[Bluez PATCH v1] textfile: Fix possible bad memory access in find_key

[Bluez PATCH v1] textfile: Fix possible bad memory access in find_key

[Howard Chung]

From: Yun-Hao Chung <howardchung@google.com>

If the searched key is a prefix of the first key in the textfile,
the code will assume it's not the first line which is wrong.
---
This is reproduced by fuzzer: https://issues.oss-fuzz.com/issues/42515619

 src/textfile.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/textfile.c b/src/textfile.c
index 313098f38..8188d2ebe 100644
--- a/src/textfile.c
+++ b/src/textfile.c
@@ -127,10 +127,10 @@ static inline char *find_key(char *map, size_t size, const char *key, size_t len
 	while (ptrlen > len + 1) {
 		int cmp = (icase) ? strncasecmp(ptr, key, len) : strncmp(ptr, key, len);
 		if (cmp == 0) {
-			if (ptr == map && *(ptr + len) == ' ')
-				return ptr;
-
-			if ((*(ptr - 1) == '\r' || *(ptr - 1) == '\n') &&
+			if (ptr == map) {
+				if (*(ptr + len) == ' ')
+					return ptr;
+			} else if ((*(ptr - 1) == '\r' || *(ptr - 1) == '\n') &&
 							*(ptr + len) == ' ')
 				return ptr;
 		}
-- 
2.47.0.163.g1226f6d8fa-goog

RE: [Bluez,v1] textfile: Fix possible bad memory access in find_key

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 949 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=904898

---Test result---

Test Summary:
CheckPatch                    PASS      0.37 seconds
GitLint                       PASS      0.26 seconds
BuildEll                      PASS      24.71 seconds
BluezMake                     PASS      1781.02 seconds
MakeCheck                     PASS      13.09 seconds
MakeDistcheck                 PASS      185.64 seconds
CheckValgrind                 PASS      256.05 seconds
CheckSmatch                   PASS      361.03 seconds
bluezmakeextell               PASS      122.27 seconds
IncrementalBuild              PASS      1493.16 seconds
ScanBuild                     PASS      1038.19 seconds



---
Regards,
Linux Bluetooth

Re: [Bluez PATCH v1] textfile: Fix possible bad memory access in find_key

[Luiz Augusto von Dentz]

Hi Howard,

On Thu, Oct 31, 2024 at 12:04 AM Howard Chung <howardchung@google.com> wrote:
>
> From: Yun-Hao Chung <howardchung@google.com>
>
> If the searched key is a prefix of the first key in the textfile,
> the code will assume it's not the first line which is wrong.

We might want to include a backtrace if there is one.

> ---
> This is reproduced by fuzzer: https://issues.oss-fuzz.com/issues/42515619
>
>  src/textfile.c | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/src/textfile.c b/src/textfile.c
> index 313098f38..8188d2ebe 100644
> --- a/src/textfile.c
> +++ b/src/textfile.c
> @@ -127,10 +127,10 @@ static inline char *find_key(char *map, size_t size, const char *key, size_t len
>         while (ptrlen > len + 1) {
>                 int cmp = (icase) ? strncasecmp(ptr, key, len) : strncmp(ptr, key, len);
>                 if (cmp == 0) {
> -                       if (ptr == map && *(ptr + len) == ' ')
> -                               return ptr;
> -
> -                       if ((*(ptr - 1) == '\r' || *(ptr - 1) == '\n') &&
> +                       if (ptr == map) {
> +                               if (*(ptr + len) == ' ')
> +                                       return ptr;
> +                       } else if ((*(ptr - 1) == '\r' || *(ptr - 1) == '\n') &&
>                                                         *(ptr + len) == ' ')
>                                 return ptr;
>                 }
> --
> 2.47.0.163.g1226f6d8fa-goog
>


-- 
Luiz Augusto von Dentz