827e91509a
Related: Jira:RHEL-34536
From ad622447efc5429a5dc3f84c722a81cc41658e7e Mon Sep 17 00:00:00 2001
|
|
From: Bastien Nocera <hadess@hadess.net>
|
|
Date: Mon, 5 Aug 2024 12:17:29 +0200
|
|
Subject: [PATCH 1/8] monitor: Work-around overflow_sink Case #01164573
|
|
|
|
Coverity thinks "len" can be negative, even though we check its value,
|
|
and exit the function if it is.
|
|
---
|
|
monitor/control.c | 1 +
|
|
1 file changed, 1 insertion(+)
|
|
|
|
diff --git a/monitor/control.c b/monitor/control.c
|
|
index 62857b4b84de..40e8a3a90c05 100644
|
|
--- a/monitor/control.c
|
|
+++ b/monitor/control.c
|
|
@@ -1102,6 +1102,7 @@ static void client_callback(int fd, uint32_t events, void *user_data)
|
|
UINT16_MAX - data->offset > len)
|
|
return;
|
|
|
|
+ /* coverity[overflow] : FALSE */
|
|
data->offset += len;
|
|
|
|
while (data->offset >= MGMT_HDR_SIZE) {
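Review bot: The guard this annotation relies on deserves a second look before the finding is classified as false: the visible clause `UINT16_MAX - data->offset > len)` followed by `return;` makes client_callback bail out when len is smaller than the remaining room, which is the opposite of what an overflow guard for `data->offset += len` needs, unless the part of the condition above the hunk negates it. The commit message only mentions a negative-len check, whereas overflow_sink on `data->offset += len` is about the sum exceeding the range of offset, so if the usual bound is intended the line should read `if (len < 0 || len > UINT16_MAX - data->offset)`. Separately, the annotation form is inconsistent across this series: patch 3 writes `/* coverity[leaked_storage : FALSE] */` with the qualifier inside the brackets, which I believe is the documented form, while this patch and patches 2 and 4 to 8 put `: FALSE` after the closing bracket; pick one form and confirm the outside-bracket variant is actually honoured, otherwise the FALSE classification is silently dropped. client_callback starts and ends outside the hunk.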
|
|
--
|
|
2.45.2
|
|
|
|
|
|
From c2a1630f0e484c4330c565c56e9a26f8f1ae2664 Mon Sep 17 00:00:00 2001
|
|
From: Bastien Nocera <hadess@hadess.net>
|
|
Date: Tue, 30 Jul 2024 15:45:18 +0200
|
|
Subject: [PATCH 2/8] mesh/net: Work-around memory overallocation warning
|
|
|
|
Coverity doesn't realise that the "payload" struct was allocated past
|
|
its structure size, so quiet that warning.
|
|
|
|
Error: OVERRUN (CWE-119): [#def1] [important]
|
|
bluez-5.77/mesh/net.c:3276:2: cond_at_most: Checking "msg_len > 384" implies that "msg_len" may be up to 384 on the false branch.
|
|
bluez-5.77/mesh/net.c:3290:2: cond_at_most: Checking "msg_len <= 15" implies that "msg_len" may be up to 15 on the true branch.
|
|
bluez-5.77/mesh/net.c:3316:2: overrun-buffer-arg: Overrunning array "payload->buf" of 4 bytes by passing it to a function which accesses it at byte offset 14 using argument "msg_len" (which evaluates to 15). [Note: The source code implementation of the function has been overridden by a builtin model.]
|
|
3314| /* Setup OTA Network send */
|
|
3315| payload = mesh_sar_new(msg_len);
|
|
3316|-> memcpy(payload->buf, msg, msg_len);
|
|
3317| payload->len = msg_len;
|
|
3318| payload->src = src;
|
|
---
|
|
mesh/net.c | 1 +
|
|
1 file changed, 1 insertion(+)
|
|
|
|
diff --git a/mesh/net.c b/mesh/net.c
|
|
index ef6a3133859a..ca2cda8ec948 100644
|
|
--- a/mesh/net.c
|
|
+++ b/mesh/net.c
|
|
@@ -3306,6 +3306,7 @@ bool mesh_net_app_send(struct mesh_net *net, bool frnd_cred, uint16_t src,
|
|
|
|
/* Setup OTA Network send */
|
|
payload = mesh_sar_new(msg_len);
|
|
+ /* coverity[overrun-buffer-arg] : FALSE */
|
|
memcpy(payload->buf, msg, msg_len);
|
|
payload->len = msg_len;
|
|
payload->src = src;
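Review bot: The annotation records that the finding is false but not why, so the next reader of `memcpy(payload->buf, msg, msg_len)` has to rediscover that mesh_sar_new() provides msg_len bytes of trailing storage; the comment should carry that invariant, e.g. `/* mesh_sar_new(msg_len) allocates msg_len bytes past the struct for buf; coverity[overrun-buffer-arg : FALSE] */`. A more durable fix is the root cause: Coverity reports `payload->buf` as a 4-byte array, and if struct mesh_sar declares it with a fixed size, turning it into a C99 flexible array member (`uint8_t buf[];`) with the allocation in mesh_sar_new() sized accordingly tells both the compiler and the analyzer that the buffer is variable-length, and would also remove the `sar_in->buf` finding that patch 5 suppresses in seg_rxed. The return value of mesh_sar_new() is also used without a NULL check; if it wraps an abort-on-failure allocator that is fine, but it is worth stating next to the call. mesh_net_app_send starts and ends outside the hunk.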
|
|
--
|
|
2.45.2
|
|
|
|
|
|
From 6494fc8665f89b70b8e9d80b829eabc71a22278f Mon Sep 17 00:00:00 2001
|
|
From: Bastien Nocera <hadess@hadess.net>
|
|
Date: Wed, 17 Jul 2024 12:51:56 +0200
|
|
Subject: [PATCH 3/8] shared/shell: Work-around SAT-45980 with wordexp()
|
|
|
|
Coverity sees a leak when one doesn't exist yet.
|
|
|
|
Error: RESOURCE_LEAK (CWE-772): [#def23] [important]
|
|
bluez-5.77/src/shared/shell.c:534:2: alloc_arg: "parse_args" allocates memory that is stored into "w.we_wordv".
|
|
bluez-5.77/src/shared/shell.c:558:3: leaked_storage: Variable "w" going out of scope leaks the storage "w.we_wordv" points to.
|
|
556| "Unable to parse optional command arguments: %s", opt);
|
|
557| free(opt);
|
|
558|-> return -EINVAL;
|
|
559| }
|
|
560|
|
|
---
|
|
src/shared/shell.c | 1 +
|
|
1 file changed, 1 insertion(+)
|
|
|
|
diff --git a/src/shared/shell.c b/src/shared/shell.c
|
|
index 26c6a419af22..9d2b50b260f9 100644
|
|
--- a/src/shared/shell.c
|
|
+++ b/src/shared/shell.c
|
|
@@ -555,6 +555,7 @@ optional:
|
|
print_text(COLOR_HIGHLIGHT,
|
|
"Unable to parse optional command arguments: %s", opt);
|
|
free(opt);
|
|
+ /* coverity[leaked_storage : FALSE] */
|
|
return -EINVAL;
|
|
}
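Review bot: The suppressed leak may be real rather than false: the Coverity trace quoted in the commit message says `w.we_wordv` was populated by parse_args() at line 534, and this early `return -EINVAL` leaves the function without any visible release of `w`, while the message's "when one doesn't exist yet" does not explain why `w` is not owned at this point. If the earlier parse_args() call succeeded on the way to the `optional:` label, the fix is to release it, `wordfree(&w);` before the return or a `goto` to the function's existing cleanup path if it has one, rather than an annotation; if `w` genuinely cannot be populated here, the annotation should say so, e.g. `/* w is not populated on this path; coverity[leaked_storage : FALSE] */`. The enclosing function starts and ends outside the hunk, so this cannot be settled from the diff alone.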
|
|
|
|
--
|
|
2.45.2
|
|
|
|
|
|
From 99c12a3e56129361ed50934054876126b1e55881 Mon Sep 17 00:00:00 2001
|
|
From: Bastien Nocera <hadess@hadess.net>
|
|
Date: Wed, 17 Jul 2024 11:28:17 +0200
|
|
Subject: [PATCH 4/8] sdp: Work-around #01163325 with single-linked list
|
|
|
|
Error: RESOURCE_LEAK (CWE-772): [#def2] [important]
|
|
bluez-5.77/lib/sdp.c:1896:4: alloc_fn: Storage is returned from allocation function "sdp_list_append".
|
|
bluez-5.77/lib/sdp.c:1896:4: var_assign: Assigning: "pds" = storage returned from "sdp_list_append(pds, curr->val.dataseq)".
|
|
bluez-5.77/lib/sdp.c:1896:4: identity_transfer: Passing "pds" as argument 1 to function "sdp_list_append", which returns that argument.
|
|
bluez-5.77/lib/sdp.c:1896:4: noescape: Resource "pds" is not freed or pointed-to in "sdp_list_append".
|
|
bluez-5.77/lib/sdp.c:1896:4: overwrite_var: Overwriting "pds" in "pds = sdp_list_append(pds, curr->val.dataseq)".
|
|
bluez-5.77/lib/sdp.c:1896:4: var_assign: Assigning: "pds" = storage returned from "sdp_list_append(pds, curr->val.dataseq)".
|
|
bluez-5.77/lib/sdp.c:1896:4: noescape: Resource "pds" is not freed or pointed-to in "sdp_list_append".
|
|
bluez-5.77/lib/sdp.c:1896:4: overwrite_var: Overwriting "pds" in "pds = sdp_list_append(pds, curr->val.dataseq)" leaks the storage that "pds" points to.
|
|
1894| goto failed;
|
|
1895| }
|
|
1896|-> pds = sdp_list_append(pds, curr->val.dataseq);
|
|
1897| }
|
|
1898|
|
|
|
|
Error: RESOURCE_LEAK (CWE-772): [#def3] [important]
|
|
bluez-5.77/lib/sdp.c:1899:3: alloc_fn: Storage is returned from allocation function "sdp_list_append".
|
|
bluez-5.77/lib/sdp.c:1899:3: var_assign: Assigning: "ap" = storage returned from "sdp_list_append(ap, pds)".
|
|
bluez-5.77/lib/sdp.c:1899:3: identity_transfer: Passing "ap" as argument 1 to function "sdp_list_append", which returns that argument.
|
|
bluez-5.77/lib/sdp.c:1899:3: noescape: Resource "ap" is not freed or pointed-to in "sdp_list_append".
|
|
bluez-5.77/lib/sdp.c:1899:3: overwrite_var: Overwriting "ap" in "ap = sdp_list_append(ap, pds)".
|
|
bluez-5.77/lib/sdp.c:1899:3: var_assign: Assigning: "ap" = storage returned from "sdp_list_append(ap, pds)".
|
|
bluez-5.77/lib/sdp.c:1899:3: noescape: Resource "ap" is not freed or pointed-to in "sdp_list_append".
|
|
bluez-5.77/lib/sdp.c:1899:3: overwrite_var: Overwriting "ap" in "ap = sdp_list_append(ap, pds)" leaks the storage that "ap" points to.
|
|
1897| }
|
|
1898|
|
|
1899|-> ap = sdp_list_append(ap, pds);
|
|
1900| }
|
|
1901|
|
|
|
|
Error: RESOURCE_LEAK (CWE-772): [#def17] [important]
|
|
bluez-5.77/src/sdp-client.c:197:3: alloc_fn: Storage is returned from allocation function "sdp_list_append".
|
|
bluez-5.77/src/sdp-client.c:197:3: var_assign: Assigning: "recs" = storage returned from "sdp_list_append(recs, rec)".
|
|
bluez-5.77/src/sdp-client.c:197:3: identity_transfer: Passing "recs" as argument 1 to function "sdp_list_append", which returns that argument.
|
|
bluez-5.77/src/sdp-client.c:197:3: noescape: Resource "recs" is not freed or pointed-to in "sdp_list_append".
|
|
bluez-5.77/src/sdp-client.c:197:3: overwrite_var: Overwriting "recs" in "recs = sdp_list_append(recs, rec)".
|
|
bluez-5.77/src/sdp-client.c:197:3: var_assign: Assigning: "recs" = storage returned from "sdp_list_append(recs, rec)".
|
|
bluez-5.77/src/sdp-client.c:197:3: noescape: Resource "recs" is not freed or pointed-to in "sdp_list_append".
|
|
bluez-5.77/src/sdp-client.c:197:3: overwrite_var: Overwriting "recs" in "recs = sdp_list_append(recs, rec)" leaks the storage that "recs" points to.
|
|
195| }
|
|
196|
|
|
197|-> recs = sdp_list_append(recs, rec);
|
|
198| } while (scanned < (ssize_t) size && bytesleft > 0);
|
|
199|
|
|
---
|
|
lib/sdp.c | 2 ++
|
|
src/sdp-client.c | 1 +
|
|
2 files changed, 3 insertions(+)
|
|
|
|
diff --git a/lib/sdp.c b/lib/sdp.c
|
|
index 8a15ad803db1..99efbc19c299 100644
|
|
--- a/lib/sdp.c
|
|
+++ b/lib/sdp.c
|
|
@@ -1893,9 +1893,11 @@ static int sdp_get_proto_descs(uint16_t attr_id, const sdp_record_t *rec,
|
|
sdp_list_free(pds, NULL);
|
|
goto failed;
|
|
}
|
|
+ /* coverity[overwrite_var] : FALSE */
|
|
pds = sdp_list_append(pds, curr->val.dataseq);
|
|
}
|
|
|
|
+ /* coverity[overwrite_var] : FALSE */
|
|
ap = sdp_list_append(ap, pds);
|
|
}
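Review bot: The three overwrite_var suppressions in this patch (here on `pds = sdp_list_append(pds, curr->val.dataseq)` and `ap = sdp_list_append(ap, pds)`, and on `recs = sdp_list_append(recs, rec)` in src/sdp-client.c) all stem from one thing, Coverity modelling sdp_list_append() as returning a fresh allocation instead of the list head it was handed, so the annotation is being repeated at every caller of a widely used API. If the project keeps a Coverity model file, modelling sdp_list_append() there once removes all three findings and any future ones; failing that, each comment should at least state the invariant, e.g. `/* sdp_list_append() returns the head it was given; coverity[overwrite_var : FALSE] */`. Both sdp_get_proto_descs and search_completed_cb start and end outside their hunks.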
|
|
|
|
diff --git a/src/sdp-client.c b/src/sdp-client.c
|
|
index 71d3d9e95044..2f043cb7f010 100644
|
|
--- a/src/sdp-client.c
|
|
+++ b/src/sdp-client.c
|
|
@@ -194,6 +194,7 @@ static void search_completed_cb(uint8_t type, uint16_t status,
|
|
continue;
|
|
}
|
|
|
|
+ /* coverity[overwrite_var] : FALSE */
|
|
recs = sdp_list_append(recs, rec);
|
|
} while (scanned < (ssize_t) size && bytesleft > 0);
|
|
|
|
--
|
|
2.45.2
|
|
|
|
|
|
From 6fcbf34a02133628a1a8afeabb093270ca89dbb8 Mon Sep 17 00:00:00 2001
|
|
From: Bastien Nocera <hadess@hadess.net>
|
|
Date: Thu, 18 Jul 2024 15:05:07 +0200
|
|
Subject: [PATCH 5/8] mesh: Quiet imprecise "overrun-buffer-val" #01163326
|
|
|
|
Error: OVERRUN (CWE-119): [#def1] [important]
|
|
bluez-5.77/mesh/friend.c:326:2: overrun-buffer-val: Overrunning array "msg" of 5 bytes by passing it to a function which accesses it at byte offset 12.
|
|
324| l_put_be16(neg->lp_addr, msg + 1);
|
|
325| l_put_be16(neg->lp_cnt, msg + 3);
|
|
326|-> mesh_net_transport_send(neg->net, 0, 0,
|
|
327| mesh_net_get_iv_index(neg->net), DEFAULT_TTL,
|
|
328| 0, 0, neg->old_friend,
|
|
|
|
Error: OVERRUN (CWE-119): [#def2] [important]
|
|
bluez-5.77/mesh/net.c:276:2: overrun-buffer-val: Overrunning array "msg" of 4 bytes by passing it to a function which accesses it at byte offset 12.
|
|
274| n += 2;
|
|
275|
|
|
276|-> mesh_net_transport_send(net, 0, 0, mesh_net_get_iv_index(net),
|
|
277| pub->ttl, 0, 0, pub->dst, msg, n);
|
|
278| }
|
|
|
|
Error: OVERRUN (CWE-119): [#def3] [important]
|
|
bluez-5.77/mesh/net.c:1463:3: overrun-buffer-val: Overrunning array "msg" of 7 bytes by passing it to a function which accesses it at byte offset 12.
|
|
1461| mesh_net_next_seq_num(net), 0, dst, msg);
|
|
1462| } else {
|
|
1463|-> mesh_net_transport_send(net, 0, 0,
|
|
1464| mesh_net_get_iv_index(net), DEFAULT_TTL,
|
|
1465| 0, 0, dst, msg, sizeof(msg));
|
|
|
|
Error: OVERRUN (CWE-119): [#def4] [important]
|
|
bluez-5.77/mesh/net.c:1498:2: overrun-buffer-val: Overrunning array "msg" of 7 bytes by passing it to a function which accesses it at byte offset 12.
|
|
1496| }
|
|
1497|
|
|
1498|-> mesh_net_transport_send(net, 0, sar->net_idx,
|
|
1499| mesh_net_get_iv_index(net), DEFAULT_TTL,
|
|
1500| 0, src, dst, msg,
|
|
|
|
Error: OVERRUN (CWE-119): [#def6] [important]
|
|
bluez-5.77/mesh/net.c:2053:3: overrun-buffer-val: Overrunning array "sar_in->buf" of 4 bytes by passing it to a function which accesses it at byte offset 11.
|
|
2051| send_net_ack(net, sar_in, expected);
|
|
2052|
|
|
2053|-> msg_rxed(net, frnd, iv_index, ttl, seq, net_idx,
|
|
2054| sar_in->remote, dst, key_aid, true, szmic,
|
|
2055| sar_in->seqZero, sar_in->buf, sar_in->len);
|
|
---
|
|
mesh/friend.c | 1 +
|
|
mesh/net.c | 4 ++++
|
|
2 files changed, 5 insertions(+)
|
|
|
|
diff --git a/mesh/friend.c b/mesh/friend.c
|
|
index 5b73da68916f..bb8f62e9f57f 100644
|
|
--- a/mesh/friend.c
|
|
+++ b/mesh/friend.c
|
|
@@ -323,6 +323,7 @@ static void clear_retry(struct l_timeout *timeout, void *user_data)
|
|
|
|
l_put_be16(neg->lp_addr, msg + 1);
|
|
l_put_be16(neg->lp_cnt, msg + 3);
|
|
+ /* coverity[overrun-buffer-val] : FALSE */
|
|
mesh_net_transport_send(neg->net, 0, 0,
|
|
mesh_net_get_iv_index(neg->net), DEFAULT_TTL,
|
|
0, 0, neg->old_friend,
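Review bot: Neither this annotation nor the commit message says why mesh_net_transport_send() will not read 12 bytes from the 5-byte `msg`, and the same applies to the four mesh/net.c hunks of this patch (send_hb_publication, send_frnd_ack, send_net_ack and seg_rxed). The visible call sites pass an explicit length (`n`, `sizeof(msg)`, `sar_in->len`; the length for this call lies beyond the hunk), so if the callee reads only that many bytes the comment should say so, e.g. `/* callee reads only the passed length; coverity[overrun-buffer-val : FALSE] */`. Coverity's "accesses it at byte offset 12" suggests the callee's parameter is declared with a fixed array bound or is indexed by a constant; if it is the former, changing the prototype to a plain pointer bounded by the length already passed fixes all five sites in one place, leaving a per-call-site annotation only where a constant index remains. clear_retry continues outside the hunk.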
|
|
diff --git a/mesh/net.c b/mesh/net.c
|
|
index ca2cda8ec948..9d6c2ae5142f 100644
|
|
--- a/mesh/net.c
|
|
+++ b/mesh/net.c
|
|
@@ -273,6 +273,7 @@ static void send_hb_publication(void *data)
|
|
l_put_be16(net->features, msg + n);
|
|
n += 2;
|
|
|
|
+ /* coverity[overrun-buffer-val] : FALSE */
|
|
mesh_net_transport_send(net, 0, 0, mesh_net_get_iv_index(net),
|
|
pub->ttl, 0, 0, pub->dst, msg, n);
|
|
}
|
|
@@ -1460,6 +1461,7 @@ static void send_frnd_ack(struct mesh_net *net, uint16_t src, uint16_t dst,
|
|
friend_ack_rxed(net, mesh_net_get_iv_index(net),
|
|
mesh_net_next_seq_num(net), 0, dst, msg);
|
|
} else {
|
|
+ /* coverity[overrun-buffer-val] : FALSE */
|
|
mesh_net_transport_send(net, 0, 0,
|
|
mesh_net_get_iv_index(net), DEFAULT_TTL,
|
|
0, 0, dst, msg, sizeof(msg));
|
|
@@ -1495,6 +1497,7 @@ static void send_net_ack(struct mesh_net *net, struct mesh_sar *sar,
|
|
return;
|
|
}
|
|
|
|
+ /* coverity[overrun-buffer-val] : FALSE */
|
|
mesh_net_transport_send(net, 0, sar->net_idx,
|
|
mesh_net_get_iv_index(net), DEFAULT_TTL,
|
|
0, src, dst, msg,
|
|
@@ -2050,6 +2053,7 @@ static bool seg_rxed(struct mesh_net *net, bool frnd, uint32_t iv_index,
|
|
/* Got it all */
|
|
send_net_ack(net, sar_in, expected);
|
|
|
|
+ /* coverity[overrun-buffer-val] : FALSE */
|
|
msg_rxed(net, frnd, iv_index, ttl, seq, net_idx,
|
|
sar_in->remote, dst, key_aid, true, szmic,
|
|
sar_in->seqZero, sar_in->buf, sar_in->len);
|
|
--
|
|
2.45.2
|
|
|
|
|
|
From 91066706378840f28146e51702e3ed8c1780dcd9 Mon Sep 17 00:00:00 2001
|
|
From: Bastien Nocera <hadess@hadess.net>
|
|
Date: Thu, 18 Jul 2024 15:37:58 +0200
|
|
Subject: [PATCH 6/8] mesh: Quiet imprecise "overrun-buffer-val" #01163327
|
|
|
|
Those errors are incorrect, as just before the flagged function calls,
|
|
the packet is modified to flag for a "segmented" packet, which is
|
|
handled differently, so nothing is accessed past the array size.
|
|
|
|
Error: OVERRUN (CWE-119): [#def5] [important]
|
|
bluez-5.77/mesh/net.c:1769:3: cond_at_least: Checking "size > 15" implies that "size" is at least 16 on the true branch.
|
|
bluez-5.77/mesh/net.c:1776:3: overrun-call: Overrunning callee's array of size 15 by passing argument "size" (which evaluates to 16) in call to "friend_packet_queue".
|
|
1774| }
|
|
1775|
|
|
1776|-> if (friend_packet_queue(net, iv_index, false, frnd_ttl,
|
|
1777| seq, src, dst,
|
|
1778| hdr, data, size))
|
|
|
|
Error: OVERRUN (CWE-119): [#def2] [important]
|
|
bluez-5.77/mesh/net.c:2016:3: cond_at_least: Checking "segN" implies that "segN" is at least 1 on the true branch.
|
|
bluez-5.77/mesh/net.c:2016:3: assignment: Assigning: "len" = "segN ? (segN + 1) * 12 : 15". The value of "len" is now at least 24.
|
|
bluez-5.77/mesh/net.c:2028:3: assignment: Assigning: "sar_in->len" = "len". The value of "sar_in->len" is now at least 24.
|
|
bluez-5.77/mesh/net.c:2058:3: overrun-call: Overrunning callee's array of size 15 by passing argument "sar_in->len" (which evaluates to 24) in call to "msg_rxed".
|
|
2056|
|
|
2057| /* coverity[overrun-buffer-val] : FALSE */
|
|
2058|-> msg_rxed(net, frnd, iv_index, ttl, seq, net_idx,
|
|
2059| sar_in->remote, dst, key_aid, true, szmic,
|
|
2060| sar_in->seqZero, sar_in->buf, sar_in->len);
|
|
|
|
Error: OVERRUN (CWE-119): [#def4] [important]
|
|
bluez-5.77/mesh/net.c:3266:2: cond_at_most: Checking "msg_len > 384" implies that "msg_len" may be up to 384 on the false branch.
|
|
bluez-5.77/mesh/net.c:3280:2: cond_between: Checking "msg_len <= 15" implies that "msg_len" is between 16 and 384 (inclusive) on the false branch.
|
|
bluez-5.77/mesh/net.c:3284:2: overrun-call: Overrunning callee's array of size 15 by passing argument "msg_len" (which evaluates to 384) in call to "msg_rxed".
|
|
3282|
|
|
3283| /* First enqueue to any Friends and internal models */
|
|
3284|-> result = msg_rxed(net, false, iv_index, ttl, seq, net_idx, src, dst,
|
|
3285| key_aid, segmented, szmic, seq & SEQ_ZERO_MASK,
|
|
3286| msg, msg_len);
|
|
---
|
|
mesh/net.c | 3 +++
|
|
1 file changed, 3 insertions(+)
|
|
|
|
diff --git a/mesh/net.c b/mesh/net.c
|
|
index 9d6c2ae5142f..30dcdb2fe517 100644
|
|
--- a/mesh/net.c
|
|
+++ b/mesh/net.c
|
|
@@ -1776,6 +1776,7 @@ static bool msg_rxed(struct mesh_net *net, bool frnd, uint32_t iv_index,
|
|
hdr |= SEG_MAX(true, size) << SEGN_HDR_SHIFT;
|
|
}
|
|
|
|
+ /* coverity[overrun-call] : FALSE */
|
|
if (friend_packet_queue(net, iv_index, false, frnd_ttl,
|
|
seq, src, dst,
|
|
hdr, data, size))
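Review bot: Coverity's message names the root cause, friend_packet_queue()'s parameter being seen as an array of 15 bytes while `size` can be 16 or more on the segmented path, and the annotation papers over a prototype that is out of step with its callers rather than correcting it; the same applies to the two msg_rxed hunks of this patch, where seg_rxed now carries two stacked annotations on one call. If the callee declares the buffer parameter with a fixed bound, declaring it as a plain pointer bounded by the accompanying `size`/`msg_len` argument makes the signature match the segmented case the commit message describes and clears all three findings at once; a bound in a prototype is a contract, and the callers are now documented as violating it. If the bound must stay, the comment should record the segmented-path reason given in the commit message instead of a bare FALSE. msg_rxed starts and ends outside the hunk.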
|
|
@@ -2054,6 +2055,7 @@ static bool seg_rxed(struct mesh_net *net, bool frnd, uint32_t iv_index,
|
|
send_net_ack(net, sar_in, expected);
|
|
|
|
/* coverity[overrun-buffer-val] : FALSE */
|
|
+ /* coverity[overrun-call] : FALSE */
|
|
msg_rxed(net, frnd, iv_index, ttl, seq, net_idx,
|
|
sar_in->remote, dst, key_aid, true, szmic,
|
|
sar_in->seqZero, sar_in->buf, sar_in->len);
|
|
@@ -3289,6 +3291,7 @@ bool mesh_net_app_send(struct mesh_net *net, bool frnd_cred, uint16_t src,
|
|
segmented |= !!(seg_max);
|
|
|
|
/* First enqueue to any Friends and internal models */
|
|
+ /* coverity[overrun-call] : FALSE */
|
|
result = msg_rxed(net, false, iv_index, ttl, seq, net_idx, src, dst,
|
|
key_aid, segmented, szmic, seq & SEQ_ZERO_MASK,
|
|
msg, msg_len);
|
|
--
|
|
2.45.2
|
|
|
|
|
|
From 1a1239f998ca15dd233e2adaa2ce12f4ae97e5d1 Mon Sep 17 00:00:00 2001
|
|
From: Bastien Nocera <hadess@hadess.net>
|
|
Date: Fri, 19 Jul 2024 15:06:24 +0200
|
|
Subject: [PATCH 7/8] shared/gatt-db: Work-around overrun-buffer-arg case
|
|
#01163328
|
|
|
|
Despite the checks added, Coverity still thinks that uuid_to_le() can
|
|
return more than 16 (for UUID128 / 8), so quiet those.
|
|
|
|
Error: OVERRUN (CWE-119): [#def6] [important]
|
|
bluez-5.77/src/shared/gatt-db.c:612:2: assignment: Assigning: "len" = "uuid_to_le(uuid, value)". The value of "len" is now between 0 and 31 (inclusive).
|
|
bluez-5.77/src/shared/gatt-db.c:614:2: overrun-buffer-arg: Overrunning array "value" of 16 bytes by passing it to a function which accesses it at byte offset 30 using argument "len" (which evaluates to 31).
|
|
612| len = uuid_to_le(uuid, value);
|
|
613|
|
|
614|-> service->attributes[0] = new_attribute(service, handle, type, value,
|
|
615| len);
|
|
616| if (!service->attributes[0]) {
|
|
|
|
Error: OVERRUN (CWE-119): [#def7] [important]
|
|
bluez-5.77/src/shared/gatt-db.c:947:2: assignment: Assigning: "len" = "0".
|
|
bluez-5.77/src/shared/gatt-db.c:971:2: assignment: Assigning: "len" += "1UL". The value of "len" is now 1.
|
|
bluez-5.77/src/shared/gatt-db.c:975:2: assignment: Assigning: "len" += "2UL". The value of "len" is now 3.
|
|
bluez-5.77/src/shared/gatt-db.c:976:2: assignment: Assigning: "len" += "uuid_to_le(uuid, &value[3])". The value of "len" is now between 3 and 34 (inclusive).
|
|
bluez-5.77/src/shared/gatt-db.c:978:2: overrun-buffer-arg: Overrunning array "value" of 19 bytes by passing it to a function which accesses it at byte offset 33 using argument "len" (which evaluates to 34).
|
|
976| len += uuid_to_le(uuid, &value[3]);
|
|
977|
|
|
978|-> service->attributes[i] = new_attribute(service, handle,
|
|
979| &characteristic_uuid,
|
|
980| value, len);
|
|
|
|
Error: OVERRUN (CWE-119): [#def8] [important]
|
|
bluez-5.77/src/shared/gatt-db.c:947:2: assignment: Assigning: "len" = "0".
|
|
bluez-5.77/src/shared/gatt-db.c:971:2: assignment: Assigning: "len" += "1UL". The value of "len" is now 1.
|
|
bluez-5.77/src/shared/gatt-db.c:975:2: assignment: Assigning: "len" += "2UL". The value of "len" is now 3.
|
|
bluez-5.77/src/shared/gatt-db.c:976:2: assignment: Assigning: "len" += "uuid_to_le(uuid, &value[3])". The value of "len" is now between 3 and 34 (inclusive).
|
|
bluez-5.77/src/shared/gatt-db.c:1005:2: overrun-buffer-arg: Overrunning array "value" of 19 bytes by passing it to a function which accesses it at byte offset 33 using argument "len" (which evaluates to 34).
|
|
1003| /* Update handle of characteristic value_handle if it has changed */
|
|
1004| put_le16(value_handle, &value[1]);
|
|
1005|-> if (memcmp((*chrc)->value, value, len))
|
|
1006| memcpy((*chrc)->value, value, len);
|
|
1007|
|
|
|
|
Error: OVERRUN (CWE-119): [#def9] [important]
|
|
bluez-5.77/src/shared/gatt-db.c:947:2: assignment: Assigning: "len" = "0".
|
|
bluez-5.77/src/shared/gatt-db.c:971:2: assignment: Assigning: "len" += "1UL". The value of "len" is now 1.
|
|
bluez-5.77/src/shared/gatt-db.c:975:2: assignment: Assigning: "len" += "2UL". The value of "len" is now 3.
|
|
bluez-5.77/src/shared/gatt-db.c:976:2: assignment: Assigning: "len" += "uuid_to_le(uuid, &value[3])". The value of "len" is now between 3 and 34 (inclusive).
|
|
bluez-5.77/src/shared/gatt-db.c:1006:3: overrun-buffer-arg: Overrunning array "value" of 19 bytes by passing it to a function which accesses it at byte offset 33 using argument "len" (which evaluates to 34). [Note: The source code implementation of the function has been overridden by a builtin model.]
|
|
1004| put_le16(value_handle, &value[1]);
|
|
1005| if (memcmp((*chrc)->value, value, len))
|
|
1006|-> memcpy((*chrc)->value, value, len);
|
|
1007|
|
|
1008| set_attribute_data(service->attributes[i], read_func, write_func,
|
|
---
|
|
src/shared/gatt-db.c | 7 ++++++-
|
|
1 file changed, 6 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/src/shared/gatt-db.c b/src/shared/gatt-db.c
|
|
index cd0eba6bf1d0..9045a53c6dfe 100644
|
|
--- a/src/shared/gatt-db.c
|
|
+++ b/src/shared/gatt-db.c
|
|
@@ -616,6 +616,7 @@ static struct gatt_db_service *gatt_db_service_create(const bt_uuid_t *uuid,
|
|
|
|
len = uuid_to_le(uuid, value);
|
|
|
|
+ /* coverity[overrun-buffer-arg] : FALSE */
|
|
service->attributes[0] = new_attribute(service, handle, type, value,
|
|
len);
|
|
if (!service->attributes[0]) {
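Review bot: All four annotations in this patch (this one, and the three in service_insert_characteristic, including the one that turns the `memcmp`/`memcpy` one-liner into a braced block) derive from a single fact Coverity cannot establish, that uuid_to_le() never returns more than 16. A bound check right after `len = uuid_to_le(uuid, value);`, rejecting `len > sizeof(value)` through the same failure path as the `!service->attributes[0]` branch below, documents the invariant once, keeps a future change to uuid_to_le() from silently overrunning `value`, and should clear the downstream findings without per-site annotations; the analogous check in service_insert_characteristic belongs after `len += uuid_to_le(uuid, &value[3]);`. If the annotations stay, they should cite the reason from the commit message ("uuid_to_le() never returns more than 16") rather than a bare FALSE. gatt_db_service_create starts and ends outside the hunk.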
|
|
@@ -980,6 +981,7 @@ service_insert_characteristic(struct gatt_db_service *service,
|
|
len += sizeof(uint16_t);
|
|
len += uuid_to_le(uuid, &value[3]);
|
|
|
|
+ /* coverity[overrun-buffer-arg] : FALSE */
|
|
service->attributes[i] = new_attribute(service, handle,
|
|
&characteristic_uuid,
|
|
value, len);
|
|
@@ -1007,8 +1009,11 @@ service_insert_characteristic(struct gatt_db_service *service,
|
|
|
|
/* Update handle of characteristic value_handle if it has changed */
|
|
put_le16(value_handle, &value[1]);
|
|
- if (memcmp((*chrc)->value, value, len))
|
|
+ /* coverity[overrun-buffer-arg] : FALSE */
|
|
+ if (memcmp((*chrc)->value, value, len)) {
|
|
+ /* coverity[overrun-buffer-arg] : FALSE */
|
|
memcpy((*chrc)->value, value, len);
|
|
+ }
|
|
|
|
set_attribute_data(service->attributes[i], read_func, write_func,
|
|
permissions, user_data);
|
|
--
|
|
2.45.2
|
|
|
|
|
|
From cddd78cb6d2a780b352e27ea5e7e44378f8a8ef4 Mon Sep 17 00:00:00 2001
|
|
From: Bastien Nocera <hadess@hadess.net>
|
|
Date: Tue, 30 Jul 2024 15:27:49 +0200
|
|
Subject: [PATCH 8/8] shared/btsnoop: Work-around underflow case #01163329
|
|
|
|
It should be impossible to have toread underflow, as we check that it
|
|
has a value of at least 1 before it is decremented, and that it
|
|
has a non-zero value before using it.
|
|
---
|
|
src/shared/btsnoop.c | 1 +
|
|
1 file changed, 1 insertion(+)
|
|
|
|
diff --git a/src/shared/btsnoop.c b/src/shared/btsnoop.c
|
|
index bb0bccf0dd01..12f960ec353d 100644
|
|
--- a/src/shared/btsnoop.c
|
|
+++ b/src/shared/btsnoop.c
|
|
@@ -553,6 +553,7 @@ bool btsnoop_read_hci(struct btsnoop *btsnoop, struct timeval *tv,
|
|
btsnoop->aborted = true;
|
|
return false;
|
|
}
|
|
+ /* coverity[underflow] : FALSE */
|
|
toread--;
|
|
|
|
*index = 0;
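Review bot: The annotation on `toread--` asserts the finding is false without pointing at the check that guarantees `toread >= 1`; only the tail of the preceding `if` body (`btsnoop->aborted = true; return false;`) is visible here, so the relationship is not obvious at the site. Rewording the comment to name the guard, e.g. `/* toread was checked to be non-zero above; coverity[underflow : FALSE] */`, makes the suppression self-explaining and easier to re-verify when the surrounding checks change. btsnoop_read_hci starts and ends outside the hunk.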
|
|
--
|
|
2.45.2