author | Ildar Kamaletdinov <i.kamaletdinov@omp.ru> | 2022-04-01 15:16:42 +0300 |
---|---|---|
committer | Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | 2022-04-04 09:41:58 -0700 |
commit | 7fdfb67284a2f93b13c008e69ff04f462e45c791 (patch) | |
tree | cc46b8449305f59eb1b6427e5ec714f907748c81 /monitor/packet.c | |
parent | 0f382885d4a304dd781aa212ca1ee7b19fd46918 (diff) | |

monitor: Fix out-of-bound read in print_le_states

Accessing le_states_desc_table array with value 15 can cause
out-of-bound read because current size of array is 14.

Currently this cannot lead to any problems because we do not have such
state in le_states_comb_table but this could be changed in future and
raise described problem.

Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool.

Diffstat (limited to 'monitor/packet.c')
-rw-r--r-- | monitor/packet.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/monitor/packet.c b/monitor/packet.c index b7431b57d..1f04063d3 100644 --- a/monitor/packet.c +++ b/monitor/packet.c @@ -2816,7 +2816,8 @@ static const struct { static void print_le_states(const uint8_t *states_array) { uint64_t mask, states = 0; - int i, n; + int i = 0; + size_t n = 0; for (i = 0; i < 8; i++) states |= ((uint64_t) states_array[i]) << (i * 8); @@ -2828,12 +2829,12 @@ static void print_le_states(const uint8_t *states_array) for (i = 0; le_states_comb_table[i].states; i++) { uint64_t val = (((uint64_t) 1) << le_states_comb_table[i].bit); const char *str[3] = { NULL, }; - int num = 0; + size_t num = 0; if (!(states & val)) continue; - for (n = 0; n < 16; n++) { + for (n = 0; n < ARRAY_SIZE(le_states_desc_table); n++) { if (le_states_comb_table[i].states & (1 << n)) str[num++] = le_states_desc_table[n].str; } |
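
Review bot: In the first hunk (declarations at the top of print_le_states), the "= 0" initializers on i and n are redundant, since both for loops shown in the patch assign 0 before the variables are read. Dropping them would keep this hunk to the one change that matters for the fix, which is making n a size_t so that it compares cleanly against ARRAY_SIZE(le_states_desc_table).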
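
Review bot: In the second hunk, the write side of the inner loop is still unchecked: str is declared as "const char *str[3]" and "str[num++] = le_states_desc_table[n].str;" increments num with no comparison against the size of str, so a le_states_comb_table entry with more than three bits set in .states would write past the end of str. Since this patch already bounds the read index with ARRAY_SIZE, consider bounding the write the same way, for example by testing num < ARRAY_SIZE(str) before the assignment. A short comment that state bits at or above ARRAY_SIZE(le_states_desc_table) are now skipped silently would also help the next reader.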