Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Coverity CID :218735] Out-of-bounds access in subsys/bluetooth/host/att.c #32405

Closed
zephyrbot opened this issue Feb 17, 2021 · 1 comment
Closed

[Coverity CID :218735] Out-of-bounds access in subsys/bluetooth/host/att.c #32405

zephyrbot opened this issue Feb 17, 2021 · 1 comment
Assignees
@jhedberg @joerchan @Vudentz
Labels
bug The issue is a bug, or the PR is fixing a bug Coverity A Coverity detected issue or its fix priority: medium Medium impact/importance bug

Comments

@zephyrbot
Copy link
Collaborator

Static code scan issues found in file:

https:/zephyrproject-rtos/zephyr/tree/fe7c2efca800a0cf1bccf23aefe08b3c4beb88bf/subsys/bluetooth/host/att.c#L1465

Category: Memory - corruptions
Function: read_group_cb
Component: Bluetooth
CID: 218735

Details:

1459     {
1460         struct read_group_data *data = user_data;
1461         struct bt_att_chan *chan = data->chan;
1462         int read;
1463    
1464         /* Update group end_handle if attribute is not a service */
>>>     CID 218735:    (OVERRUN)
>>>     Overrunning array "struct bt_uuid_16 [1]({{.uuid = {BT_UUID_TYPE_16}, .val = 10240}})" of 4 bytes by passing it to a function which accesses it at byte offset 16.
1465         if (bt_uuid_cmp(attr->uuid, BT_UUID_GATT_PRIMARY) &&
1466             bt_uuid_cmp(attr->uuid, BT_UUID_GATT_SECONDARY)) {
1467             if (data->group &&
1468                 handle > sys_le16_to_cpu(data->group->end_handle)) {
1469                 data->group->end_handle = sys_cpu_to_le16(handle);
1470             }
1459     {
1460         struct read_group_data *data = user_data;
1461         struct bt_att_chan *chan = data->chan;
1462         int read;
1463    
1464         /* Update group end_handle if attribute is not a service */
>>>     CID 218735:    (OVERRUN)
>>>     Overrunning array "struct bt_uuid_16 [1]({{.uuid = {BT_UUID_TYPE_16}, .val = 10241}})" of 4 bytes by passing it to a function which accesses it at byte offset 16.
1465         if (bt_uuid_cmp(attr->uuid, BT_UUID_GATT_PRIMARY) &&
1466             bt_uuid_cmp(attr->uuid, BT_UUID_GATT_SECONDARY)) {
1467             if (data->group &&
1468                 handle > sys_le16_to_cpu(data->group->end_handle)) {
1469                 data->group->end_handle = sys_cpu_to_le16(handle);
1470             }

Please fix or provide comments in coverity using the link:

https://scan9.coverity.com/reports.htm#v32951/p12996.

Note: This issue was created automatically. Priority was set based on classification
of the file affected and the impact field in coverity. Assignees were set using the CODEOWNERS file.
@zephyrbot zephyrbot added bug The issue is a bug, or the PR is fixing a bug Coverity A Coverity detected issue or its fix priority: medium Medium impact/importance bug labels Feb 17, 2021
@joerchan
Copy link
Contributor

Passing bt_uuid_16 with type BT_UUID_TYPE_16 will not take case branch BT_UUID_TYPE_128 in uuid_to_uuid128

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jhedberg jhedberg

@joerchan joerchan

@Vudentz Vudentz

Labels
bug The issue is a bug, or the PR is fixing a bug Coverity A Coverity detected issue or its fix priority: medium Medium impact/importance bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@jhedberg @joerchan @Vudentz @zephyrbot