Re: [BlueZ v2 08/11] gatt-server: Fix integer overflow due to cast operation

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 2024-07-08 at 11:17 -0400, Luiz Augusto von Dentz wrote:
> Hi Bastien,
> 
> On Fri, Jul 5, 2024 at 5:00 AM Bastien Nocera <hadess@xxxxxxxxxx>
> wrote:
> > 
> > Error: INTEGER_OVERFLOW (CWE-190): [#def25] [important]
> > bluez-5.76/src/shared/gatt-server.c:927:2: cast_overflow:
> > Truncation due to cast operation on "((unsigned int)mtu - 1U < len)
> > ? (unsigned int)mtu - 1U : len" from 32 to 16 bits.
> > bluez-5.76/src/shared/gatt-server.c:927:2: overflow_sink:
> > "((unsigned int)mtu - 1U < len) ? (unsigned int)mtu - 1U : len",
> > which might have overflowed, is passed to "bt_att_chan_send(op-
> > >chan, rsp_opcode, (len ? value : NULL), (((unsigned int)mtu - 1U <
> > len) ? (unsigned int)mtu - 1U : len), NULL, NULL, NULL)".
> > 925|    rsp_opcode = get_read_rsp_opcode(op->opcode);
> > 926|
> > 927|->  bt_att_chan_send_rsp(op->chan, rsp_opcode, len ? value :
> > NULL,
> > 928|                                    MIN((unsigned int) mtu - 1,
> > len));
> > 929|    async_read_op_destroy(op);
> > ---
> >  src/shared/gatt-server.c | 6 +++---
> >  1 file changed, 3 insertions(+), 3 deletions(-)
> > 
> > diff --git a/src/shared/gatt-server.c b/src/shared/gatt-server.c
> > index 66e370d1fe3d..e0e1776779cd 100644
> > --- a/src/shared/gatt-server.c
> > +++ b/src/shared/gatt-server.c
> > @@ -908,7 +908,7 @@ static void read_complete_cb(struct
> > gatt_db_attribute *attr, int err,
> >         struct async_read_op *op = user_data;
> >         struct bt_gatt_server *server = op->server;
> >         uint8_t rsp_opcode;
> > -       uint16_t mtu;
> > +       size_t mtu;
> >         uint16_t handle;
> > 
> >         DBG(server, "Read Complete: err %d", err);
> > @@ -916,7 +916,7 @@ static void read_complete_cb(struct
> > gatt_db_attribute *attr, int err,
> >         mtu = bt_att_get_mtu(server->att);
> >         handle = gatt_db_attribute_get_handle(attr);
> > 
> > -       if (err) {
> > +       if (err || mtu <= 1) {
> 
> Also pointless here if the mtu is 0 then we should not attempt to
> send anything.

There's more than one fix in this patch. One is the data type used
(should be a size_t, not a uint16_t), the other is avoid a negative or
zero pdu value. What happens to guard against a "1" mtu? Do we need to
guard against it?

> 
> >                 bt_att_chan_send_error_rsp(op->chan, op->opcode,
> > handle, err);
> >                 async_read_op_destroy(op);
> >                 return;
> > @@ -925,7 +925,7 @@ static void read_complete_cb(struct
> > gatt_db_attribute *attr, int err,
> >         rsp_opcode = get_read_rsp_opcode(op->opcode);
> > 
> >         bt_att_chan_send_rsp(op->chan, rsp_opcode, len ? value :
> > NULL,
> > -                                       MIN((unsigned int) mtu - 1,
> > len));
> > +                                       MIN(mtu - 1, len));
> 
> And this is incorrect as well, we need the mtu of the channel here
> not
> bt_att_get_mtu.

I see you fixed this in 110a8b47a4f159a8239795255b6c1c0edd79e4cd
Thanks!

> 
> >         async_read_op_destroy(op);
> >  }
> > 
> > --
> > 2.45.2
> > 
> > 
> 
> 






[Index of Archives]     [Bluez Devel]     [Linux Wireless Networking]     [Linux Wireless Personal Area Networking]     [Linux ATH6KL]     [Linux USB Devel]     [Linux Media Drivers]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [Big List of Linux Books]

  Powered by Linux