authorIldar Kamaletdinov <i.kamaletdinov@omp.ru>2022-04-01 15:16:44 +0300
committerLuiz Augusto von Dentz <luiz.von.dentz@intel.com>2022-04-04 09:41:59 -0700
commit497a0b220dbdd9b10d0ba797645d327cd6cfb6e5 (patch)
tree20686994b095c36b5814ff2d19ac521248b9f15f /tools
parentd328abaa1715d3d8df05b06a2e09429fcdeebe34 (diff)
downloadbluez-497a0b220dbdd9b10d0ba797645d327cd6cfb6e5.tar.gz
tools: Fix signed integer overflow in btsnoop.c
If a malformed packet with a zero 'size' field is processed, the write() call behaves incorrectly: 'toread - 1' gives the wrong sign (-1) for the value 'written' in the write() call. To prevent this, we should check that 'toread' is not equal to zero. Found by Linux Verification Center (linuxtesting.org) with the SVACE static analysis tool.
Diffstat (limited to 'tools')
-rw-r--r--tools/btsnoop.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/tools/btsnoop.c b/tools/btsnoop.c
index 738027dfc..a0d6cf356 100644
--- a/tools/btsnoop.c
+++ b/tools/btsnoop.c
@@ -193,7 +193,7 @@ next_packet:
flags = be32toh(input_pkt[select_input].flags);
len = read(input_fd[select_input], buf, toread);
- if (len < 0 || len != (ssize_t) toread) {
+ if (toread == 0 || len < 0 || len != (ssize_t) toread) {
close(input_fd[select_input]);
input_fd[select_input] = -1;
goto next_packet;
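Review bot: The added `toread == 0` test covers only the lower end of the length taken from the file; nothing in this hunk bounds `toread` from above before `read(input_fd[select_input], buf, toread)` stores that many bytes into `buf`. The declaration of `buf` is outside the hunk, but if it is a fixed-size array, a malformed size field larger than the array would make read() write past its end. A guard placed before the read() call, such as `if (toread == 0 || toread > sizeof(buf))`, taking the same close-and-skip path, would reject both ends and would also avoid issuing the read() at all for a zero-length record. The enclosing function starts and ends outside the hunk, so confirm that no such bound already exists earlier in it.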