Error: INTEGER_OVERFLOW (CWE-190): [#def41] [important]
bluez-5.76/tools/btsnoop.c:438:2: tainted_data_return: Called function "read(fd, buf, toread)", and a possible return value may be less than zero.
bluez-5.76/tools/btsnoop.c:438:2: assign: Assigning: "len" = "read(fd, buf, toread)".
bluez-5.76/tools/btsnoop.c:473:4: overflow: The cast of "len - 9L", which is potentially negative, to an unsigned type could result in an overflow.
471| /* next 4 bytes are data len and cid */
472| current_cid = buf[8] << 8 | buf[7];
473|-> memcpy(pdu_buf, buf + 9, len - 9);
474| pdu_len = len - 9;
475| } else if (acl_flags & 0x01) {
Error: INTEGER_OVERFLOW (CWE-190): [#def42] [important]
bluez-5.76/tools/btsnoop.c:438:2: tainted_data_return: Called function "read(fd, buf, toread)", and a possible return value may be less than zero.
bluez-5.76/tools/btsnoop.c:438:2: assign: Assigning: "len" = "read(fd, buf, toread)".
bluez-5.76/tools/btsnoop.c:476:4: overflow: The cast of "len - 5L", which is potentially negative, to an unsigned type could result in an overflow.
474| pdu_len = len - 9;
475| } else if (acl_flags & 0x01) {
476|-> memcpy(pdu_buf + pdu_len, buf + 5, len - 5);
477| pdu_len += len - 5;
478| }
---
 tools/btsnoop.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/btsnoop.c b/tools/btsnoop.c
index efaa45db41dd..0bd28b65b6e1 100644
--- a/tools/btsnoop.c
+++ b/tools/btsnoop.c
@@ -448,7 +448,7 @@ next_packet:
 acl_flags = buf[2] >> 4;
 /* use only packet with ACL start flag */
- if (acl_flags & 0x02) {
+ if ((acl_flags & 0x02) && len > 9) {
 if (current_cid == 0x0040 && pdu_len > 0) {
 int i;
 if (!pdu_first)
@@ -472,7 +472,7 @@ next_packet:
 current_cid = buf[8] << 8 | buf[7];
 memcpy(pdu_buf, buf + 9, len - 9);
 pdu_len = len - 9;
- } else if (acl_flags & 0x01) {
+ } else if ((acl_flags & 0x01) && len > 5) {
 memcpy(pdu_buf + pdu_len, buf + 5, len - 5);
 pdu_len += len - 5;
 }
-- 
2.45.2
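Review bot: The new `len > 9` and `len > 5` guards only bound `len` from below; the continuation branch in the second hunk still copies `len - 5` bytes to `pdu_buf + pdu_len` without checking that `pdu_len + (len - 5)` fits in `pdu_buf`, so repeated or oversized continuation fragments arriving on the same `read()` path that the analyzer flagged can still write past the end of the reassembly buffer — if `pdu_buf` is a fixed-size array, the condition should read `} else if ((acl_flags & 0x01) && len > 5 && pdu_len + (len - 5) <= sizeof(pdu_buf)) {` (the declarations of `pdu_buf` and `pdu_len` are outside the hunk, so the capacity expression needs confirming). The bare thresholds 9 and 5 also deserve a comment, since they are the payload offsets of a start fragment (after the 4-byte L2CAP length/CID header that the `current_cid` comment describes) and of a continuation fragment; e.g. `/* start: payload begins after the ACL and L2CAP headers at buf[9]; continuation: after the ACL header at buf[5] */`. Note that `buf[2]` is read into `acl_flags` before either length check, so a very short read still indexes `buf` on whatever was there previously; whether `toread` guarantees a minimum length is decided outside the hunk. The enclosing loop body starts before the first hunk and ends after the second.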