  Branch: refs/heads/master
  Home:   https://github.com/bluez/bluez

  Commit: 0f382885d4a304dd781aa212ca1ee7b19fd46918
      https://github.com/bluez/bluez/commit/0f382885d4a304dd781aa212ca1ee7b19fd46918
  Author: Frédéric Danis <frederic.danis@xxxxxxxxxxxxx>
  Date:   2022-04-04 (Mon, 04 Apr 2022)

  Changed paths:
    M tools/mpris-proxy.c

  Log Message:
  -----------
  tools: Fix g_dbus_setup_private connection check in mpris-proxy


  Commit: 7fdfb67284a2f93b13c008e69ff04f462e45c791
      https://github.com/bluez/bluez/commit/7fdfb67284a2f93b13c008e69ff04f462e45c791
  Author: Ildar Kamaletdinov <i.kamaletdinov@xxxxxx>
  Date:   2022-04-04 (Mon, 04 Apr 2022)

  Changed paths:
    M monitor/packet.c

  Log Message:
  -----------
  monitor: Fix out-of-bound read in print_le_states

  Accessing le_states_desc_table array with value 15 can cause
  out-of-bound read because current size of array is 14.

  Currently this cannot lead to any problems because we do not have such
  state in le_states_comb_table but this could be changed in future and
  raise described problem.

  Found by Linux Verification Center (linuxtesting.org) with the SVACE
  static analysis tool.


  Commit: d328abaa1715d3d8df05b06a2e09429fcdeebe34
      https://github.com/bluez/bluez/commit/d328abaa1715d3d8df05b06a2e09429fcdeebe34
  Author: Ildar Kamaletdinov <i.kamaletdinov@xxxxxx>
  Date:   2022-04-04 (Mon, 04 Apr 2022)

  Changed paths:
    M tools/hciattach_tialt.c

  Log Message:
  -----------
  tools: Fix buffer overflow in hciattach_tialt.c

  Array 'c_brf_chip' of size 8 could be accessed by index > 7. We should
  limit array access like in previous check at line 221.

  Found by Linux Verification Center (linuxtesting.org) with the SVACE
  static analysis tool.


  Commit: 497a0b220dbdd9b10d0ba797645d327cd6cfb6e5
      https://github.com/bluez/bluez/commit/497a0b220dbdd9b10d0ba797645d327cd6cfb6e5
  Author: Ildar Kamaletdinov <i.kamaletdinov@xxxxxx>
  Date:   2022-04-04 (Mon, 04 Apr 2022)

  Changed paths:
    M tools/btsnoop.c

  Log Message:
  -----------
  tools: Fix signed integer overflow in btsnoop.c

  If malformed packet is processed with zero 'size' field we will face
  wrong behaviour of write() call. Value 'toread - 1' gives wrong
  sign for value 'written' (-1) in write() call.

  To prevent this we should check that 'toread' is not equal to zero.

  Found by Linux Verification Center (linuxtesting.org) with the SVACE
  static analysis tool.


  Commit: 1e664b9838cd84a921360806de084c749a60304b
      https://github.com/bluez/bluez/commit/1e664b9838cd84a921360806de084c749a60304b
  Author: Ildar Kamaletdinov <i.kamaletdinov@xxxxxx>
  Date:   2022-04-04 (Mon, 04 Apr 2022)

  Changed paths:
    M tools/btmgmt.c
    M tools/hex2hcd.c

  Log Message:
  -----------
  tools: Limit width of fields in sscanf

  In tools/btmgmt.c and tools/hex2hcd.c few sscanf does not limit width
  of fields. This could lead to static overflow and stack corruption.

  Found by Linux Verification Center (linuxtesting.org) with the SVACE
  static analysis tool.


  Commit: 4afbef7790ce0b1b30afaade19af17903e05a801
      https://github.com/bluez/bluez/commit/4afbef7790ce0b1b30afaade19af17903e05a801
  Author: Ildar Kamaletdinov <i.kamaletdinov@xxxxxx>
  Date:   2022-04-04 (Mon, 04 Apr 2022)

  Changed paths:
    M src/device.c

  Log Message:
  -----------
  device: Limit width of fields in sscanf

  In src/device.c few sscanf does not limit width of uuid field. This
  could lead to static overflow and stack corruption.

  Found by Linux Verification Center (linuxtesting.org) with the SVACE
  static analysis tool.


  Commit: 3627eddea13042ffc0848ae37356f30335ce2e4b
      https://github.com/bluez/bluez/commit/3627eddea13042ffc0848ae37356f30335ce2e4b
  Author: Ildar Kamaletdinov <i.kamaletdinov@xxxxxx>
  Date:   2022-04-04 (Mon, 04 Apr 2022)

  Changed paths:
    M src/gatt-database.c

  Log Message:
  -----------
  gatt: Fix double free and freed memory dereference

  If device no longer exists or not paired when notifications send it
  is possible to get double free and dereference of already freed memory.

  To avoid this we need to recheck the state of device after sending
  notification.

  Found by Linux Verification Center (linuxtesting.org) with the SVACE
  static analysis tool.


Compare: https://github.com/bluez/bluez/compare/234d60423c3b...3627eddea130
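
The sscanf field-width limit named in the two "Limit width of fields in sscanf" commits above, shown as an added example that is not code from the BlueZ tree. The record layout "<start>:<end>:<uuid>", struct svc_rec and parse_svc_rec() are assumptions made up for illustration; the example also goes one step past the width limit and uses %n to reject oversized input instead of silently truncating it.

```c
#include <stdio.h>
#include <string.h>

#define UUID_STR_LEN 36	/* length of a 128-bit UUID in string form */

/* Hypothetical record "<start>:<end>:<uuid>" with hex handles, constructed
 * for this example; it is not the format parsed by src/device.c. */
struct svc_rec {
	unsigned int start;
	unsigned int end;
	char uuid[UUID_STR_LEN + 1];
};

/* Unbounded pattern this class of fix removes: "%s" has no width, so a
 * long token is written past the end of uuid[]:
 *     sscanf(line, "%x:%x:%s", &r->start, &r->end, r->uuid);
 */

/* Returns 0 on success, -1 on malformed or oversized input. */
int parse_svc_rec(const char *line, struct svc_rec *r)
{
	int used = 0;

	memset(r, 0, sizeof(*r));

	/* The width is sizeof(buffer) - 1 because %s appends a NUL.
	 * %n stores the number of input bytes consumed so far and is
	 * not counted in the return value. */
	if (sscanf(line, "%4x:%4x:%36s%n",
			&r->start, &r->end, r->uuid, &used) != 3)
		return -1;

	/* A width limit truncates silently: leftover bytes mean the
	 * field was too long, so treat that as an error. */
	if (line[used] != '\0')
		return -1;

	return strlen(r->uuid) == UUID_STR_LEN ? 0 : -1;
}

int main(void)
{
	struct svc_rec r;
	/* Constructed sample line. */
	const char *ok = "0001:0005:0000180f-0000-1000-8000-00805f9b34fb";

	printf("parse: %d uuid=%s\n", parse_svc_rec(ok, &r), r.uuid);
	return 0;
}
```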