public inbox for linux-bluetooth@vger.kernel.org
* [PATCH BlueZ v2 1/5] main: Fix comparison of narrow type with wide type in loop condition
@ 2025-04-28 19:51 Luiz Augusto von Dentz
  2025-04-28 19:51 ` [PATCH BlueZ v2 2/5] client/mgmt: " Luiz Augusto von Dentz
From: Luiz Augusto von Dentz @ 2025-04-28 19:51 UTC (permalink / raw)
  To: linux-bluetooth

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

In a loop condition, comparison of a value of a narrow type with a
value of a wide type may result in unexpected behavior if the wider
value is sufficiently large (or small).

Fixes: https://github.com/bluez/bluez/issues/1213
---
 src/main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main.c b/src/main.c
index 6a682e9b921f..3c51a0092425 100644
--- a/src/main.c
+++ b/src/main.c
@@ -501,7 +501,7 @@ static void parse_mode_config(GKeyFile *config, const char *group,
 				const struct config_param *params,
 				size_t params_len)
 {
-	uint16_t i;
+	size_t i;
 
 	if (!config)
 		return;
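Review bot: the new `size_t i` matches the width of `params_len`, so the `i < params_len` condition can no longer be kept true forever by a wrapped counter; the loop itself is outside this hunk, so it is worth confirming that `i` is not also stored into a narrower field or printed with a `%u` that now needs `%zu`.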
-- 
2.49.0



* [PATCH BlueZ v2 2/5] client/mgmt: Fix comparison of narrow type with wide type in loop condition
  2025-04-28 19:51 [PATCH BlueZ v2 1/5] main: Fix comparison of narrow type with wide type in loop condition Luiz Augusto von Dentz
@ 2025-04-28 19:51 ` Luiz Augusto von Dentz
  2025-04-28 19:51 ` [PATCH BlueZ v2 3/5] test-runner: Fix potentially overflowing call to snprintf Luiz Augusto von Dentz
From: Luiz Augusto von Dentz @ 2025-04-28 19:51 UTC (permalink / raw)
  To: linux-bluetooth

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

In a loop condition, comparison of a value of a narrow type with a
value of a wide type may result in unexpected behavior if the wider
value is sufficiently large (or small).

Fixes: https://github.com/bluez/bluez/issues/1211
---
 client/mgmt.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/client/mgmt.c b/client/mgmt.c
index 1946d65d2fe2..86b5879db8b0 100644
--- a/client/mgmt.c
+++ b/client/mgmt.c
@@ -571,7 +571,7 @@ static void confirm_name_rsp(uint8_t status, uint16_t len,
 
 static char *eir_get_name(const uint8_t *eir, uint16_t eir_len)
 {
-	uint8_t parsed = 0;
+	uint16_t parsed = 0;
 
 	if (eir_len < 2)
 		return NULL;
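Review bot: `uint16_t parsed` now matches `eir_len`, but if the loop body (outside this hunk) advances with `parsed += field_len + 1` and only afterwards compares against `eir_len`, that addition can still wrap when `eir_len` is within 256 of UINT16_MAX; checking `field_len + 1 > eir_len - parsed` before the addition, or making `parsed` a `size_t`, closes that edge whatever limit the caller passes.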
@@ -599,7 +599,7 @@ static char *eir_get_name(const uint8_t *eir, uint16_t eir_len)
 
 static unsigned int eir_get_flags(const uint8_t *eir, uint16_t eir_len)
 {
-	uint8_t parsed = 0;
+	uint16_t parsed = 0;
 
 	if (eir_len < 2)
 		return 0;
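Review bot: same change as in eir_get_name() above, and the two walkers share the same loop structure; one helper that iterates the AD structures and hands each (type, data, length) to a callback would keep the bound checks in a single place, so the next width fix does not have to be applied twice.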
-- 
2.49.0



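The two patches above both widen a running offset so that it matches the uint16_t length it is compared against. The following is an added example (not BlueZ code, and not the patched functions) that walks the same EIR/AD layout the parsers in client/mgmt.c consume: each structure is [len][type][data...], with len counting the type byte and a zero len ending the list. It assumes the AD type values 0x08/0x09 (shortened/complete local name) and 0xFF (manufacturer data); the function names eir_find_name, narrow_offset_wraps and build_sample, and the 300-byte sample blob, are constructed for the example. The second function replays the walk with the pre-patch uint8_t counter next to the true position, so the wrap is observable without ever reading out of bounds.

```c
/* Added example, not BlueZ code: walks an EIR/AD blob and shows why the
 * running offset must be at least as wide as eir_len. On the wire each AD
 * structure is [len][type][data...], len counts the type byte, len 0 ends
 * the list (Bluetooth Core spec, Vol 3 Part C, 11). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AD_TYPE_NAME_SHORT     0x08
#define AD_TYPE_NAME_COMPLETE  0x09
#define AD_TYPE_MANUFACTURER   0xFF

/* Fixed shape: offset as wide as eir_len, bound checked by subtraction
 * before the offset advances, so the addition itself can never wrap.
 * Returns a pointer into eir and sets *name_len, or NULL. */
const uint8_t *eir_find_name(const uint8_t *eir, uint16_t eir_len,
			     size_t *name_len)
{
	uint16_t parsed = 0;

	while (parsed + 1 < eir_len) {
		uint8_t field_len = eir[parsed];

		if (field_len == 0)
			break;
		if (field_len > eir_len - parsed - 1)	/* bytes after len */
			break;
		if (eir[parsed + 1] == AD_TYPE_NAME_SHORT ||
		    eir[parsed + 1] == AD_TYPE_NAME_COMPLETE) {
			*name_len = field_len - 1;
			return &eir[parsed + 2];
		}
		parsed += field_len + 1;
	}

	*name_len = 0;
	return NULL;
}

/* Defect replay: the same walk with the pre-patch uint8_t offset. The real
 * position is tracked separately and used for every memory access, so this
 * is safe to run; it reports whether the narrow counter falls out of step
 * while the loop condition still holds. */
bool narrow_offset_wraps(const uint8_t *eir, uint16_t eir_len)
{
	uint8_t parsed = 0;	/* the narrow counter */
	size_t true_off = 0;	/* where the parser really is */

	while (parsed < eir_len - 1) {
		uint8_t field_len = eir[true_off];

		if (field_len == 0 || true_off + field_len + 1 > eir_len)
			break;
		parsed += field_len + 1;	/* wraps modulo 256 */
		true_off += field_len + 1;
		if (parsed != true_off)
			return true;	/* loop goes on with a bogus offset */
	}

	return false;
}

/* Constructed sample: one maximal manufacturer-data structure (256 bytes on
 * the wire) followed by a Complete Local Name "Test", then zeros. Returns
 * the number of meaningful bytes written (262), or 0 if buf is too small. */
#define SAMPLE_LEN 300

size_t build_sample(uint8_t *buf, size_t buf_len)
{
	static const char name[] = "Test";
	size_t off = 0;

	if (buf_len < 256 + 2 + (sizeof(name) - 1))
		return 0;
	memset(buf, 0, buf_len);
	buf[off++] = 0xFF;			/* len: type + 254 data bytes */
	buf[off++] = AD_TYPE_MANUFACTURER;
	off += 254;				/* payload left as zeros */
	buf[off++] = (uint8_t)(1 + (sizeof(name) - 1));	/* type + 4 bytes */
	buf[off++] = AD_TYPE_NAME_COMPLETE;
	memcpy(buf + off, name, sizeof(name) - 1);
	off += sizeof(name) - 1;
	return off;
}

int main(void)
{
	uint8_t blob[SAMPLE_LEN];
	size_t name_len = 0;
	const uint8_t *name;

	build_sample(blob, sizeof(blob));
	name = eir_find_name(blob, SAMPLE_LEN, &name_len);
	printf("uint16_t offset: name \"%.*s\"\n", (int)name_len,
	       name ? (const char *)name : "");
	printf("uint8_t offset wraps: %s\n",
	       narrow_offset_wraps(blob, SAMPLE_LEN) ? "yes" : "no");
	return 0;
}
```

With the 300-byte sample the first structure alone advances the offset by 256, which a uint8_t stores as 0: the loop condition stays true while the data pointer has already moved past the structure, and in the unfixed code every later read is at an offset the counter no longer describes.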
* [PATCH BlueZ v2 3/5] test-runner: Fix potentially overflowing call to snprintf
  2025-04-28 19:51 [PATCH BlueZ v2 1/5] main: Fix comparison of narrow type with wide type in loop condition Luiz Augusto von Dentz
  2025-04-28 19:51 ` [PATCH BlueZ v2 2/5] client/mgmt: " Luiz Augusto von Dentz
@ 2025-04-28 19:51 ` Luiz Augusto von Dentz
  2025-04-28 19:51 ` [PATCH BlueZ v2 4/5] client/mgmt: " Luiz Augusto von Dentz
From: Luiz Augusto von Dentz @ 2025-04-28 19:51 UTC (permalink / raw)
  To: linux-bluetooth

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

The return value of a call to snprintf is the number of characters that
would have been written to the buffer assuming there was sufficient
space.
In the event that the operation reaches the end of the buffer and more
than one character is discarded, the return value will be greater than
the buffer size.

Fixes: https://github.com/bluez/bluez/issues/1215
---
 tools/test-runner.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/tools/test-runner.c b/tools/test-runner.c
index 1d770330ceaa..7c9386d2c3d3 100644
--- a/tools/test-runner.c
+++ b/tools/test-runner.c
@@ -261,7 +261,15 @@ static void start_qemu(void)
 
 	for (i = 1; i < test_argc; i++) {
 		int len = sizeof(testargs) - pos;
-		pos += snprintf(testargs + pos, len, " %s", test_argv[i]);
+		int n = snprintf(testargs + pos, len, " %s", test_argv[i]);
+
+		if (n < 0 || n >= len) {
+			fprintf(stderr, "Buffer overflow detected in "
+					"testargs\n");
+			exit(EXIT_FAILURE);
+		}
+
+		pos += n;
 	}
 
 	snprintf(cmdline, sizeof(cmdline),
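Review bot: `n < 0 || n >= len` is the right truncation test (snprintf returns the length it wanted, so `n == len` already means the terminator displaced the last character), but the message is misleading: nothing overflowed, the argument list was too long for `testargs`, so say that. `len` is `sizeof(testargs) - pos` narrowed to `int`; with this check `pos` stays below `sizeof(testargs)` so it cannot go negative, but a `size_t` would not rely on that. The `snprintf(cmdline, ...)` call in the trailing context is still unchecked and is fed the same kind of input.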
-- 
2.49.0



* [PATCH BlueZ v2 4/5] client/mgmt: Fix potentially overflowing call to snprintf
  2025-04-28 19:51 [PATCH BlueZ v2 1/5] main: Fix comparison of narrow type with wide type in loop condition Luiz Augusto von Dentz
  2025-04-28 19:51 ` [PATCH BlueZ v2 2/5] client/mgmt: " Luiz Augusto von Dentz
  2025-04-28 19:51 ` [PATCH BlueZ v2 3/5] test-runner: Fix potentially overflowing call to snprintf Luiz Augusto von Dentz
@ 2025-04-28 19:51 ` Luiz Augusto von Dentz
  2025-04-28 19:51 ` [PATCH BlueZ v2 5/5] shared/bap: Too few arguments to formatting function Luiz Augusto von Dentz
From: Luiz Augusto von Dentz @ 2025-04-28 19:51 UTC (permalink / raw)
  To: linux-bluetooth

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

The return value of a call to snprintf is the number of characters that
would have been written to the buffer assuming there was sufficient
space.
In the event that the operation reaches the end of the buffer and more
than one character is discarded, the return value will be greater than
the buffer size.

Fixes: https://github.com/bluez/bluez/issues/1216
Fixes: https://github.com/bluez/bluez/issues/1217
Fixes: https://github.com/bluez/bluez/issues/1218
Fixes: https://github.com/bluez/bluez/issues/1219
---
 client/mgmt.c | 48 ++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 40 insertions(+), 8 deletions(-)

diff --git a/client/mgmt.c b/client/mgmt.c
index 86b5879db8b0..faa97a159e3c 100644
--- a/client/mgmt.c
+++ b/client/mgmt.c
@@ -316,9 +316,17 @@ static const char *options2str(uint32_t options)
 	str[0] = '\0';
 
 	for (i = 0; i < NELEM(options_str); i++) {
-		if ((options & (1 << i)) != 0)
-			off += snprintf(str + off, sizeof(str) - off, "%s ",
+		if ((options & (1 << i)) != 0) {
+			int n = snprintf(str + off, sizeof(str) - off, "%s ",
 							options_str[i]);
+
+			if (n < 0 || n >= (int)(sizeof(str) - off)) {
+				str[off] = '\0';
+				break;
+			}
+
+			off += n;
+		}
 	}
 
 	return str;
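Review bot: the `str[off] = '\0'` on truncation drops the partially written name rather than leaving a cut-off token, which is the right choice for a display string, but the caller gets no hint that options were omitted; if that matters, reserve room for a trailing marker. `1 << i` is a signed shift: with `i` reaching 31 it is undefined behaviour, so `UINT32_C(1) << i` (or `1U << i`) is safer given `options` is `uint32_t`.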
@@ -372,9 +380,17 @@ static const char *settings2str(uint32_t settings)
 	str[0] = '\0';
 
 	for (i = 0; i < NELEM(settings_str); i++) {
-		if ((settings & (1 << i)) != 0)
-			off += snprintf(str + off, sizeof(str) - off, "%s ",
+		if ((settings & (1 << i)) != 0) {
+			int n = snprintf(str + off, sizeof(str) - off, "%s ",
 							settings_str[i]);
+
+			if (n < 0 || n >= (int)(sizeof(str) - off)) {
+				str[off] = '\0';
+				break;
+			}
+
+			off += n;
+		}
 	}
 
 	return str;
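Review bot: this is the second copy of the same loop (options2str above, adv_flags2str and phys2str below are identical apart from the table); a `bitmask2str(uint32_t mask, const char * const *names, size_t n, char *buf, size_t len)` helper would make the truncation handling one function to get right. The `(int)(sizeof(str) - off)` cast is fine since `off` cannot exceed `sizeof(str)` once this check is in place.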
@@ -4490,9 +4506,17 @@ static const char *adv_flags2str(uint32_t flags)
 	str[0] = '\0';
 
 	for (i = 0; i < NELEM(adv_flags_str); i++) {
-		if ((flags & (1 << i)) != 0)
-			off += snprintf(str + off, sizeof(str) - off, "%s ",
+		if ((flags & (1 << i)) != 0) {
+			int n = snprintf(str + off, sizeof(str) - off, "%s ",
 							adv_flags_str[i]);
+
+			if (n < 0 || n >= (int)(sizeof(str) - off)) {
+				str[off] = '\0';
+				break;
+			}
+
+			off += n;
+		}
 	}
 
 	return str;
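Review bot: because `str` is returned to the caller it must have static storage, so the result is overwritten by the next call and is not reentrant; acceptable for a single-threaded CLI, but worth a comment at the declaration. The same `1 << i` signed-shift remark as for options2str applies here.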
@@ -5429,9 +5453,17 @@ static const char *phys2str(uint32_t phys)
 	str[0] = '\0';
 
 	for (i = 0; i < NELEM(phys_str); i++) {
-		if ((phys & (1 << i)) != 0)
-			off += snprintf(str + off, sizeof(str) - off, "%s ",
+		if ((phys & (1 << i)) != 0) {
+			int n = snprintf(str + off, sizeof(str) - off, "%s ",
 							phys_str[i]);
+
+			if (n < 0 || n >= (int)(sizeof(str) - off)) {
+				str[off] = '\0';
+				break;
+			}
+
+			off += n;
+		}
 	}
 
 	return str;
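Review bot: same fix as in the three functions above; once truncation ends the loop, `off` stays within `sizeof(str)`, so `sizeof(str) - off` in a later iteration cannot underflow, which was the actual hazard of the old `off += snprintf(...)` form: an underflowed `size_t` passed as the length disables the bound and `str + off` already points past the buffer.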
-- 
2.49.0



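Patches 3/5 and 4/5 both fix the same idiom: adding the return value of snprintf to a running offset without checking whether the call was truncated. The block below is an added example (not BlueZ code, and not the patched functions) that shows the checked form in both shapes the series touches, joining argv-style strings as tools/test-runner.c does and rendering a bitmask as space-separated names as client/mgmt.c does, plus a measurement of the offset the unchecked form would have reached. The helper names append_fmt, join_args, unchecked_offset and bitmask2str, the argument list and the flag names are constructed for the example.

```c
/* Added example, not BlueZ code: accumulating snprintf() output into a
 * fixed buffer with truncation detection. snprintf() returns the length it
 * wanted, not what it wrote, so a return value >= the space left means the
 * output was cut and the offset must not be advanced by it. */
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Appends formatted text at *off. Returns false, leaving the buffer
 * NUL-terminated at *off and *off unchanged, when the text does not fit. */
static bool append_fmt(char *buf, size_t buf_len, size_t *off,
		       const char *fmt, ...)
{
	va_list ap;
	int n;

	if (*off >= buf_len)
		return false;
	va_start(ap, fmt);
	n = vsnprintf(buf + *off, buf_len - *off, fmt, ap);
	va_end(ap);
	if (n < 0 || (size_t)n >= buf_len - *off) {
		buf[*off] = '\0';	/* drop the partial token */
		return false;
	}
	*off += (size_t)n;
	return true;
}

/* test-runner shape: " arg1 arg2 ...". Returns the final length, or -1 if
 * an argument did not fit (buffer keeps what fitted before it). */
int join_args(char *buf, size_t buf_len, const char *const *argv, int argc)
{
	size_t off = 0;
	int i;

	if (buf_len == 0)
		return -1;
	buf[0] = '\0';
	for (i = 0; i < argc; i++) {
		if (!append_fmt(buf, buf_len, &off, " %s", argv[i]))
			return -1;
	}
	return (int)off;
}

/* What the unchecked `pos += snprintf(...)` pattern computes: the sum of
 * wanted lengths, measured here with a zero-size snprintf() so nothing is
 * written. Once this passes the buffer size, the next `buf + pos` points
 * past the buffer and `sizeof(buf) - pos` underflows. */
size_t unchecked_offset(const char *const *argv, int argc)
{
	size_t pos = 0;
	int i;

	for (i = 0; i < argc; i++)
		pos += (size_t)snprintf(NULL, 0, " %s", argv[i]);
	return pos;
}

/* client/mgmt shape: bit i set -> names[i] plus a space. Stops at the first
 * name that does not fit, keeping what was rendered. Returns the number of
 * names rendered. Unsigned shift: 1 << 31 on an int would be UB. */
size_t bitmask2str(uint32_t mask, const char *const *names, size_t n_names,
		   char *buf, size_t buf_len)
{
	size_t off = 0, rendered = 0, i;

	if (buf_len == 0)
		return 0;
	buf[0] = '\0';
	for (i = 0; i < n_names && i < 32; i++) {
		if (!(mask & (UINT32_C(1) << i)))
			continue;
		if (!append_fmt(buf, buf_len, &off, "%s ", names[i]))
			break;
		rendered++;
	}
	return rendered;
}

int main(void)
{
	/* constructed inputs */
	static const char *const args[] = { "--kernel", "bzImage", "--unit", "test" };
	static const char *const flags[] = { "powered", "connectable",
					     "discoverable", "bondable" };
	char big[64], small[16];

	printf("join into 64: %d -> \"%s\"\n", join_args(big, sizeof(big), args, 4), big);
	printf("join into 16: %d -> \"%s\" (unchecked pos would be %zu)\n",
	       join_args(small, sizeof(small), args, 4), small,
	       unchecked_offset(args, 4));
	printf("flags into 16: %zu -> \"%s\"\n",
	       bitmask2str(0x0B, flags, 4, small, sizeof(small)), small);
	return 0;
}
```

Into the 16-byte buffer the four arguments need 29 bytes; the checked join stops after " --kernel" and reports failure, while the unchecked offset would have reached 29, at which point the old code's `sizeof(buf) - pos` is a size_t below zero and snprintf is handed a huge length.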
* [PATCH BlueZ v2 5/5] shared/bap: Too few arguments to formatting function
  2025-04-28 19:51 [PATCH BlueZ v2 1/5] main: Fix comparison of narrow type with wide type in loop condition Luiz Augusto von Dentz
  2025-04-28 19:51 ` [PATCH BlueZ v2 4/5] client/mgmt: " Luiz Augusto von Dentz
@ 2025-04-28 19:51 ` Luiz Augusto von Dentz
  2025-04-28 21:14 ` [BlueZ,v2,1/5] main: Fix comparison of narrow type with wide type in loop condition bluez.test.bot
  2025-04-28 21:40 ` [PATCH BlueZ v2 1/5] " patchwork-bot+bluetooth
From: Luiz Augusto von Dentz @ 2025-04-28 19:51 UTC (permalink / raw)
  To: linux-bluetooth

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

Each call to the printf function, or a related function, should include
the number of arguments defined by the format. Passing the function more
arguments than required is harmless (although it may be indicative of
other defects). However, passing the function fewer arguments than are
defined by the format can be a security vulnerability since the function
will process the next item on the stack as the missing arguments.

Fixes: https://github.com/bluez/bluez/issues/1221
Fixes: https://github.com/bluez/bluez/issues/1222
---
 src/shared/bap.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/shared/bap.c b/src/shared/bap.c
index 4c5b38b1e3d2..2a08f3eea7b8 100644
--- a/src/shared/bap.c
+++ b/src/shared/bap.c
@@ -1630,7 +1630,8 @@ static bool bap_send(struct bt_bap *bap, struct bt_bap_req *req)
 	DBG(bap, "req %p len %u", req, iov.iov_len);
 
 	if (req->stream && !queue_find(bap->streams, NULL, req->stream)) {
-		DBG(bap, "stream %p detached, aborting op 0x%02x", req->op);
+		DBG(bap, "stream %p detached, aborting op 0x%02x", req->stream,
+								req->op);
 		return false;
 	}
 
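Review bot: the added `req->stream` supplies the `%p` the format already asked for; before this, `%p` consumed `req->op` and `%02x` read an argument that was never passed. If DBG() forwards to a function carrying `__attribute__((format(printf, ...)))`, `-Wformat` reports this class of mismatch at compile time, which is cheaper than the external scan that found it.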
@@ -3138,7 +3139,7 @@ static uint8_t ascs_qos(struct bt_ascs *ascs, struct bt_bap *bap,
 
 	ep = bap_get_local_endpoint_id(bap, req->ase);
 	if (!ep) {
-		DBG(bap, "%s: Invalid ASE ID 0x%02x", req->ase);
+		DBG(bap, "Invalid ASE ID 0x%02x", req->ase);
 		ascs_ase_rsp_add(rsp, req->ase,
 				BT_ASCS_RSP_INVALID_ASE, BT_ASCS_REASON_NONE);
 		return 0;
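Review bot: the fix drops the `%s:` prefix rather than supplying an argument for it; if a function-name prefix was intended, `__func__` is the usual argument and the other DBG() calls in this file should follow the same convention, otherwise the shortened message is consistent with the `stream %p` message above.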
-- 
2.49.0



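The commit message above describes the hazard of a format that names more conversions than the call passes. As an added example (not BlueZ code) the block below shows the two guards a practitioner applies: a conversion counter of the kind a linter runs over format literals, and a logging wrapper with the GCC/Clang format attribute so the compiler checks every call site under -Wformat. The names count_conversions, dbg_fmt and PRINTF_LIKE are constructed for the example, and the attribute is assumed to be available (it is on GCC and Clang; the macro compiles to nothing elsewhere).

```c
/* Added example, not BlueZ code: guards against a printf-style format that
 * consumes more arguments than the call supplies. */
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#if defined(__GNUC__)
#define PRINTF_LIKE(fmt_idx, arg_idx) \
	__attribute__((format(printf, fmt_idx, arg_idx)))
#else
#define PRINTF_LIKE(fmt_idx, arg_idx)
#endif

/* Counts the arguments a printf-style format consumes: every conversion
 * except "%%", plus one for each '*' used as width or precision. */
int count_conversions(const char *fmt)
{
	int count = 0;
	const char *p = fmt;

	while ((p = strchr(p, '%')) != NULL) {
		p++;
		if (*p == '%') {		/* literal percent */
			p++;
			continue;
		}
		/* flags, width, precision; '*' pulls an extra int argument */
		while (*p && strchr("-+ #0123456789.*", *p)) {
			if (*p == '*')
				count++;
			p++;
		}
		while (*p && strchr("hlLqjzt", *p))	/* length modifiers */
			p++;
		if (*p == '\0')
			break;			/* dangling '%' at end */
		count++;			/* the conversion itself */
		p++;
	}
	return count;
}

/* Logging wrapper with the format attribute: the compiler cross-checks the
 * literal format against the supplied arguments at each call site, so a
 * call like dbg_fmt(buf, n, "%s: id 0x%02x", id) is flagged by -Wformat. */
PRINTF_LIKE(3, 4)
int dbg_fmt(char *out, size_t out_len, const char *fmt, ...)
{
	va_list ap;
	int n;

	va_start(ap, fmt);
	n = vsnprintf(out, out_len, fmt, ap);
	va_end(ap);
	return n;
}

int main(void)
{
	char buf[64];

	/* the two formats as fixed by the patch, and the unfixed one */
	printf("%d %d %d\n",
	       count_conversions("stream %p detached, aborting op 0x%02x"),
	       count_conversions("Invalid ASE ID 0x%02x"),
	       count_conversions("%s: Invalid ASE ID 0x%02x"));
	dbg_fmt(buf, sizeof(buf), "Invalid ASE ID 0x%02x", 0x05);
	printf("%s\n", buf);
	return 0;
}
```

The unfixed "%s: Invalid ASE ID 0x%02x" counts two conversions against the one argument the call passed, which is exactly the mismatch the commit message describes; with the attribute on the wrapper the same call does not get past the compiler.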
* RE: [BlueZ,v2,1/5] main: Fix comparison of narrow type with wide type in loop condition
  2025-04-28 19:51 [PATCH BlueZ v2 1/5] main: Fix comparison of narrow type with wide type in loop condition Luiz Augusto von Dentz
  2025-04-28 19:51 ` [PATCH BlueZ v2 5/5] shared/bap: Too few arguments to formatting function Luiz Augusto von Dentz
@ 2025-04-28 21:14 ` bluez.test.bot
  2025-04-28 21:40 ` [PATCH BlueZ v2 1/5] " patchwork-bot+bluetooth
From: bluez.test.bot @ 2025-04-28 21:14 UTC (permalink / raw)
  To: linux-bluetooth, luiz.dentz


This is an automated email; please do not reply to it.

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=957841

---Test result---

Test Summary:
CheckPatch                    PENDING   0.25 seconds
GitLint                       PENDING   0.28 seconds
BuildEll                      PASS      20.36 seconds
BluezMake                     PASS      2696.47 seconds
MakeCheck                     PASS      20.52 seconds
MakeDistcheck                 PASS      198.26 seconds
CheckValgrind                 PASS      275.33 seconds
CheckSmatch                   WARNING   303.36 seconds
bluezmakeextell               PASS      127.88 seconds
IncrementalBuild              PENDING   0.21 seconds
ScanBuild                     PASS      903.97 seconds

Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:

##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:

##############################
Test: CheckSmatch - WARNING
Desc: Run smatch tool with source
Output:
src/shared/bap.c:315:25: warning: array of flexible structures
src/shared/bap.c: note: in included file:
./src/shared/ascs.h:88:25: warning: array of flexible structures
src/shared/bap.c:315:25: warning: array of flexible structures
src/shared/bap.c: note: in included file:
./src/shared/ascs.h:88:25: warning: array of flexible structures
src/shared/bap.c:315:25: warning: array of flexible structures
src/shared/bap.c: note: in included file:
./src/shared/ascs.h:88:25: warning: array of flexible structures
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:



---
Regards,
Linux Bluetooth



* Re: [PATCH BlueZ v2 1/5] main: Fix comparison of narrow type with wide type in loop condition
  2025-04-28 19:51 [PATCH BlueZ v2 1/5] main: Fix comparison of narrow type with wide type in loop condition Luiz Augusto von Dentz
  2025-04-28 21:14 ` [BlueZ,v2,1/5] main: Fix comparison of narrow type with wide type in loop condition bluez.test.bot
@ 2025-04-28 21:40 ` patchwork-bot+bluetooth
From: patchwork-bot+bluetooth @ 2025-04-28 21:40 UTC (permalink / raw)
  To: Luiz Augusto von Dentz; +Cc: linux-bluetooth

Hello:

This series was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Mon, 28 Apr 2025 15:51:18 -0400 you wrote:
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> 
> In a loop condition, comparison of a value of a narrow type with a
> value of a wide type may result in unexpected behavior if the wider
> value is sufficiently large (or small).
> 
> Fixes: https://github.com/bluez/bluez/issues/1213
> 
> [...]

Here is the summary with links:
  - [BlueZ,v2,1/5] main: Fix comparison of narrow type with wide type in loop condition
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=295ec99499c9
  - [BlueZ,v2,2/5] client/mgmt: Fix comparison of narrow type with wide type in loop condition
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=25c23ffca7e6
  - [BlueZ,v2,3/5] test-runner: Fix potentially overflowing call to snprintf
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=e18ce6c959a1
  - [BlueZ,v2,4/5] client/mgmt: Fix potentially overflowing call to snprintf
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=51adc109d41a
  - [BlueZ,v2,5/5] shared/bap: Too few arguments to formatting function
    https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=f96f3b34db40

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



