Error: INTEGER_OVERFLOW (CWE-190): [#def25] [important]
bluez-5.76/src/shared/gatt-server.c:927:2: cast_overflow: Truncation due to cast operation on "((unsigned int)mtu - 1U < len) ? (unsigned int)mtu - 1U : len" from 32 to 16 bits.
bluez-5.76/src/shared/gatt-server.c:927:2: overflow_sink: "((unsigned int)mtu - 1U < len) ? (unsigned int)mtu - 1U : len", which might have overflowed, is passed to "bt_att_chan_send(op->chan, rsp_opcode, (len ? value : NULL), (((unsigned int)mtu - 1U < len) ? (unsigned int)mtu - 1U : len), NULL, NULL, NULL)".
925| rsp_opcode = get_read_rsp_opcode(op->opcode);
926|
927|-> bt_att_chan_send_rsp(op->chan, rsp_opcode, len ? value : NULL,
928| MIN((unsigned int) mtu - 1, len));
929| async_read_op_destroy(op);
---
src/shared/gatt-server.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
index c587553d655d..6ced21248b75 100644
--- a/src/shared/gatt-server.c
+++ b/src/shared/gatt-server.c
@@ -908,7 +908,7 @@ static void read_complete_cb(struct gatt_db_attribute *attr, int err,
struct async_read_op *op = user_data;
struct bt_gatt_server *server = op->server;
uint8_t rsp_opcode;
- uint16_t mtu;
+ size_t mtu;
uint16_t handle;
DBG(server, "Read Complete: err %d", err);
@@ -916,7 +916,7 @@ static void read_complete_cb(struct gatt_db_attribute *attr, int err,
mtu = bt_att_get_mtu(server->att);
handle = gatt_db_attribute_get_handle(attr);
- if (err) {
+ if (err || mtu <= 1) {
bt_att_chan_send_error_rsp(op->chan, op->opcode, handle, err);
async_read_op_destroy(op);
return;
@@ -925,7 +925,7 @@ static void read_complete_cb(struct gatt_db_attribute *attr, int err,
rsp_opcode = get_read_rsp_opcode(op->opcode);
bt_att_chan_send_rsp(op->chan, rsp_opcode, len ? value : NULL,
- MIN((unsigned int) mtu - 1, len));
+ MIN(mtu - 1, len));
async_read_op_destroy(op);
}
--
2.45.2
