mirror of
https://git.kernel.org/pub/scm/bluetooth/bluez.git
synced 2024-11-15 08:14:28 +08:00
bd954700e6
The return value from gen_attridseq_pdu() can be -ENOMEM or the always
positive return value from sdp_gen_pdu(), but we only guard against a
single negative return value "-1" (-EPERM).
Check for all negative values to avoid manipulating a negative length as
a valid one.
Error: INTEGER_OVERFLOW (CWE-190): [#def10] [important]
lib/sdp.c:4097:2: overflow_sink:
"t->reqsize + cstate_len", which might have underflowed, is passed to
"sdp_send_req(session, t->reqbuf, t->reqsize + cstate_len)".
4095| reqhdr->plen = htons((t->reqsize + cstate_len) - sizeof(sdp_pdu_hdr_t));
4096|
4097|-> if (sdp_send_req(session, t->reqbuf, t->reqsize + cstate_len) < 0) {
4098| SDPERR("Error sending data:%m");
4099| t->err = errno;
Error: INTEGER_OVERFLOW (CWE-190): [#def11] [important]
lib/sdp.c:4492:3: overflow_sink:
"reqsize", which might have underflowed, is passed to
"sdp_send_req_w4_rsp(session, reqbuf, rspbuf, reqsize, &rspsize)".
4490| reqhdr->plen = htons(reqsize - sizeof(sdp_pdu_hdr_t));
4491| rsphdr = (sdp_pdu_hdr_t *) rspbuf;
4492|-> status = sdp_send_req_w4_rsp(session, reqbuf, rspbuf, reqsize, &rspsize);
4493| if (rspsize < sizeof(sdp_pdu_hdr_t)) {
4494| SDPERR("Unexpected end of packet");
|
||
|---|---|---|
| .. | ||
| a2mp.h | ||
| amp.h | ||
| bluetooth.c | ||
| bluetooth.h | ||
| bluez.pc.in | ||
| bnep.h | ||
| cmtp.h | ||
| hci_lib.h | ||
| hci.c | ||
| hci.h | ||
| hidp.h | ||
| iso.h | ||
| l2cap.h | ||
| mgmt.h | ||
| rfcomm.h | ||
| sco.h | ||
| sdp_lib.h | ||
| sdp.c | ||
| sdp.h | ||
| uuid.c | ||
| uuid.h | ||