Error: INTEGER_OVERFLOW (CWE-190): [#def8] [important] bluez-5.77/src/shared/btsnoop.c:556:3: underflow: The decrement operator on the unsigned variable "toread" might result in an underflow. bluez-5.77/src/shared/btsnoop.c:572:2: overflow_sink: "toread", which might have underflowed, is passed to "read(btsnoop->fd, data, toread)". [Note: The source code implementation of the function has been overridden by a builtin model.] 570| } 571| 572|-> len = read(btsnoop->fd, data, toread); 573| if (len < 0) { 574| btsnoop->aborted = true;
---
src/shared/btsnoop.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/shared/btsnoop.c b/src/shared/btsnoop.c
index bc5f7fcbe84c..bb0bccf0dd01 100644
--- a/src/shared/btsnoop.c
+++ b/src/shared/btsnoop.c
@@ -530,7 +530,7 @@ bool btsnoop_read_hci(struct btsnoop *btsnoop, struct timeval *tv,
 	}

 	toread = be32toh(pkt.len);
-	if (toread > BTSNOOP_MAX_PACKET_SIZE) {
+	if (toread > BTSNOOP_MAX_PACKET_SIZE || toread < 1) {
 		btsnoop->aborted = true;
 		return false;
 	}
@@ -569,6 +569,11 @@ bool btsnoop_read_hci(struct btsnoop *btsnoop, struct timeval *tv,
 		return false;
 	}

+	if (toread == 0) {
+		btsnoop->aborted = true;
+		return false;
+	}
+
 	len = read(btsnoop->fd, data, toread);
 	if (len < 0) {
 		btsnoop->aborted = true;
-- 
2.45.2
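Review bot: The new `toread == 0` guard in the second hunk is only sound because the first hunk's `toread < 1` rejection runs before the unsigned decrement that the analyzer output in the commit message places at btsnoop.c:556, between the two hunks, and nothing in the code records that ordering, so a later reordering of these checks could bring the wrap back. I would add a comment above the second guard, `/* toread is unsigned and is decremented after the length check above; zero here means the packet had no payload left, so refuse it rather than issue a zero-length read() */`. As a point of style, on an unsigned value `toread < 1` reads as a bound comparison rather than the empty-packet test it is; writing the first check as `if (toread == 0 || toread > BTSNOOP_MAX_PACKET_SIZE)` makes the two guards visibly the same test. btsnoop_read_hci begins before the first hunk and continues past the end of the second, so the decrement itself is not visible here.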