signalfd_siginfo uses a u32 for the signal number, but siginfo_t uses a signed integer for it, so an (unlikely) big value for the signal number could result in a negative value being passed to the callbacks. Catch that and bail early. Error: INTEGER_OVERFLOW (CWE-190): [#def44] [important] bluez-5.76/src/shared/mainloop-notify.c:132:2: tainted_data_argument: The value "si" is considered tainted. bluez-5.76/src/shared/mainloop-notify.c:137:3: tainted_data_argument: "si.ssi_signo" is considered tainted. bluez-5.76/src/shared/mainloop-notify.c:137:3: underflow: The cast of "si.ssi_signo" to a signed type could result in a negative number. 135| 136| if (data && data->func) 137|-> data->func(si.ssi_signo, data->user_data); 138| 139| return true; --- src/shared/mainloop-notify.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/shared/mainloop-notify.c b/src/shared/mainloop-notify.c index 33be3cf8d78e..11989512e013 100644 --- a/src/shared/mainloop-notify.c +++ b/src/shared/mainloop-notify.c @@ -15,6 +15,7 @@ #define _GNU_SOURCE #include <stdio.h> #include <errno.h> +#include <limits.h> #include <unistd.h> #include <stdlib.h> #include <stddef.h> @@ -130,7 +131,7 @@ static bool signal_read(struct io *io, void *user_data) fd = io_get_fd(io); result = read(fd, &si, sizeof(si)); - if (result != sizeof(si)) + if (result != sizeof(si) || si.ssi_signo > INT_MAX) return false; if (data && data->func) -- 2.45.1
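Review bot: in the second hunk, `si.ssi_signo > INT_MAX` only closes the sign-flip case Coverity reported; since the value is handed to the callback as a signal number, a bound that reflects the actual valid range (for example `si.ssi_signo >= NSIG`, which is available here because the file defines `_GNU_SOURCE`) would reject every out-of-range value, not just those above INT_MAX, and would make the intent of the check clearer than the INT_MAX comparison does. The new branch also bails with `return false` without any diagnostic, so a corrupted or unexpected `ssi_signo` is indistinguishable from a short read; a one-line log before the return would help when debugging. Consider also a short comment on the check itself, since the reason (u32 in signalfd_siginfo versus int in siginfo_t) is only recorded in the commit message.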