3: identity_transfer: Passing "recs" as argument 1 to function "sdp_list_append", which returns that argument. bluez-5.77/src/sdp-client.c:197:3: noescape: Resource "recs" is not freed or pointed-to in "sdp_list_append". bluez-5.77/src/sdp-client.c:197:3: overwrite_var: Overwriting "recs" in "recs = sdp_list_append(recs, rec)". bluez-5.77/src/sdp-client.c:197:3: var_assign: Assigning: "recs" = storage returned from "sdp_list_append(recs, rec)". bluez-5.77/src/sdp-client.c:197:3: noescape: Resource "recs" is not freed or pointed-to in "sdp_list_append". bluez-5.77/src/sdp-client.c:197:3: overwrite_var: Overwriting "recs" in "recs = sdp_list_append(recs, rec)" leaks the storage that "recs" points to. 195| } 196| 197|-> recs = sdp_list_append(recs, rec); 198| } while (scanned < (ssize_t) size && bytesleft > 0); 199| --- lib/sdp.c | 2 ++ src/sdp-client.c | 1 + 2 files changed, 3 insertions(+) diff --git a/lib/sdp.c b/lib/sdp.c index 8a15ad803db1..99efbc19c299 100644 --- a/lib/sdp.c +++ b/lib/sdp.c @@ -1893,9 +1893,11 @@ static int sdp_get_proto_descs(uint16_t attr_id, const sdp_record_t *rec, sdp_list_free(pds, NULL); goto failed; } + /* coverity[overwrite_var] : FALSE */ pds = sdp_list_append(pds, curr->val.dataseq); } + /* coverity[overwrite_var] : FALSE */ ap = sdp_list_append(ap, pds); } diff --git a/src/sdp-client.c b/src/sdp-client.c index 71d3d9e95044..2f043cb7f010 100644 --- a/src/sdp-client.c +++ b/src/sdp-client.c @@ -194,6 +194,7 @@ static void search_completed_cb(uint8_t type, uint16_t status, continue; } + /* coverity[overwrite_var] : FALSE */ recs = sdp_list_append(recs, rec); } while (scanned < (ssize_t) size && bytesleft > 0); -- 2.45.2 From 6fcbf34a02133628a1a8afeabb093270ca89dbb8 Mon Sep 17 00:00:00 2001 From: Bastien Nocera Date: Thu, 18 Jul 2024 15:05:07 +0200 Subject: [PATCH 5/8] mesh: Quiet imprecise "overrun-buffer-val" #01163326 Error: OVERRUN (CWE-119): [#def1] [important] bluez-5.77/mesh/friend.c:326:2: overrun-buffer-val: Overrunning array "msg" of 5 bytes by passing it to a function which accesses it at byte offset 12. 324| l_put_be16(neg->lp_addr, msg + 1); 325| l_put_be16(neg->lp_cnt, msg + 3); 326|-> mesh_net_transport_send(neg->net, 0, 0, 327| mesh_net_get_iv_index(neg->net), DEFAULT_TTL, 328| 0, 0, neg->old_friend, Error: OVERRUN (CWE-119): [#def2] [important] bluez-5.77/mesh/net.c:276:2: overrun-buffer-val: Overrunning array "msg" of 4 bytes by passing it to a function which accesses it at byte offset 12. 274| n += 2; 275| 276|-> mesh_net_transport_send(net, 0, 0, mesh_net_get_iv_index(net), 277| pub->ttl, 0, 0, pub->dst, msg, n); 278| } Error: OVERRUN (CWE-119): [#def3] [important] bluez-5.77/mesh/net.c:1463:3: overrun-buffer-val: Overrunning array "msg" of 7 bytes by passing it to a function which accesses it at byte offset 12. 1461| mesh_net_next_seq_num(net), 0, dst, msg); 1462| } else { 1463|-> mesh_net_transport_send(net, 0, 0, 1464| mesh_net_get_iv_index(net), DEFAULT_TTL, 1465| 0, 0, dst, msg, sizeof(msg)); Error: OVERRUN (CWE-119): [#def4] [important] bluez-5.77/mesh/net.c:1498:2: overrun-buffer-val: Overrunning array "msg" of 7 bytes by passing it to a function which accesses it at byte offset 12. 1496| } 1497| 1498|-> mesh_net_transport_send(net, 0, sar->net_idx, 1499| mesh_net_get_iv_index(net), DEFAULT_TTL, 1500| 0, src, dst, msg, Error: OVERRUN (CWE-119): [#def6] [important] bluez-5.77/mesh/net.c:2053:3: overrun-buffer-val: Overrunning array "sar_in->buf" of 4 bytes by passing it to a function which accesses it at byte offset 11. 