
[Coverity CID :218737] Out-of-bounds write in subsys/bluetooth/host/gatt.c #32406

Closed
zephyrbot opened this issue Feb 17, 2021 · 0 comments · Fixed by #32584
Labels
bug The issue is a bug, or the PR is fixing a bug Coverity A Coverity detected issue or its fix priority: medium Medium impact/importance bug

Comments

@zephyrbot
Copy link
Collaborator

Static code scan issues found in file:

https://github.com/zephyrproject-rtos/zephyr/tree/fe7c2efca800a0cf1bccf23aefe08b3c4beb88bf/subsys/bluetooth/host/gatt.c#L504

Category: Memory - corruptions
Function: cf_set_value
Component: Bluetooth
CID: 218737

Details:

493         uint16_t i;
494         uint8_t last_byte = CF_BYTE_LAST;
495         uint8_t last_bit = CF_BIT_LAST;
496    
497         /* Validate the bits */
498         for (i = 0U; i < len && i <= last_byte; i++) {
>>>     CID 218737:    (OVERRUN)
>>>     Overrunning array "cfg->data" of 1 bytes at byte offset 2 using index "i" (which evaluates to 2).
499             uint8_t chg_bits = value[i] ^ cfg->data[i];
500             uint8_t bit;
501    
502             for (bit = 0U; bit <= last_bit; bit++) {
503                 /* A client shall never clear a bit it has set */
504                 if ((BIT(bit) & chg_bits) &&
505                     (BIT(bit) & cfg->data[i])) {
506                     return false;
507                 }
508             }
509         }
510    
511         /* Set the bits for each octet */
512         for (i = 0U; i < len && i < last_byte; i++) {
>>>     CID 218737:    (OVERRUN)
>>>     Overrunning array "cfg->data" of 1 bytes at byte offset 1 using index "i" (which evaluates to 1).
513             cfg->data[i] |= value[i] & (BIT(last_bit + 1) - 1);
514             BT_DBG("byte %u: data 0x%02x value 0x%02x", i, cfg->data[i],
515                    value[i]);
516         }
517    
518         return true;
498         for (i = 0U; i < len && i <= last_byte; i++) {
499             uint8_t chg_bits = value[i] ^ cfg->data[i];
500             uint8_t bit;
501    
502             for (bit = 0U; bit <= last_bit; bit++) {
503                 /* A client shall never clear a bit it has set */
>>>     CID 218737:    (OVERRUN)
>>>     Overrunning array "cfg->data" of 1 bytes at byte offset 2 using index "i" (which evaluates to 2).
504                 if ((BIT(bit) & chg_bits) &&
505                     (BIT(bit) & cfg->data[i])) {
506                     return false;
507                 }
508             }
509         }

Please fix or provide comments in coverity using the link:

https://scan9.coverity.com/reports.htm#v32951/p12996.

Note: This issue was created automatically. Priority was set based on classification
of the file affected and the impact field in coverity. Assignees were set using the CODEOWNERS file.
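As an added illustration (constructed here, not Zephyr's gatt.c and not the fix in #32584), the same two loops written so that the bound comes from the array itself rather than a separate "last byte" constant, plus a compile-time check that would have failed the build for the 1-byte-array / index-2 mismatch Coverity reports. The macro values, the struct layout and the function name are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the Client Features storage; these macro
 * values and the struct layout are assumptions, not Zephyr's. */
#define CF_NUM_BITS   3
#define CF_NUM_BYTES  ((CF_NUM_BITS + 7) / 8)   /* 1 byte of storage */
#define CF_BIT_LAST   (CF_NUM_BITS - 1)
#define CF_BYTE_LAST  (CF_BIT_LAST / 8)
#define BIT(n)        (1U << (n))

struct cf_cfg {
	uint8_t data[CF_NUM_BYTES];
};

/* Tie the "last byte" constant to the real array size at compile time:
 * a 1-byte array reached with index 2, as in the Coverity report, then
 * fails the build instead of becoming an out-of-bounds write. */
_Static_assert(CF_BYTE_LAST < CF_NUM_BYTES, "CF_BYTE_LAST exceeds cfg->data");

/* Same rules as cf_set_value: a client may never clear a bit it has set,
 * and only bits up to CF_BIT_LAST are stored. Both loops are bounded by
 * sizeof(cfg->data), so a peer write longer than the storage is clipped
 * rather than indexing past the array. */
bool cf_set_value_checked(struct cf_cfg *cfg, const uint8_t *value, uint16_t len)
{
	const uint8_t mask = (uint8_t)(BIT(CF_BIT_LAST + 1) - 1);
	uint16_t i;

	/* Validate the bits */
	for (i = 0U; i < len && i < sizeof(cfg->data); i++) {
		uint8_t chg_bits = value[i] ^ cfg->data[i];

		if (chg_bits & cfg->data[i] & mask) {
			return false;   /* attempt to clear an already-set bit */
		}
	}

	/* Set the bits for each octet, ignoring undefined feature bits */
	for (i = 0U; i < len && i < sizeof(cfg->data); i++) {
		cfg->data[i] |= value[i] & mask;
	}

	return true;
}
```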

@zephyrbot zephyrbot added bug The issue is a bug, or the PR is fixing a bug Coverity A Coverity detected issue or its fix priority: medium Medium impact/importance bug labels Feb 17, 2021