diff mbox series

[BlueZ,v2,4/4] settings: limit string size in gatt_db_load()

Message ID 20240709143503.12142-5-r.smirnov@omp.ru
State New
Headers show
Series fix errors found by SVACE static analyzer #3 | expand

Commit Message

Roman Smirnov July 9, 2024, 2:35 p.m. UTC
It is necessary to prevent buffer overflow by limiting
the maximum string length.

Found with the SVACE static analysis tool.
---
 V1 -> V2: use "%36s[^:]" instead of calculating the string length
 src/settings.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff mbox series

Patch

diff --git a/src/settings.c b/src/settings.c
index 643a083db..371649395 100644
--- a/src/settings.c
+++ b/src/settings.c
@@ -232,7 +232,7 @@  static int gatt_db_load(struct gatt_db *db, GKeyFile *key_file, char **keys)
 		value = g_key_file_get_string(key_file, "Attributes", *handle,
 									NULL);
 
-		if (!value || sscanf(value, "%[^:]:", type) != 1) {
+		if (!value || sscanf(value, "%36[^:]:", type) != 1) {
 			g_free(value);
 			return -EIO;
 		}
@@ -255,7 +255,7 @@  static int gatt_db_load(struct gatt_db *db, GKeyFile *key_file, char **keys)
 		value = g_key_file_get_string(key_file, "Attributes", *handle,
 									NULL);
 
-		if (!value || sscanf(value, "%[^:]:", type) != 1) {
+		if (!value || sscanf(value, "%36[^:]:", type) != 1) {
 			g_free(value);
 			return -EIO;
 		}