2051| send_net_ack(net, sar_in, expected); 2052| 2053|-> msg_rxed(net, frnd, iv_index, ttl, seq, net_idx, 2054| sar_in->remote, dst, key_aid, true, szmic, 2055| sar_in->seqZero, sar_in->buf, sar_in->len); --- mesh/friend.c | 1 + mesh/net.c | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/mesh/friend.c b/mesh/friend.c index 5b73da68916f..bb8f62e9f57f 100644 --- a/mesh/friend.c +++ b/mesh/friend.c @@ -323,6 +323,7 @@ static void clear_retry(struct l_timeout *timeout, void *user_data) l_put_be16(neg->lp_addr, msg + 1); l_put_be16(neg->lp_cnt, msg + 3); + /* coverity[overrun-buffer-val] : FALSE */ mesh_net_transport_send(neg->net, 0, 0, mesh_net_get_iv_index(neg->net), DEFAULT_TTL, 0, 0, neg->old_friend, diff --git a/mesh/net.c b/mesh/net.c index ca2cda8ec948..9d6c2ae5142f 100644 --- a/mesh/net.c +++ b/mesh/net.c @@ -273,6 +273,7 @@ static void send_hb_publication(void *data) l_put_be16(net->features, msg + n); n += 2; + /* coverity[overrun-buffer-val] : FALSE */ mesh_net_transport_send(net, 0, 0, mesh_net_get_iv_index(net), pub->ttl, 0, 0, pub->dst, msg, n); } @@ -1460,6 +1461,7 @@ static void send_frnd_ack(struct mesh_net *net, uint16_t src, uint16_t dst, friend_ack_rxed(net, mesh_net_get_iv_index(net), mesh_net_next_seq_num(net), 0, dst, msg); } else { + /* coverity[overrun-buffer-val] : FALSE */ mesh_net_transport_send(net, 0, 0, mesh_net_get_iv_index(net), DEFAULT_TTL, 0, 0, dst, msg, sizeof(msg)); @@ -1495,6 +1497,7 @@ static void send_net_ack(struct mesh_net *net, struct mesh_sar *sar, return; } + /* coverity[overrun-buffer-val] : FALSE */ mesh_net_transport_send(net, 0, sar->net_idx, mesh_net_get_iv_index(net), DEFAULT_TTL, 0, src, dst, msg, @@ -2050,6 +2053,7 @@ static bool seg_rxed(struct mesh_net *net, bool frnd, uint32_t iv_index, /* Got it all */ send_net_ack(net, sar_in, expected); + /* coverity[overrun-buffer-val] : FALSE */ msg_rxed(net, frnd, iv_index, ttl, seq, net_idx, sar_in->remote, dst, key_aid, true, szmic, sar_in->seqZero, sar_in->buf, sar_in->len); -- 2.45.2 From 91066706378840f28146e51702e3ed8c1780dcd9 Mon Sep 17 00:00:00 2001 From: Bastien Nocera Date: Thu, 18 Jul 2024 15:37:58 +0200 Subject: [PATCH 6/8] mesh: Quiet imprecise "overrun-buffer-val" #01163327 Those errors are incorrect, as just before the flagged function calls, the packet is modified to flag for a "segmented" packet, which is handled differently, so nothing is accessed past the array size. Error: OVERRUN (CWE-119): [#def5] [important] bluez-5.77/mesh/net.c:1769:3: cond_at_least: Checking "size > 15" implies that "size" is at least 16 on the true branch. bluez-5.77/mesh/net.c:1776:3: overrun-call: Overrunning callee's array of size 15 by passing argument "size" (which evaluates to 16) in call to "friend_packet_queue". 1774| } 1775| 1776|-> if (friend_packet_queue(net, iv_index, false, frnd_ttl, 1777| seq, src, dst, 1778| hdr, data, size)) Error: OVERRUN (CWE-119): [#def2] [important] bluez-5.77/mesh/net.c:2016:3: cond_at_least: Checking "segN" implies that "segN" is at least 1 on the true branch. bluez-5.77/mesh/net.c:2016:3: assignment: Assigning: "len" = "segN ? (segN + 1) * 12 : 15". The value of "len" is now at least 24. bluez-5.77/mesh/net.c:2028:3: assignment: Assigning: "sar_in->len" = "len". The value of "sar_in->len" is now at least 24. bluez-5.77/mesh/net.c:2058:3: overrun-call: Overrunning callee's array of size 15 by passing argument "sar_in->len" (which evaluates to 24) in call to "msg_rxed". 2056| 2057| /* coverity[overrun-buffer-val] : FALSE */ 2058|-> msg_rxed(net, frnd, iv_index, ttl, seq, net_idx, 2059| sar_in->remote, dst, key_aid, true, szmic, 2060| sar_in->seqZero, sar_in->buf, sar_in->len); Error: OVERRUN (CWE-119): [#def4] [important] bluez-5.77/mesh/net.c:3266:2: cond_at_most: Checking "msg_len > 384" implies that "msg_len" may be up to 384 on the false branch. bluez-5.77/mesh/net.c:3280:2: cond_between: Checking "msg_len <= 15" implies that "msg_len" is between 16 and 384 (inclusive) on the false branch. bluez-5.77/mesh/net.c:3284:2: overrun-call: Overrunning callee's array of size 15 by passing argument "msg_len" (which evaluates to 384) in call to "msg_rxed". 