[BlueZ v2 09/11] mesh: Fix integer overflow due to cast operation

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Error: INTEGER_OVERFLOW (CWE-190): [#def15] [important]
bluez-5.76/mesh/pb-adv.c:174:4: cast_overflow: Truncation due to cast operation on "size - consumed" from 32 to 8 bits.
bluez-5.76/mesh/pb-adv.c:174:4: overflow_assign: "seg_size" is assigned from "size - consumed".
bluez-5.76/mesh/pb-adv.c:177:3: overflow_sink: "seg_size", which might have overflowed, is passed to "memcpy(buf + 7, data + consumed, seg_size)". [Note: The source code implementation of the function has been overridden by a builtin model.]
175|
176|		buf[6] = (i << 2) | 0x02;
177|->		memcpy(buf + 7, data + consumed, seg_size);
178|
179|		pb_adv_send(session, MESH_IO_TX_COUNT_UNLIMITED, 500,

Error: INTEGER_OVERFLOW (CWE-190): [#def16] [important]
bluez-5.76/mesh/pb-adv.c:179:3: cast_overflow: Truncation due to cast operation on "seg_size + 7" from 32 to 16 bits.
bluez-5.76/mesh/pb-adv.c:179:3: overflow_sink: "seg_size + 7", which might have overflowed, is passed to "pb_adv_send(session, 0, 500, buf, seg_size + 7)".
177|		memcpy(buf + 7, data + consumed, seg_size);
178|
179|->		pb_adv_send(session, MESH_IO_TX_COUNT_UNLIMITED, 500,
180|							buf, seg_size + 7);
---
 mesh/pb-adv.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mesh/pb-adv.c b/mesh/pb-adv.c
index 385d81d65731..7a1dd87dc210 100644
--- a/mesh/pb-adv.c
+++ b/mesh/pb-adv.c
@@ -166,7 +166,7 @@ static void send_adv_segs(struct pb_adv_session *session, const uint8_t *data,
 	consumed = init_size;
 
 	for (i = 1; i <= max_seg; i++) {
-		uint8_t seg_size; /* Amount of payload data being sent */
+		size_t seg_size; /* Amount of payload data being sent */
 
 		if (size - consumed > PB_ADV_MTU - 1)
 			seg_size = PB_ADV_MTU - 1;
-- 
2.45.2





[Index of Archives]     [Bluez Devel]     [Linux Wireless Networking]     [Linux Wireless Personal Area Networking]     [Linux ATH6KL]     [Linux USB Devel]     [Linux Media Drivers]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [Big List of Linux Books]

  Powered by Linux