If malformed packet is proceed with zero 'size' field we will face with
wrong behaviour of write() call. Value 'toread - 1' gives wrong sign
for value 'written' (-1) in write() call. To prevent this we should
check that 'toread' is not equal to zero.
Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool.
---
tools/btsnoop.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/btsnoop.c b/tools/btsnoop.c
index 738027dfc..a0d6cf356 100644
--- a/tools/btsnoop.c
+++ b/tools/btsnoop.c
@@ -193,7 +193,7 @@ next_packet:
flags = be32toh(input_pkt[select_input].flags);
len = read(input_fd[select_input], buf, toread);
- if (len < 0 || len != (ssize_t) toread) {
+ if (toread == 0 || len < 0 || len != (ssize_t) toread) {
close(input_fd[select_input]);
input_fd[select_input] = -1;
goto next_packet;
--
2.35.1