3282| 3283| /* First enqueue to any Friends and internal models */ 3284|-> result = msg_rxed(net, false, iv_index, ttl, seq, net_idx, src, dst, 3285| key_aid, segmented, szmic, seq & SEQ_ZERO_MASK, 3286| msg, msg_len); --- mesh/net.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/mesh/net.c b/mesh/net.c index 9d6c2ae5142f..30dcdb2fe517 100644 --- a/mesh/net.c +++ b/mesh/net.c @@ -1776,6 +1776,7 @@ static bool msg_rxed(struct mesh_net *net, bool frnd, uint32_t iv_index, hdr |= SEG_MAX(true, size) << SEGN_HDR_SHIFT; } + /* coverity[overrun-call] : FALSE */ if (friend_packet_queue(net, iv_index, false, frnd_ttl, seq, src, dst, hdr, data, size)) @@ -2054,6 +2055,7 @@ static bool seg_rxed(struct mesh_net *net, bool frnd, uint32_t iv_index, send_net_ack(net, sar_in, expected); /* coverity[overrun-buffer-val] : FALSE */ + /* coverity[overrun-call] : FALSE */ msg_rxed(net, frnd, iv_index, ttl, seq, net_idx, sar_in->remote, dst, key_aid, true, szmic, sar_in->seqZero, sar_in->buf, sar_in->len); @@ -3289,6 +3291,7 @@ bool mesh_net_app_send(struct mesh_net *net, bool frnd_cred, uint16_t src, segmented |= !!(seg_max); /* First enqueue to any Friends and internal models */ + /* coverity[overrun-call] : FALSE */ result = msg_rxed(net, false, iv_index, ttl, seq, net_idx, src, dst, key_aid, segmented, szmic, seq & SEQ_ZERO_MASK, msg, msg_len); -- 2.45.2 From 1a1239f998ca15dd233e2adaa2ce12f4ae97e5d1 Mon Sep 17 00:00:00 2001 From: Bastien Nocera Date: Fri, 19 Jul 2024 15:06:24 +0200 Subject: [PATCH 7/8] shared/gatt-db: Work-around overrun-buffer-arg case #01163328 Despite the checks added, Coverity still thinks that uuid_to_le() can return more than 16 (for UUID128 / 8), so quiet those. Error: OVERRUN (CWE-119): [#def6] [important] bluez-5.77/src/shared/gatt-db.c:612:2: assignment: Assigning: "len" = "uuid_to_le(uuid, value)". The value of "len" is now between 0 and 31 (inclusive). bluez-5.77/src/shared/gatt-db.c:614:2: overrun-buffer-arg: Overrunning array "value" of 16 bytes by passing it to a function which accesses it at byte offset 30 using argument "len" (which evaluates to 31). 612| len = uuid_to_le(uuid, value); 613| 614|-> service->attributes[0] = new_attribute(service, handle, type, value, 615| len); 616| if (!service->attributes[0]) { Error: OVERRUN (CWE-119): [#def7] [important] bluez-5.77/src/shared/gatt-db.c:947:2: assignment: Assigning: "len" = "0". bluez-5.77/src/shared/gatt-db.c:971:2: assignment: Assigning: "len" += "1UL". The value of "len" is now 1. bluez-5.77/src/shared/gatt-db.c:975:2: assignment: Assigning: "len" += "2UL". The value of "len" is now 3. bluez-5.77/src/shared/gatt-db.c:976:2: assignment: Assigning: "len" += "uuid_to_le(uuid, &value[3])". The value of "len" is now between 3 and 34 (inclusive). bluez-5.77/src/shared/gatt-db.c:978:2: overrun-buffer-arg: Overrunning array "value" of 19 bytes by passing it to a function which accesses it at byte offset 33 using argument "len" (which evaluates to 34). 976| len += uuid_to_le(uuid, &value[3]); 977| 978|-> service->attributes[i] = new_attribute(service, handle, 979| &characteristic_uuid, 980| value, len); Error: OVERRUN (CWE-119): [#def8] [important] bluez-5.77/src/shared/gatt-db.c:947:2: assignment: Assigning: "len" = "0". bluez-5.77/src/shared/gatt-db.c:971:2: assignment: Assigning: "len" += "1UL". The value of "len" is now 1. bluez-5.77/src/shared/gatt-db.c:975:2: assignment: Assigning: "len" += "2UL". The value of "len" is now 3. bluez-5.77/src/shared/gatt-db.c:976:2: assignment: Assigning: "len" += "uuid_to_le(uuid, &value[3])". The value of "len" is now between 3 and 34 (inclusive). bluez-5.77/src/shared/gatt-db.c:1005:2: overrun-buffer-arg: Overrunning array "value" of 19 bytes by passing it to a function which accesses it at byte offset 33 using argument "len" (which evaluates to 34). 