> On Jul 4, 2024, at 3:27 AM, Bastien Nocera <hadess@xxxxxxxxxx> wrote: > > Error: INTEGER_OVERFLOW (CWE-190): [#def29] [important] > bluez-5.76/tools/mesh/mesh-db.c:551:3: cast_overflow: Truncation due to cast operation on "ele_cnt" from 32 to 8 bits. > bluez-5.76/tools/mesh/mesh-db.c:551:3: overflow_sink: "ele_cnt", which might have overflowed, is passed to "remote_add_node((uint8_t const *)uuid, unicast, ele_cnt, key_idx)". > 549| continue; > 550| > 551|-> remote_add_node((const uint8_t *)uuid, unicast, ele_cnt, > 552| key_idx); > 553| for (j = 1; j < key_cnt; j++) { > --- > tools/mesh/mesh-db.c | 6 ++---- > 1 file changed, 2 insertions(+), 4 deletions(-) > > diff --git a/tools/mesh/mesh-db.c b/tools/mesh/mesh-db.c > index 1d047691d240..abcc09d523a5 100644 > --- a/tools/mesh/mesh-db.c > +++ b/tools/mesh/mesh-db.c > @@ -503,7 +503,8 @@ static void load_remotes(json_object *jcfg) > uint8_t uuid[16]; > uint16_t unicast, key_idx; > const char *str; > - int ele_cnt, key_cnt; > + uint8_t ele_cnt; > + int key_cnt; > int j; > > jnode = json_object_array_get_idx(jnodes, i); > @@ -533,9 +534,6 @@ static void load_remotes(json_object *jcfg) > > ele_cnt = json_object_array_length(jarray); > > - if (ele_cnt > MAX_ELE_COUNT) > - continue; > - What happens if the json file is corrupted and there are more than 255 elements in the array? > json_object_object_get_ex(jnode, "netKeys", &jarray); > if (!jarray || json_object_get_type(jarray) != json_type_array) > continue; > -- > 2.45.2 > >
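Review bot: in the first hunk, declaring `uint8_t ele_cnt;` does not remove the truncation the report flags; it moves it from the remote_add_node() call to the assignment `ele_cnt = json_object_array_length(jarray);`, where the conversion is implicit and reduces the length modulo 256 (a 256-entry array is stored as 0, a 300-entry one as 44). Suggest keeping the array length in a wide local, such as the original int, and narrowing to uint8_t only after it has been range-checked.

Review bot: in the second hunk, removing `if (ele_cnt > MAX_ELE_COUNT) continue;` drops the only bound on the element count visible in this part of load_remotes(), so a configuration file whose array has more than 255 entries is no longer skipped and the node is added with a wrapped count. Suggest keeping the check, performed on the un-narrowed length so oversized arrays still reach `continue`, and passing the value to remote_add_node() only once it is known to fit in 8 bits.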