In tools/btmgmt.c and tools/hex2hcd.c few sscanf does not limit width of fields. This could lead to static overflow and stack corruption. Found by Linux Verification Center (linuxtesting.org) with the SVACE static analysis tool. --- tools/btmgmt.c | 2 +- tools/hex2hcd.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/btmgmt.c b/tools/btmgmt.c index 42ef9acef..8f63f12ba 100644 --- a/tools/btmgmt.c +++ b/tools/btmgmt.c @@ -5164,7 +5164,7 @@ static bool str2pattern(struct mgmt_adv_pattern *pattern, const char *str) char pattern_str[62] = { 0 }; char tmp; - if (sscanf(str, "%2hhx%n:%2hhx%n:%s", &pattern->ad_type, &type_len, + if (sscanf(str, "%2hhx%n:%2hhx%n:%61s", &pattern->ad_type, &type_len, &pattern->offset, &offset_end_pos, pattern_str) != 3) return false; diff --git a/tools/hex2hcd.c b/tools/hex2hcd.c index 674d62744..e6dca5a81 100644 --- a/tools/hex2hcd.c +++ b/tools/hex2hcd.c @@ -248,7 +248,7 @@ static void ver_parse_file(const char *pathname) memset(ver, 0, sizeof(*ver)); - if (sscanf(pathname, "%[A-Z0-9]_%3c.%3c.%3c.%4c.%4c.hex", + if (sscanf(pathname, "%19[A-Z0-9]_%3c.%3c.%3c.%4c.%4c.hex", ver->name, ver->major, ver->minor, ver->build, dummy1, dummy2) != 6) { printf("\t/* failed to parse %s */\n", pathname); -- 2.35.1