Error: INTEGER_OVERFLOW (CWE-190): [#def15] [important]
bluez-5.76/mesh/pb-adv.c:174:4: cast_overflow: Truncation due to cast operation on "size - consumed" from 32 to 8 bits.
bluez-5.76/mesh/pb-adv.c:174:4: overflow_assign: "seg_size" is assigned from "size - consumed".
bluez-5.76/mesh/pb-adv.c:177:3: overflow_sink: "seg_size", which might have overflowed, is passed to "memcpy(buf + 7, data + consumed, seg_size)". [Note: The source code implementation of the function has been overridden by a builtin model.]
175|
176| buf[6] = (i << 2) | 0x02;
177|-> memcpy(buf + 7, data + consumed, seg_size);
178|
179| pb_adv_send(session, MESH_IO_TX_COUNT_UNLIMITED, 500,
Error: INTEGER_OVERFLOW (CWE-190): [#def16] [important]
bluez-5.76/mesh/pb-adv.c:179:3: cast_overflow: Truncation due to cast operation on "seg_size + 7" from 32 to 16 bits.
bluez-5.76/mesh/pb-adv.c:179:3: overflow_sink: "seg_size + 7", which might have overflowed, is passed to "pb_adv_send(session, 0, 500, buf, seg_size + 7)".
177| memcpy(buf + 7, data + consumed, seg_size);
178|
179|-> pb_adv_send(session, MESH_IO_TX_COUNT_UNLIMITED, 500,
180| buf, seg_size + 7);
---
mesh/pb-adv.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mesh/pb-adv.c b/mesh/pb-adv.c
index 385d81d65731..7a1dd87dc210 100644
--- a/mesh/pb-adv.c
+++ b/mesh/pb-adv.c
@@ -166,7 +166,7 @@ static void send_adv_segs(struct pb_adv_session *session, const uint8_t *data,
consumed = init_size;
for (i = 1; i <= max_seg; i++) {
- uint8_t seg_size; /* Amount of payload data being sent */
+ size_t seg_size; /* Amount of payload data being sent */
if (size - consumed > PB_ADV_MTU - 1)
seg_size = PB_ADV_MTU - 1;
--
2.45.2
