public inbox for linux-bluetooth@vger.kernel.org
From: Bastien Nocera <hadess@hadess.net>
To: linux-bluetooth@vger.kernel.org
Cc: Bastien Nocera <hadess@hadess.net>
Subject: [BlueZ v2 02/20] attrib/gatt: Guard against possible integer overflow
Date: Fri, 10 May 2024 14:10:12 +0200
Message-ID: <20240510121355.3241456-3-hadess@hadess.net> (raw)
In-Reply-To: <20240510121355.3241456-1-hadess@hadess.net>

Error: INTEGER_OVERFLOW (CWE-190): [#def30]
bluez-5.75/attrib/gatt.c:1016:2: known_value_assign: "last" = "65535", its value is now 65535.
bluez-5.75/attrib/gatt.c:1087:2: overflow_const: Expression "dd->start", which is equal to 65536, where "last + 1" is known to be equal to 65536, overflows the type that receives it, an unsigned integer 16 bits wide.
1085|		}
1086|
1087|->		dd->start = last + 1;
1088|
1089|		if (last < dd->end && !uuid_found) {
---
 attrib/gatt.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/attrib/gatt.c b/attrib/gatt.c
index b496dd1ebd95..3cedae9d167a 100644
--- a/attrib/gatt.c
+++ b/attrib/gatt.c
@@ -1076,10 +1076,12 @@ static void desc_discovered_cb(guint8 status, const guint8 *ipdu,
 	att_data_list_free(list);
 
 	/*
-	 * If last handle is lower from previous start handle then it is smth
-	 * wrong. Let's stop search, otherwise we might enter infinite loop.
+	 * If last handle is lower from previous start handle or if iterating
+	 * to the next handle from the last possible offset would overflow, then
+	 * something is wrong. Let's stop search, otherwise we might enter
+	 * infinite loop.
 	 */
-	if (last < dd->start) {
+	if (last < dd->start || last == G_MAXUINT16) {
 		err = ATT_ECODE_UNLIKELY;
 		goto done;
 	}
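Review bot: the new `last == G_MAXUINT16` test turns a well-formed end-of-range reply into an error. A descriptor at handle 0xFFFF is valid (it is the highest ATT handle), and in the code shown in the Coverity excerpt the pre-patch loop already stopped there, because the `last < dd->end` test at line 1089 cannot hold when `last` is 0xFFFF; only the `dd->start = last + 1` assignment at line 1087 wrapped. After this hunk that discovery takes the `err = ATT_ECODE_UNLIKELY; goto done;` path instead of completing normally. Suggest guarding the increment rather than the reply: keep the `last < dd->start` check as it was and move the assignment under the continue branch, e.g. `if (last < dd->end && !uuid_found) { dd->start = last + 1; ... }`, so that `last == G_MAXUINT16` ends the search without an error. Minor: "lower from" in the comment should read "lower than".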
-- 
2.44.0
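
Added example (not BlueZ code and not part of this patch): a constructed C model of a GATT handle-range walk that shows why `last + 1` needs a guard when handles are 16-bit. BlueZ's own loop, as the Coverity excerpt in the commit message shows, stops on `last < dd->end`, so there the wrap only lands in `dd->start`; this example uses the common loop shape `start = last + 1; continue while start <= end`, where the wrap to 0 restarts the walk from the bottom of the range and never ends. The attribute table, `find_information()` and the two walk functions are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed attribute table (an assumption for this example, not BlueZ
 * data): the handles that carry a descriptor. The last one sits at 0xFFFF,
 * the highest valid ATT handle, which is the case the patch guards. */
static const uint16_t desc_handles[] = { 0x0003, 0x0004, 0x0010, 0xFFFF };
#define NUM_DESC (sizeof(desc_handles) / sizeof(desc_handles[0]))

/* Stand-in for one Find Information round trip (hypothetical helper):
 * the peer answers with the lowest descriptor handle inside [start, end],
 * or 0, which is never a valid handle, when the range holds none. */
static uint16_t find_information(uint16_t start, uint16_t end)
{
	size_t i;

	for (i = 0; i < NUM_DESC; i++)
		if (desc_handles[i] >= start && desc_handles[i] <= end)
			return desc_handles[i];

	return 0;
}

struct walk_result {
	unsigned int found;	/* descriptor handles collected */
	unsigned int rounds;	/* requests issued */
	bool finished;		/* ended on its own, not by the round cap */
};

/* Range walk with no overflow guard: next start is last + 1, and the walk
 * continues while start <= end. When last is 0xFFFF the uint16_t sum wraps
 * to 0, start <= end holds again, and the walk restarts from the bottom of
 * the range. max_rounds caps it so the bug shows up as a count, not a hang. */
static struct walk_result walk_unguarded(uint16_t start, uint16_t end,
					 unsigned int max_rounds)
{
	struct walk_result r = { 0, 0, false };

	while (start <= end) {
		uint16_t last;

		if (r.rounds == max_rounds)
			return r;	/* gave up: the walk did not terminate */

		r.rounds++;
		last = find_information(start, end);
		if (last == 0)
			break;	/* nothing left in [start, end] */

		r.found++;
		start = (uint16_t)(last + 1);	/* 0xFFFF + 1 wraps to 0 here */
	}

	r.finished = true;
	return r;
}

/* Same walk with the guards the patched code carries: a reply below the
 * requested start is a misbehaving peer, and a reply at 0xFFFF means
 * nothing can follow, so stop before computing last + 1. */
static struct walk_result walk_guarded(uint16_t start, uint16_t end,
				       unsigned int max_rounds)
{
	struct walk_result r = { 0, 0, false };

	while (start <= end) {
		uint16_t last;

		if (r.rounds == max_rounds)
			return r;

		r.rounds++;
		last = find_information(start, end);
		if (last == 0 || last < start)
			break;	/* range exhausted, or a reply we must not trust */

		r.found++;
		if (last == UINT16_MAX)
			break;	/* last + 1 would wrap; the range is complete */

		start = (uint16_t)(last + 1);
	}

	r.finished = true;
	return r;
}

int main(void)
{
	struct walk_result u = walk_unguarded(0x0001, 0xFFFF, 16);
	struct walk_result g = walk_guarded(0x0001, 0xFFFF, 16);

	printf("unguarded: %u rounds, %u found, finished=%d\n",
	       u.rounds, u.found, u.finished);
	printf("guarded:   %u rounds, %u found, finished=%d\n",
	       g.rounds, g.found, g.finished);
	return 0;
}
```

With the full range 0x0001..0xFFFF the unguarded walk hits the round cap and has counted the same four descriptors several times over; the guarded walk issues four requests and stops. With a range that ends below 0xFFFF both behave identically, which is why the wrap only surfaces on the last possible handle.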


Thread overview: 24+ messages
2024-05-10 12:10 [BlueZ v2 00/20] Fix a number of static analysis issues Bastien Nocera
2024-05-10 12:10 ` [BlueZ v2 01/20] adapter: Use false instead of 0 for bool Bastien Nocera
2024-05-10 12:10 ` Bastien Nocera [this message]
2024-05-10 12:10 ` [BlueZ v2 03/20] client/gatt: Don't pass negative fd on error Bastien Nocera
2024-05-10 12:10 ` [BlueZ v2 04/20] client/gatt: Check write_value() retval Bastien Nocera
2024-05-10 12:10 ` [BlueZ v2 05/20] client/main: Fix array access Bastien Nocera
2024-05-10 12:10 ` [BlueZ v2 06/20] client/main: Fix mismatched free Bastien Nocera
2024-05-10 12:10 ` [BlueZ v2 07/20] monitor/att: Fix memory leak Bastien Nocera
2024-05-10 12:10 ` [BlueZ v2 08/20] bap: Fix memory leaks Bastien Nocera
2024-05-10 12:10 ` [BlueZ v2 09/20] media: Fix memory leak Bastien Nocera
2024-05-10 12:10 ` [BlueZ v2 10/20] main: Fix memory leaks Bastien Nocera
2024-05-10 12:10 ` [BlueZ v2 11/20] isotest: Consider "0" fd to be valid Bastien Nocera
2024-05-10 12:10 ` [BlueZ v2 12/20] isotest: Fix error check after opening file Bastien Nocera
2024-05-10 12:10 ` [BlueZ v2 13/20] client/player: Fix copy/paste error Bastien Nocera
2024-05-10 12:10 ` [BlueZ v2 14/20] shared/vcp: " Bastien Nocera
2024-05-10 12:10 ` [BlueZ v2 15/20] isotest: Fix fd leak Bastien Nocera
2024-05-10 12:10 ` [BlueZ v2 16/20] iso-tester: " Bastien Nocera
2024-05-10 12:10 ` [BlueZ v2 17/20] sdp: Fix use of uninitialised memory Bastien Nocera
2024-05-10 12:10 ` [BlueZ v2 18/20] monitor: Work-around memory leak warning Bastien Nocera
2024-05-10 12:10 ` [BlueZ v2 19/20] avrcp: Fix uninitialised memory usage Bastien Nocera
2024-05-10 12:10 ` [BlueZ v2 20/20] main: Simplify variable assignment Bastien Nocera
2024-05-10 15:40 ` [BlueZ v2 00/20] Fix a number of static analysis issues patchwork-bot+bluetooth
2024-05-10 16:42   ` Luiz Augusto von Dentz
2024-05-14 10:05     ` Bastien Nocera
