author | Ildar Kamaletdinov <i.kamaletdinov@omp.ru> | 2022-04-01 15:16:44 +0300 |
---|---|---|
committer | Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | 2022-04-04 09:41:59 -0700 |
commit | 497a0b220dbdd9b10d0ba797645d327cd6cfb6e5 (patch) | |
tree | 20686994b095c36b5814ff2d19ac521248b9f15f /tools | |
parent | d328abaa1715d3d8df05b06a2e09429fcdeebe34 (diff) | |
download | bluez-497a0b220dbdd9b10d0ba797645d327cd6cfb6e5.tar.gz |
tools: Fix signed integer overflow in btsnoop.c
If a malformed packet is processed with a zero 'size' field, we will face
wrong behaviour of the write() call. The value 'toread - 1' gives the wrong
sign for the value 'written' (-1) in the write() call. To prevent this we
should check that 'toread' is not equal to zero.
Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool.
Diffstat (limited to 'tools')
-rw-r--r-- | tools/btsnoop.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/tools/btsnoop.c b/tools/btsnoop.c index 738027dfc..a0d6cf356 100644 --- a/tools/btsnoop.c +++ b/tools/btsnoop.c @@ -193,7 +193,7 @@ next_packet: flags = be32toh(input_pkt[select_input].flags); len = read(input_fd[select_input], buf, toread); - if (len < 0 || len != (ssize_t) toread) { + if (toread == 0 || len < 0 || len != (ssize_t) toread) { close(input_fd[select_input]); input_fd[select_input] = -1; goto next_packet; |
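Review bot: the new `toread == 0` test sits in the condition after `read(input_fd[select_input], buf, toread)`, so the read is still issued with a zero length before the packet is rejected; checking `toread` ahead of the `read()` call would state the intent more directly and skip the syscall. The zero-size case also reuses the error path that closes the descriptor and sets `input_fd[select_input] = -1`, so a single malformed record silently drops the rest of that input file; a short diagnostic before `goto next_packet` would let a user tell this apart from a short read or an I/O error. The `toread - 1` expression named in the commit message is outside the visible lines, so a one-line comment on the condition saying why zero is rejected would keep the reason next to the check.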