1003| /* Update handle of characteristic value_handle if it has changed */ 1004| put_le16(value_handle, &value[1]); 1005|-> if (memcmp((*chrc)->value, value, len)) 1006| memcpy((*chrc)->value, value, len); 1007| Error: OVERRUN (CWE-119): [#def9] [important] bluez-5.77/src/shared/gatt-db.c:947:2: assignment: Assigning: "len" = "0". bluez-5.77/src/shared/gatt-db.c:971:2: assignment: Assigning: "len" += "1UL". The value of "len" is now 1. bluez-5.77/src/shared/gatt-db.c:975:2: assignment: Assigning: "len" += "2UL". The value of "len" is now 3. bluez-5.77/src/shared/gatt-db.c:976:2: assignment: Assigning: "len" += "uuid_to_le(uuid, &value[3])". The value of "len" is now between 3 and 34 (inclusive). bluez-5.77/src/shared/gatt-db.c:1006:3: overrun-buffer-arg: Overrunning array "value" of 19 bytes by passing it to a function which accesses it at byte offset 33 using argument "len" (which evaluates to 34). [Note: The source code implementation of the function has been overridden by a builtin model.] 1004| put_le16(value_handle, &value[1]); 1005| if (memcmp((*chrc)->value, value, len)) 1006|-> memcpy((*chrc)->value, value, len); 1007| 1008| set_attribute_data(service->attributes[i], read_func, write_func, --- src/shared/gatt-db.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/shared/gatt-db.c b/src/shared/gatt-db.c index cd0eba6bf1d0..9045a53c6dfe 100644 --- a/src/shared/gatt-db.c +++ b/src/shared/gatt-db.c @@ -616,6 +616,7 @@ static struct gatt_db_service *gatt_db_service_create(const bt_uuid_t *uuid, len = uuid_to_le(uuid, value); + /* coverity[overrun-buffer-arg] : FALSE */ service->attributes[0] = new_attribute(service, handle, type, value, len); if (!service->attributes[0]) { @@ -980,6 +981,7 @@ service_insert_characteristic(struct gatt_db_service *service, len += sizeof(uint16_t); len += uuid_to_le(uuid, &value[3]); + /* coverity[overrun-buffer-arg] : FALSE */ service->attributes[i] = new_attribute(service, handle, &characteristic_uuid, value, len); @@ -1007,8 +1009,11 @@ service_insert_characteristic(struct gatt_db_service *service, /* Update handle of characteristic value_handle if it has changed */ put_le16(value_handle, &value[1]); - if (memcmp((*chrc)->value, value, len)) + /* coverity[overrun-buffer-arg] : FALSE */ + if (memcmp((*chrc)->value, value, len)) { + /* coverity[overrun-buffer-arg] : FALSE */ memcpy((*chrc)->value, value, len); + } set_attribute_data(service->attributes[i], read_func, write_func, permissions, user_data); -- 2.45.2 From cddd78cb6d2a780b352e27ea5e7e44378f8a8ef4 Mon Sep 17 00:00:00 2001 From: Bastien Nocera Date: Tue, 30 Jul 2024 15:27:49 +0200 Subject: [PATCH 8/8] shared/btsnoop: Work-around underflow case #01163329 It should be impossible to have toread underflow, as we check that it has a value of at least 1 when decremented, and that we check for it have a non-zero value before using it. --- src/shared/btsnoop.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/shared/btsnoop.c b/src/shared/btsnoop.c index bb0bccf0dd01..12f960ec353d 100644 --- a/src/shared/btsnoop.c +++ b/src/shared/btsnoop.c @@ -553,6 +553,7 @@ bool btsnoop_read_hci(struct btsnoop *btsnoop, struct timeval *tv, btsnoop->aborted = true; return false; } + /* coverity[underflow] : FALSE */ toread--; *index = 0; -- 2.45.2