Re: [PATCH BlueZ v1 3/4] settings: limit the string size in load_service()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Roman,

On Tue, Jul 9, 2024 at 8:01 AM Roman Smirnov <r.smirnov@xxxxxx> wrote:
>
> Calculate the length of the first string and use it to create
> a pattern. The pattern will limit the maximum length of the
> string, which will prevent the buffer from overflowing.
>
> Found with the SVACE static analysis tool.
> ---
>  src/settings.c | 19 ++++++++++++++++++-
>  1 file changed, 18 insertions(+), 1 deletion(-)
>
> diff --git a/src/settings.c b/src/settings.c
> index b61e694f1..4eccf0b4e 100644
> --- a/src/settings.c
> +++ b/src/settings.c
> @@ -187,13 +187,30 @@ static int load_service(struct gatt_db *db, char *handle, char *value)
>         char type[MAX_LEN_UUID_STR], uuid_str[MAX_LEN_UUID_STR];
>         bt_uuid_t uuid;
>         bool primary;
> +       char pattern[16];
> +       char *colon_pos;
> +       size_t len;
>
>         if (sscanf(handle, "%04hx", &start) != 1) {
>                 DBG("Failed to parse handle: %s", handle);
>                 return -EIO;
>         }
>
> -       if (sscanf(value, "%[^:]:%04hx:%36s", type, &end, uuid_str) != 3) {

Can't we just do %36[^:] instead since it is the same size of
uuid_str, the only real difference is that it reads until the ':'
rather than until the end, but %36s is also _at most_ 36 characters.

> +       colon_pos = memchr(value, ':', MAX_LEN_UUID_STR);
> +       if (!colon_pos) {
> +               DBG("Failed to parse value: %s", value);
> +               return -EIO;
> +       }
> +
> +       len = colon_pos - value;
> +       if (!len) {
> +               DBG("Failed to parse value: %s", value);
> +               return -EIO;
> +       }
> +
> +       snprintf(pattern, sizeof(pattern), "%%%lds:%%04hx:%%36s", len);
> +
> +       if (sscanf(value, pattern, type, &end, uuid_str) != 3) {
>                 DBG("Failed to parse value: %s", value);
>                 return -EIO;
>         }
> --
> 2.34.1
>
>


-- 
Luiz Augusto von Dentz





[Index of Archives]     [Bluez Devel]     [Linux Wireless Networking]     [Linux Wireless Personal Area Networking]     [Linux ATH6KL]     [Linux USB Devel]     [Linux Media Drivers]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [Big List of Linux Books]

  Powered by Linux