We would boundary check the expected_pdu_size array based on the value
of type, but would still access it out-of-bounds for the debug message.
Split off the invalid type check into its own message to avoid this.
Error: OVERRUN (CWE-119): [#def23] [important]
bluez-5.76/mesh/prov-initiator.c:676:2: cond_at_least: Checking "type >= 10UL" implies that "type" is at least 10 on the true branch.
bluez-5.76/mesh/prov-initiator.c:678:3: overrun-local: Overrunning array "expected_pdu_size" of 10 2-byte elements at element index 10 (byte offset 21) using index "type" (which evaluates to 10).
676| if (type >= L_ARRAY_SIZE(expected_pdu_size) ||
677| len != expected_pdu_size[type]) {
678|-> l_error("Expected PDU size %d, Got %d (type: %2.2x)",
679| expected_pdu_size[type], len, type);
680| fail_code[1] = PROV_ERR_INVALID_FORMAT;
---
mesh/prov-initiator.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/mesh/prov-initiator.c b/mesh/prov-initiator.c
index 653f3ae3e1c2..e353d23865ef 100644
--- a/mesh/prov-initiator.c
+++ b/mesh/prov-initiator.c
@@ -673,8 +673,13 @@ static void int_prov_rx(void *user_data, const void *dptr, uint16_t len)
goto failure;
}
- if (type >= L_ARRAY_SIZE(expected_pdu_size) ||
- len != expected_pdu_size[type]) {
+ if (type >= L_ARRAY_SIZE(expected_pdu_size)) {
+ l_error("Invalid PDU type %2.2x", type);
+ fail_code[1] = PROV_ERR_INVALID_FORMAT;
+ goto failure;
+ }
+
+ if (len != expected_pdu_size[type]) {
l_error("Expected PDU size %d, Got %d (type: %2.2x)",
expected_pdu_size[type], len, type);
fail_code[1] = PROV_ERR_INVALID_FORMAT;
--
2.45.2
