From patchwork Fri Jul 5 08:57:32 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 810480 Received: from relay3-d.mail.gandi.net (relay3-d.mail.gandi.net [217.70.183.195]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 96271145FE0 for ; Fri, 5 Jul 2024 08:59:44 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.195 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720169987; cv=none; b=JeGl62AGe6/K3HDxeVt0n1BEi1Djc4aAAQY2RImHE6M/nTX4fowyj6CCltCmKVizA2RW2HI2IaZtM5O1GA5kmqnKOxTR/3/uBBCgUK8yrPYgMzQ1kZN9exxtIkzmqUj9IUhTVhNdA/pUBZy4/zuXTx6OuUGB95a4FhUzNNsuJjE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1720169987; c=relaxed/simple; bh=lvIg2+dDecXMydPp3QRxG42uiS2BVeRFzszFwjtEl44=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=qClbhdsgoIggcQ8gMKz59vf9TiC8xS4CIgPiOdOcLGfd+Drs1nwKfmwMoPkRlC6kxcFq8uDdUl7mYjd2HhfL6f2pcZQFrNKSngi8p8PXfyWzoIYHLh6RZnQZt/79Hxmin8XZzyLnSF+vlYjkSVOrEOvcaMVTDVAldGw/oDu95cs= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.195 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id 06CF860005; Fri, 5 Jul 2024 08:59:36 +0000 (UTC) From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [BlueZ v2 04/11] btsnoop: Fix possible negative memcpy length Date: Fri, 5 Jul 2024 10:57:32 +0200 Message-ID: <20240705085935.1255725-5-hadess@hadess.net> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20240705085935.1255725-1-hadess@hadess.net> References: <20240705085935.1255725-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net Error: INTEGER_OVERFLOW (CWE-190): [#def41] [important] bluez-5.76/tools/btsnoop.c:438:2: tainted_data_return: Called function "read(fd, buf, toread)", and a possible return value may be less than zero. bluez-5.76/tools/btsnoop.c:438:2: assign: Assigning: "len" = "read(fd, buf, toread)". bluez-5.76/tools/btsnoop.c:473:4: overflow: The cast of "len - 9L", which is potentially negative, to an unsigned type could result in an overflow. 471| /* next 4 bytes are data len and cid */ 472| current_cid = buf[8] << 8 | buf[7]; 473|-> memcpy(pdu_buf, buf + 9, len - 9); 474| pdu_len = len - 9; 475| } else if (acl_flags & 0x01) { Error: INTEGER_OVERFLOW (CWE-190): [#def42] [important] bluez-5.76/tools/btsnoop.c:438:2: tainted_data_return: Called function "read(fd, buf, toread)", and a possible return value may be less than zero. bluez-5.76/tools/btsnoop.c:438:2: assign: Assigning: "len" = "read(fd, buf, toread)". bluez-5.76/tools/btsnoop.c:476:4: overflow: The cast of "len - 5L", which is potentially negative, to an unsigned type could result in an overflow. 474| pdu_len = len - 9; 475| } else if (acl_flags & 0x01) { 476|-> memcpy(pdu_buf + pdu_len, buf + 5, len - 5); 477| pdu_len += len - 5; 478| } --- tools/btsnoop.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/btsnoop.c b/tools/btsnoop.c index efaa45db41dd..0bd28b65b6e1 100644 --- a/tools/btsnoop.c +++ b/tools/btsnoop.c @@ -448,7 +448,7 @@ next_packet: acl_flags = buf[2] >> 4; /* use only packet with ACL start flag */ - if (acl_flags & 0x02) { + if ((acl_flags & 0x02) && len > 9) { if (current_cid == 0x0040 && pdu_len > 0) { int i; if (!pdu_first) @@ -472,7 +472,7 @@ next_packet: current_cid = buf[8] << 8 | buf[7]; memcpy(pdu_buf, buf + 9, len - 9); pdu_len = len - 9; - } else if (acl_flags & 0x01) { + } else if ((acl_flags & 0x01) && len > 5) { memcpy(pdu_buf + pdu_len, buf + 5, len - 5); pdu_len += len - 5; }