[PATCH 3/9] mesh: Avoid accessing array out-of-bounds

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



We would boundary check the expected_pdu_size array based on the value
of type, but would still access it out-of-bounds for the debug message.
Split off the invalid type check into its own message to avoid this.

Error: OVERRUN (CWE-119): [#def23] [important]
bluez-5.76/mesh/prov-initiator.c:676:2: cond_at_least: Checking "type >= 10UL" implies that "type" is at least 10 on the true branch.
bluez-5.76/mesh/prov-initiator.c:678:3: overrun-local: Overrunning array "expected_pdu_size" of 10 2-byte elements at element index 10 (byte offset 21) using index "type" (which evaluates to 10).
676|	if (type >= L_ARRAY_SIZE(expected_pdu_size) ||
677|					len != expected_pdu_size[type]) {
678|->		l_error("Expected PDU size %d, Got %d (type: %2.2x)",
679|			expected_pdu_size[type], len, type);
680|		fail_code[1] = PROV_ERR_INVALID_FORMAT;
---
 mesh/prov-initiator.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/mesh/prov-initiator.c b/mesh/prov-initiator.c
index 653f3ae3e1c2..e353d23865ef 100644
--- a/mesh/prov-initiator.c
+++ b/mesh/prov-initiator.c
@@ -673,8 +673,13 @@ static void int_prov_rx(void *user_data, const void *dptr, uint16_t len)
 		goto failure;
 	}
 
-	if (type >= L_ARRAY_SIZE(expected_pdu_size) ||
-					len != expected_pdu_size[type]) {
+	if (type >= L_ARRAY_SIZE(expected_pdu_size)) {
+		l_error("Invalid PDU type %2.2x", type);
+		fail_code[1] = PROV_ERR_INVALID_FORMAT;
+		goto failure;
+	}
+
+	if (len != expected_pdu_size[type]) {
 		l_error("Expected PDU size %d, Got %d (type: %2.2x)",
 			expected_pdu_size[type], len, type);
 		fail_code[1] = PROV_ERR_INVALID_FORMAT;
-- 
2.45.2





[Index of Archives]     [Bluez Devel]     [Linux Wireless Networking]     [Linux Wireless Personal Area Networking]     [Linux ATH6KL]     [Linux USB Devel]     [Linux Media Drivers]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [Big List of Linux Books]

  Powered by Linux