From patchwork Tue Jul 2 14:23:33 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Bastien Nocera
X-Patchwork-Id: 810084
From: Bastien Nocera
To: linux-bluetooth@vger.kernel.org
Cc: Bastien Nocera
Subject: [BlueZ resend 1/9] main: Simplify parse_config_string()
Date: Tue, 2 Jul 2024 16:23:33 +0200
Message-ID: <20240702142436.833138-2-hadess@hadess.net>
X-Mailer: git-send-email 2.45.2
In-Reply-To: <20240702142436.833138-1-hadess@hadess.net>
References: <20240702142436.833138-1-hadess@hadess.net>
Precedence: bulk
X-Mailing-List: linux-bluetooth@vger.kernel.org
MIME-Version: 1.0
X-GND-Sasl: hadess@hadess.net

The memory management done by parse_config_string() was quite complicated, as it expected to be able to free the value in the return variable if it was already allocated. That particular behaviour was only used for a single variable which was set to its default value during startup and might be overwritten after this function call. Use an intermediate variable to check whether we need to free btd_opts.name and simplify parse_config_string().

Error: RESOURCE_LEAK (CWE-772): [#def39] [important]
bluez-5.75/src/main.c:425:2: alloc_fn: Storage is returned from allocation function "g_key_file_get_string".
bluez-5.75/src/main.c:425:2: var_assign: Assigning: "tmp" = storage returned from "g_key_file_get_string(config, group, key, &err)".
bluez-5.75/src/main.c:433:2: noescape: Assuming resource "tmp" is not freed or pointed-to as ellipsis argument to "btd_debug".
bluez-5.75/src/main.c:440:2: leaked_storage: Variable "tmp" going out of scope leaks the storage it points to.
438| }
439|
440|-> return true;
441| }
442|
---
src/main.c | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/src/main.c b/src/main.c index 62453bffaf57..9db8d7000490 100644 --- a/src/main.c +++ b/src/main.c
@@ -420,9 +420,10 @@ static bool parse_config_string(GKeyFile *config, const char *group, const char *key, char **val) { GError *err = NULL; - char *tmp; - tmp = g_key_file_get_string(config, group, key, &err); + g_return_val_if_fail(val, false); + + *val = g_key_file_get_string(config, group, key, &err); if (err) { if (err->code != G_KEY_FILE_ERROR_KEY_NOT_FOUND) DBG("%s", err->message); @@ -430,12 +431,7 @@ static bool parse_config_string(GKeyFile *config, const char *group, return false; } - DBG("%s.%s = %s", group, key, tmp); - - if (val) { - g_free(*val); - *val = tmp; - } + DBG("%s.%s = %s", group, key, *val); return true; } 
@@ -1004,7 +1000,12 @@ static void parse_secure_conns(GKeyFile *config) static void parse_general(GKeyFile *config) { - parse_config_string(config, "General", "Name", &btd_opts.name); + char *str = NULL; + + if (parse_config_string(config, "General", "Name", &str)) { + g_free(btd_opts.name); + btd_opts.name = str; + } parse_config_hex(config, "General", "Class", &btd_opts.class); parse_config_u32(config, "General", "DiscoverableTimeout", &btd_opts.discovto,
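
Review bot: In parse_config_string() (src/main.c), the new "*val = g_key_file_get_string(config, group, key, &err);" stores into the caller's pointer before the "if (err)" check, so on a missing or malformed key the caller's variable is overwritten with NULL and anything it pointed to is no longer freed by this function. parse_general() copes by passing a fresh str, but that contract is not written down in the hunk; a comment above the function stating that *val must not own memory on entry and is NULL when false is returned would keep the next caller from reintroducing the leak. The new g_return_val_if_fail(val, false) also turns a NULL val, which the old "if (val)" tolerated, into a logged critical and an early return, and that behaviour change deserves a line in the commit message.
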
From: Bastien Nocera
To: linux-bluetooth@vger.kernel.org
Cc: Bastien Nocera
Subject: [BlueZ resend 2/9] avdtp: Fix manipulating struct as an array
Date: Tue, 2 Jul 2024 16:23:34 +0200
Message-ID: <20240702142436.833138-3-hadess@hadess.net>
In-Reply-To: <20240702142436.833138-1-hadess@hadess.net>
References: <20240702142436.833138-1-hadess@hadess.net>

Don't manipulate the "req" structs as if they were flat arrays, static analysis and humans are both equally confused by this kind of usage.

Error: ARRAY_VS_SINGLETON (CWE-119): [#def26] [important]
bluez-5.76/profiles/audio/avdtp.c:1675:2: address_of: Taking address with "&start->first_seid" yields a singleton pointer.
bluez-5.76/profiles/audio/avdtp.c:1675:2: assign: Assigning: "seid" = "&start->first_seid".
bluez-5.76/profiles/audio/avdtp.c:1679:25: ptr_arith: Using "seid" as an array. This might corrupt or misinterpret adjacent memory locations.
1677| int i;
1678|
1679|-> for (i = 0; i < count; i++, seid++) {
1680| if (seid->seid == id) {
1681| req->collided = TRUE;

Error: ARRAY_VS_SINGLETON (CWE-119): [#def27] [important]
bluez-5.76/profiles/audio/avdtp.c:1690:2: address_of: Taking address with "&suspend->first_seid" yields a singleton pointer.
bluez-5.76/profiles/audio/avdtp.c:1690:2: assign: Assigning: "seid" = "&suspend->first_seid".
bluez-5.76/profiles/audio/avdtp.c:1694:25: ptr_arith: Using "seid" as an array. This might corrupt or misinterpret adjacent memory locations.
1692| int i;
1693|
1694|-> for (i = 0; i < count; i++, seid++) {
1695| if (seid->seid == id) {
1696| req->collided = TRUE;

Error: ARRAY_VS_SINGLETON (CWE-119): [#def28] [important]
bluez-5.76/profiles/audio/avdtp.c:1799:2: address_of: Taking address with "&req->first_seid" yields a singleton pointer.
bluez-5.76/profiles/audio/avdtp.c:1799:2: assign: Assigning: "seid" = "&req->first_seid".
bluez-5.76/profiles/audio/avdtp.c:1801:30: ptr_arith: Using "seid" as an array. This might corrupt or misinterpret adjacent memory locations.
1799| seid = &req->first_seid;
1800|
1801|-> for (i = 0; i < seid_count; i++, seid++) {
1802| failed_seid = seid->seid;
1803|

Error: ARRAY_VS_SINGLETON (CWE-119): [#def29] [important]
bluez-5.76/profiles/audio/avdtp.c:1912:2: address_of: Taking address with "&req->first_seid" yields a singleton pointer.
bluez-5.76/profiles/audio/avdtp.c:1912:2: assign: Assigning: "seid" = "&req->first_seid".
bluez-5.76/profiles/audio/avdtp.c:1914:30: ptr_arith: Using "seid" as an array. This might corrupt or misinterpret adjacent memory locations.
1912| seid = &req->first_seid;
1913|
1914|-> for (i = 0; i < seid_count; i++, seid++) {
1915| failed_seid = seid->seid;
1916|
---
profiles/audio/avdtp.c | 45 +++++++++++++++++++++++----------------------
1 file changed, 23 insertions(+), 22 deletions(-)

diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c index 3667e08400dd..45d1b120b760 100644 --- a/profiles/audio/avdtp.c +++ b/profiles/audio/avdtp.c
@@ -184,13 +184,17 @@ struct getcap_resp { } __attribute__ ((packed)); struct start_req { - struct seid first_seid; - struct seid other_seids[0]; + union { + struct seid required[1]; + struct seid seids[0]; + }; } __attribute__ ((packed)); struct suspend_req { - struct seid first_seid; - struct seid other_seids[0]; + union { + struct seid required[1]; + struct seid seids[0]; + }; } __attribute__ ((packed)); struct seid_rej {
@@ -1672,12 +1676,12 @@ static void check_seid_collision(struct pending_req *req, uint8_t id) static void check_start_collision(struct pending_req *req, uint8_t id) { struct start_req *start = req->data; - struct seid *seid = &start->first_seid; int count = 1 + req->data_size - sizeof(struct start_req); int i; - for (i = 0; i < count; i++, seid++) { - if (seid->seid == id) { + for (i = 0; i < count; i++) { + struct seid seid = start->seids[i]; + if (seid.seid == id) { req->collided = TRUE; return; } @@ -1687,12 +1691,12 @@ static void check_start_collision(struct pending_req *req, uint8_t id) static void check_suspend_collision(struct pending_req *req, uint8_t id) { struct suspend_req *suspend = req->data; - struct seid *seid = &suspend->first_seid; int count = 1 + req->data_size - sizeof(struct suspend_req); int i; - for (i = 0; i < count; i++, seid++) { - if (seid->seid == id) { + for (i = 0; i < count; i++) { + struct seid seid = suspend->seids[i]; + if (seid.seid == id) { req->collided = TRUE; return; } @@ -1785,7 +1789,6 @@ static gboolean avdtp_start_cmd(struct avdtp *session, uint8_t transaction, struct avdtp_local_sep *sep; struct avdtp_stream *stream; struct stream_rej rej; - struct seid *seid; uint8_t err, failed_seid; int seid_count, i; @@ -1796,12 +1799,12 @@ static gboolean avdtp_start_cmd(struct avdtp *session, uint8_t transaction, seid_count = 1 + size - sizeof(struct start_req); - seid = &req->first_seid; + for (i = 0; i < seid_count; i++) { + struct seid seid = req->seids[i]; - for (i = 0; i < seid_count; i++, seid++) { - failed_seid = seid->seid; + failed_seid = seid.seid; - sep = find_local_sep_by_seid(session, seid->seid); + sep = find_local_sep_by_seid(session, seid.seid); if (!sep || !sep->stream) { err = AVDTP_BAD_ACP_SEID; goto failed; 
@@ -1898,7 +1901,6 @@ static gboolean avdtp_suspend_cmd(struct avdtp *session, uint8_t transaction, struct avdtp_local_sep *sep; struct avdtp_stream *stream; struct stream_rej rej; - struct seid *seid; uint8_t err, failed_seid; int seid_count, i; @@ -1909,12 +1911,11 @@ static gboolean avdtp_suspend_cmd(struct avdtp *session, uint8_t transaction, seid_count = 1 + size - sizeof(struct suspend_req); - seid = &req->first_seid; + for (i = 0; i < seid_count; i++) { + struct seid seid = req->seids[i]; + failed_seid = seid.seid; - for (i = 0; i < seid_count; i++, seid++) { - failed_seid = seid->seid; - - sep = find_local_sep_by_seid(session, seid->seid); + sep = find_local_sep_by_seid(session, seid.seid); if (!sep || !sep->stream) { err = AVDTP_BAD_ACP_SEID; goto failed; 
@@ -3663,7 +3664,7 @@ int avdtp_start(struct avdtp *session, struct avdtp_stream *stream) } memset(&req, 0, sizeof(req)); - req.first_seid.seid = stream->rseid; + req.required->seid = stream->rseid; ret = send_request(session, FALSE, stream, AVDTP_START, &req, sizeof(req));
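
Review bot: In struct start_req and struct suspend_req (profiles/audio/avdtp.c), seids[0] is a GNU zero-length array, and every loop in this patch indexes it with i up to count - 1. A checker that takes the declared bound literally sees a zero-element array, so the ARRAY_VS_SINGLETON report may simply be traded for an out-of-bounds one. A short comment on the union saying that required[1] holds the mandatory first SEID and seids overlays it to reach the optional ones would document that the overlay is intentional.
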
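
Review bot: In check_start_collision() and check_suspend_collision(), and on the seid_count lines of avdtp_start_cmd() and avdtp_suspend_cmd(), the loop bound is still "1 + size - sizeof(struct start_req)", a byte count used as an element count. That equals the number of seids entries only while struct seid is exactly one byte. Since the loops now index seids[i] directly, computing the bound as size / sizeof(struct seid), or adding a static assertion on sizeof(struct seid), would tie the bound to the array it guards.
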
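
Review bot: In avdtp_start(), "req.required->seid = stream->rseid;" relies on the array decaying to a pointer, which is the array-versus-pointer ambiguity this patch sets out to remove. Writing req.required[0].seid says the same thing and matches the indexed access used by the readers.
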
From: Bastien Nocera
To: linux-bluetooth@vger.kernel.org
Cc: Bastien Nocera
Subject: [BlueZ resend 3/9] mesh: Avoid accessing array out-of-bounds
Date: Tue, 2 Jul 2024 16:23:35 +0200
Message-ID: <20240702142436.833138-4-hadess@hadess.net>
In-Reply-To: <20240702142436.833138-1-hadess@hadess.net>
References: <20240702142436.833138-1-hadess@hadess.net>

We would boundary check the expected_pdu_size array based on the value of type, but would still access it out-of-bounds for the debug message. Split off the invalid type check into its own message to avoid this.

Error: OVERRUN (CWE-119): [#def23] [important]
bluez-5.76/mesh/prov-initiator.c:676:2: cond_at_least: Checking "type >= 10UL" implies that "type" is at least 10 on the true branch.
bluez-5.76/mesh/prov-initiator.c:678:3: overrun-local: Overrunning array "expected_pdu_size" of 10 2-byte elements at element index 10 (byte offset 21) using index "type" (which evaluates to 10).
676| if (type >= L_ARRAY_SIZE(expected_pdu_size) ||
677| len != expected_pdu_size[type]) {
678|-> l_error("Expected PDU size %d, Got %d (type: %2.2x)",
679| expected_pdu_size[type], len, type);
680| fail_code[1] = PROV_ERR_INVALID_FORMAT;
---
mesh/prov-initiator.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/mesh/prov-initiator.c b/mesh/prov-initiator.c index 653f3ae3e1c2..e353d23865ef 100644 --- a/mesh/prov-initiator.c +++ b/mesh/prov-initiator.c
@@ -673,8 +673,13 @@ static void int_prov_rx(void *user_data, const void *dptr, uint16_t len) goto failure; } - if (type >= L_ARRAY_SIZE(expected_pdu_size) || - len != expected_pdu_size[type]) { + if (type >= L_ARRAY_SIZE(expected_pdu_size)) { + l_error("Invalid PDU type %2.2x", type); + fail_code[1] = PROV_ERR_INVALID_FORMAT; + goto failure; + } + + if (len != expected_pdu_size[type]) { l_error("Expected PDU size %d, Got %d (type: %2.2x)", expected_pdu_size[type], len, type); fail_code[1] = PROV_ERR_INVALID_FORMAT;
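
Review bot: In int_prov_rx() (mesh/prov-initiator.c), the new "type >= L_ARRAY_SIZE(expected_pdu_size)" branch sets the same PROV_ERR_INVALID_FORMAT as the length mismatch below it, so the peer cannot tell an unknown PDU type from a known type with the wrong size. If the provisioning failure codes distinguish the two cases, the first branch should report the more specific one; if they do not, a comment saying the shared code is deliberate would save the next reader the question.
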
From: Bastien Nocera
To: linux-bluetooth@vger.kernel.org
Cc: Bastien Nocera
Subject: [BlueZ resend 4/9] obexd: Fix possible memleak
Date: Tue, 2 Jul 2024 16:23:36 +0200
Message-ID: <20240702142436.833138-5-hadess@hadess.net>
In-Reply-To: <20240702142436.833138-1-hadess@hadess.net>
References: <20240702142436.833138-1-hadess@hadess.net>

Fix possible resource leak if an attribute is repeated, overriding the original value.

Error: RESOURCE_LEAK (CWE-772): [#def28] [important]
bluez-5.76/obexd/plugins/messages-dummy.c:362:4: alloc_fn: Storage is returned from allocation function "g_strdup_inline".
bluez-5.76/obexd/plugins/messages-dummy.c:362:4: var_assign: Assigning: "entry->handle" = storage returned from "g_strdup_inline(values[i])".
bluez-5.76/obexd/plugins/messages-dummy.c:362:4: overwrite_var: Overwriting "entry->handle" in "entry->handle = g_strdup_inline(values[i])" leaks the storage that "entry->handle" points to.
360| for (i = 0 ; names[i]; ++i) {
361| if (g_strcmp0(names[i], "handle") == 0) {
362|-> entry->handle = g_strdup(values[i]);
363| mld->size++;
364| continue;

Error: RESOURCE_LEAK (CWE-772): [#def29] [important]
bluez-5.76/obexd/plugins/messages-dummy.c:367:4: alloc_fn: Storage is returned from allocation function "g_strdup_inline".
bluez-5.76/obexd/plugins/messages-dummy.c:367:4: var_assign: Assigning: "entry->attachment_size" = storage returned from "g_strdup_inline(values[i])".
bluez-5.76/obexd/plugins/messages-dummy.c:367:4: overwrite_var: Overwriting "entry->attachment_size" in "entry->attachment_size = g_strdup_inline(values[i])" leaks the storage that "entry->attachment_size" points to.
365| }
366| if (g_strcmp0(names[i], "attachment_size") == 0) {
367|-> entry->attachment_size = g_strdup(values[i]);
368| continue;
369| }

Error: RESOURCE_LEAK (CWE-772): [#def30] [important]
bluez-5.76/obexd/plugins/messages-dummy.c:371:4: alloc_fn: Storage is returned from allocation function "g_strdup_inline".
bluez-5.76/obexd/plugins/messages-dummy.c:371:4: var_assign: Assigning: "entry->datetime" = storage returned from "g_strdup_inline(values[i])".
bluez-5.76/obexd/plugins/messages-dummy.c:371:4: overwrite_var: Overwriting "entry->datetime" in "entry->datetime = g_strdup_inline(values[i])" leaks the storage that "entry->datetime" points to.
369| }
370| if (g_strcmp0(names[i], "datetime") == 0) {
371|-> entry->datetime = g_strdup(values[i]);
372| continue;
373| }

Error: RESOURCE_LEAK (CWE-772): [#def31] [important]
bluez-5.76/obexd/plugins/messages-dummy.c:375:4: alloc_fn: Storage is returned from allocation function "g_strdup_inline".
bluez-5.76/obexd/plugins/messages-dummy.c:375:4: var_assign: Assigning: "entry->subject" = storage returned from "g_strdup_inline(values[i])".
bluez-5.76/obexd/plugins/messages-dummy.c:375:4: overwrite_var: Overwriting "entry->subject" in "entry->subject = g_strdup_inline(values[i])" leaks the storage that "entry->subject" points to.
373| }
374| if (g_strcmp0(names[i], "subject") == 0) {
375|-> entry->subject = g_strdup(values[i]);
376| continue;
377| }

Error: RESOURCE_LEAK (CWE-772): [#def32] [important]
bluez-5.76/obexd/plugins/messages-dummy.c:379:4: alloc_fn: Storage is returned from allocation function "g_strdup_inline".
bluez-5.76/obexd/plugins/messages-dummy.c:379:4: var_assign: Assigning: "entry->recipient_addressing" = storage returned from "g_strdup_inline(values[i])".
bluez-5.76/obexd/plugins/messages-dummy.c:379:4: overwrite_var: Overwriting "entry->recipient_addressing" in "entry->recipient_addressing = g_strdup_inline(values[i])" leaks the storage that "entry->recipient_addressing" points to.
377| }
378| if (g_strcmp0(names[i], "recipient_addressing") == 0) {
379|-> entry->recipient_addressing = g_strdup(values[i]);
380| continue;
381| }

Error: RESOURCE_LEAK (CWE-772): [#def33] [important]
bluez-5.76/obexd/plugins/messages-dummy.c:383:4: alloc_fn: Storage is returned from allocation function "g_strdup_inline".
bluez-5.76/obexd/plugins/messages-dummy.c:383:4: var_assign: Assigning: "entry->sender_addressing" = storage returned from "g_strdup_inline(values[i])".
bluez-5.76/obexd/plugins/messages-dummy.c:383:4: overwrite_var: Overwriting "entry->sender_addressing" in "entry->sender_addressing = g_strdup_inline(values[i])" leaks the storage that "entry->sender_addressing" points to.
381| }
382| if (g_strcmp0(names[i], "sender_addressing") == 0) {
383|-> entry->sender_addressing = g_strdup(values[i]);
384| continue;
385| }

Error: RESOURCE_LEAK (CWE-772): [#def34] [important]
bluez-5.76/obexd/plugins/messages-dummy.c:387:4: alloc_fn: Storage is returned from allocation function "g_strdup_inline".
bluez-5.76/obexd/plugins/messages-dummy.c:387:4: var_assign: Assigning: "entry->type" = storage returned from "g_strdup_inline(values[i])".
bluez-5.76/obexd/plugins/messages-dummy.c:387:4: overwrite_var: Overwriting "entry->type" in "entry->type = g_strdup_inline(values[i])" leaks the storage that "entry->type" points to.
385| }
386| if (g_strcmp0(names[i], "type") == 0) {
387|-> entry->type = g_strdup(values[i]);
388| continue;
389| }

Error: RESOURCE_LEAK (CWE-772): [#def35] [important]
bluez-5.76/obexd/plugins/messages-dummy.c:391:4: alloc_fn: Storage is returned from allocation function "g_strdup_inline".
bluez-5.76/obexd/plugins/messages-dummy.c:391:4: var_assign: Assigning: "entry->reception_status" = storage returned from "g_strdup_inline(values[i])".
bluez-5.76/obexd/plugins/messages-dummy.c:391:4: overwrite_var: Overwriting "entry->reception_status" in "entry->reception_status = g_strdup_inline(values[i])" leaks the storage that "entry->reception_status" points to.
389| }
390| if (g_strcmp0(names[i], "reception_status") == 0)
391|-> entry->reception_status = g_strdup(values[i]);
392| }
393|
---
obexd/plugins/messages-dummy.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/obexd/plugins/messages-dummy.c b/obexd/plugins/messages-dummy.c index e37b52df6266..92378dab4b20 100644 --- a/obexd/plugins/messages-dummy.c +++ b/obexd/plugins/messages-dummy.c
@@ -359,36 +359,45 @@ static void msg_element(GMarkupParseContext *ctxt, const char *element, for (i = 0 ; names[i]; ++i) { if (g_strcmp0(names[i], "handle") == 0) { + g_free(entry->handle); entry->handle = g_strdup(values[i]); mld->size++; continue; } if (g_strcmp0(names[i], "attachment_size") == 0) { + g_free(entry->attachment_size); entry->attachment_size = g_strdup(values[i]); continue; } if (g_strcmp0(names[i], "datetime") == 0) { + g_free(entry->datetime); entry->datetime = g_strdup(values[i]); continue; } if (g_strcmp0(names[i], "subject") == 0) { + g_free(entry->subject); entry->subject = g_strdup(values[i]); continue; } if (g_strcmp0(names[i], "recipient_addressing") == 0) { + g_free(entry->recipient_addressing); entry->recipient_addressing = g_strdup(values[i]); continue; } if (g_strcmp0(names[i], "sender_addressing") == 0) { + g_free(entry->sender_addressing); entry->sender_addressing = g_strdup(values[i]); continue; } if (g_strcmp0(names[i], "type") == 0) { + g_free(entry->type); entry->type = g_strdup(values[i]); continue; } - if (g_strcmp0(names[i], "reception_status") == 0) + if (g_strcmp0(names[i], "reception_status") == 0) { + g_free(entry->reception_status); entry->reception_status = g_strdup(values[i]); + } } if (mld->size > mld->offset)
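
Review bot: In msg_element() (obexd/plugins/messages-dummy.c), the "handle" branch still runs mld->size++ on every occurrence, so a repeated handle attribute no longer leaks but is still counted twice for one entry; increment only when entry->handle was NULL before the assignment. The eight g_free()/g_strdup() pairs also differ only in the field name, and a small helper taking the destination pointer would keep a future field from missing its g_free().
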
From: Bastien Nocera
To: linux-bluetooth@vger.kernel.org
Cc: Bastien Nocera
Subject: [BlueZ resend 5/9] obexd: Fix memory leak in entry struct
Date: Tue, 2 Jul 2024 16:23:37 +0200
Message-ID: <20240702142436.833138-6-hadess@hadess.net>
In-Reply-To: <20240702142436.833138-1-hadess@hadess.net>
References: <20240702142436.833138-1-hadess@hadess.net>

recipient_addressing was never freed.

Error: RESOURCE_LEAK (CWE-772): [#def36] [important]
bluez-5.76/obexd/plugins/messages-dummy.c:379:4: alloc_fn: Storage is returned from allocation function "g_strdup_inline".
bluez-5.76/obexd/plugins/messages-dummy.c:379:4: var_assign: Assigning: "entry->recipient_addressing" = storage returned from "g_strdup_inline(values[i])".
bluez-5.76/obexd/plugins/messages-dummy.c:404:2: leaked_storage: Freeing "entry" without freeing its pointer field "recipient_addressing" leaks the storage that "recipient_addressing" points to.
402| g_free(entry->attachment_size);
403| g_free(entry->handle);
404|-> g_free(entry);
405| }
406|
---
obexd/plugins/messages-dummy.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/obexd/plugins/messages-dummy.c b/obexd/plugins/messages-dummy.c index 92378dab4b20..e313c6163ec4 100644 --- a/obexd/plugins/messages-dummy.c +++ b/obexd/plugins/messages-dummy.c
@@ -406,6 +406,7 @@ static void msg_element(GMarkupParseContext *ctxt, const char *element, g_free(entry->reception_status); g_free(entry->type); g_free(entry->sender_addressing); + g_free(entry->recipient_addressing); g_free(entry->subject); g_free(entry->datetime); g_free(entry->attachment_size);
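
Review bot: The added g_free(entry->recipient_addressing) fills the one gap in this hand-written list of frees, but the list still has to be kept in step by hand with the fields that msg_element() fills in. Moving the frees into one function that releases a whole entry would give the struct a single place to update when a field is added, and would stop this class of leak from recurring.
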
From: Bastien Nocera
To: linux-bluetooth@vger.kernel.org
Cc: Bastien Nocera
Subject: [BlueZ resend 6/9] obexd: Fix leak in backup_object struct
Date: Tue, 2 Jul 2024 16:23:38 +0200
Message-ID: <20240702142436.833138-7-hadess@hadess.net>
In-Reply-To: <20240702142436.833138-1-hadess@hadess.net>
References: <20240702142436.833138-1-hadess@hadess.net>

Error: RESOURCE_LEAK (CWE-772): [#def37] [important]
bluez-5.76/obexd/plugins/pcsuite.c:370:2: alloc_fn: Storage is returned from allocation function "g_path_get_basename".
bluez-5.76/obexd/plugins/pcsuite.c:370:2: var_assign: Assigning: "obj->cmd" = storage returned from "g_path_get_basename(name)".
bluez-5.76/obexd/plugins/pcsuite.c:379:3: leaked_storage: Freeing "obj" without freeing its pointer field "cmd" leaks the storage that "cmd" points to.
377|
378| if (send_backup_dbus_message("open", obj, size) == FALSE) {
379|-> g_free(obj);
380| obj = NULL;
381| }
---
obexd/plugins/pcsuite.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/obexd/plugins/pcsuite.c b/obexd/plugins/pcsuite.c index 752074c08f45..07c444ff27e0 100644 --- a/obexd/plugins/pcsuite.c +++ b/obexd/plugins/pcsuite.c
@@ -376,6 +376,7 @@ static void *backup_open(const char *name, int oflag, mode_t mode, obj->error_code = 0; if (send_backup_dbus_message("open", obj, size) == FALSE) { + g_free(obj->cmd); g_free(obj); obj = NULL; } From patchwork Tue Jul 2 14:23:39 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 810083 Received: from relay1-d.mail.gandi.net (relay1-d.mail.gandi.net [217.70.183.193]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D8AE51BA073 for ; Tue, 2 Jul 2024 14:24:46 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.193 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1719930288; cv=none; b=Hy6IuDKe9LItBzzCJZZrFsYnNEjEfHCOgFtch13QVbOQzyshG/RNlO49IHjbwINrUZ+o2zPnGDH52+RJTJWyAuENfgEvZEorkFPtM+nwf+QiSlUPmw7Ne9eyRmfPsOQKiwbqDSkhimzaZ9+k3Fe7zA8Zco5CbP6G2v2XFFyjVbo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1719930288; c=relaxed/simple; bh=pEFwQqrxZ7hYKYFfzvdo3ASO2CPzdk2+VAZswynkeqE=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=nWYzs4nXOG0m+qQScIWMhDbN/BgW59tW15/5cdL7hoetY+yv73dKpNSq351Zt+OypxhnuWwpkXh+A24oLa7LmovbuWF4cZHbR9mqRYts8BmabZ32K7mKFTebBvD/mDqIN1L8rkYTmIY7qwGx8Pl/X/CWwlR9jo0048o7e8pX4rA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.193 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id 724A5240010; Tue, 2 Jul 2024 14:24:39 +0000 (UTC) 
From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [BlueZ resend 7/9] health/mcap: Fix memory leak in mcl struct Date: Tue, 2 Jul 2024 16:23:39 +0200 Message-ID: <20240702142436.833138-8-hadess@hadess.net> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20240702142436.833138-1-hadess@hadess.net> References: <20240702142436.833138-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net Error: RESOURCE_LEAK (CWE-772): [#def40] [important] bluez-5.76/profiles/health/mcap.c:2052:3: alloc_arg: "set_default_cb" allocates memory that is stored into "mcl->cb". bluez-5.76/profiles/health/mcap.c:2055:4: leaked_storage: Freeing "mcl" without freeing its pointer field "cb" leaks the storage that "cb" points to. 2053| if (util_getrandom(&val, sizeof(val), 0) < 0) { 2054| mcap_instance_unref(mcl->mi); 2055|-> g_free(mcl); 2056| goto drop; 2057| } --- profiles/health/mcap.c | 1 + 1 file changed, 1 insertion(+) diff --git a/profiles/health/mcap.c b/profiles/health/mcap.c index b544b9a0a9b4..7eceaa88a3a9 100644 --- a/profiles/health/mcap.c +++ b/profiles/health/mcap.c 
@@ -2052,6 +2052,7 @@ static void connect_mcl_event_cb(GIOChannel *chan, GError *gerr, set_default_cb(mcl); if (util_getrandom(&val, sizeof(val), 0) < 0) { mcap_instance_unref(mcl->mi); + g_free(mcl->cb); g_free(mcl); goto drop; } From patchwork Tue Jul 2 14:23:40 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 810082 Received: from relay1-d.mail.gandi.net (relay1-d.mail.gandi.net [217.70.183.193]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3EE5D1BA08C for ; Tue, 2 Jul 2024 14:24:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.193 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1719930289; cv=none; b=s/d9ZWKkLqkiBeJOAHV+dRMrRf97/6aJxExVUzT8w/LqxoDe9qrcdtpez0C2h9AzO0+ievLvIyBggozwiFWHYABkLTytqEpwsQSTSGelDoBJl+gVahbr4TUYm/S4jY9IQjVPADrg6ewxEfZI58UhZ0sW9oWPHFE9usrFsBK5hvE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1719930289; c=relaxed/simple; bh=sIwc6ePtSzw560EK6jNHzIqsaPWzGQU3M10lm6e07TI=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=fcceM5lQ6mcgf4hvqcPks8/OyOPaNcVO4UeDRu3SdyWC0Lc9MXXd5KqZs8XGAH5lZa2V655ALQ+r/nW77qAfwQpT67oL+4NF5gRFGpjHf/360DW8FqOQRzUHR2A+KbSsbN0GKYO50fK9SGlIWufHpDRqr3m/BfH8ceTsm4QbAHg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.193 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id B7084240011; Tue, 2 Jul 2024 14:24:39 +0000 (UTC) 
From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [BlueZ resend 8/9] sdp: Fix memory leak in sdp_data_alloc*() Date: Tue, 2 Jul 2024 16:23:40 +0200 Message-ID: <20240702142436.833138-9-hadess@hadess.net> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20240702142436.833138-1-hadess@hadess.net> References: <20240702142436.833138-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net Make sure to free already allocated memory if we run out of memory before the end of the loop. Error: RESOURCE_LEAK (CWE-772): [#def8] [important] bluez-5.76/lib/sdp.c:542:4: alloc_fn: Storage is returned from allocation function "sdp_data_alloc". bluez-5.76/lib/sdp.c:542:4: var_assign: Assigning: "data" = storage returned from "sdp_data_alloc(dtd, values[i])". bluez-5.76/lib/sdp.c:550:4: var_assign: Assigning: "seq" = "data". bluez-5.76/lib/sdp.c:552:3: var_assign: Assigning: "curr" = "data". bluez-5.76/lib/sdp.c:553:2: out_of_scope: Variable "data" goes out of scope. bluez-5.76/lib/sdp.c:552:3: overwrite_var: Overwriting "curr" in "curr = data". bluez-5.76/lib/sdp.c:545:4: leaked_storage: Variable "seq" going out of scope leaks the storage it points to. 543| 544| if (!data) 545|-> return NULL; 546| 547| if (curr) --- lib/sdp.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/lib/sdp.c b/lib/sdp.c index 2e66505b21b8..b87951b007a3 100644 --- a/lib/sdp.c +++ b/lib/sdp.c @@ -513,8 +513,10 @@ sdp_data_t *sdp_seq_alloc_with_length(void **dtds, void **values, int *length, else data = sdp_data_alloc_with_length(dtd, values[i], length[i]); - if (!data) + if (!data) { + sdp_data_free(seq); return NULL; + } if (curr) curr->next = data; 
@@ -541,8 +543,10 @@ sdp_data_t *sdp_seq_alloc(void **dtds, void **values, int len) else data = sdp_data_alloc(dtd, values[i]); - if (!data) + if (!data) { + sdp_data_free(seq); return NULL; + } if (curr) curr->next = data; From patchwork Tue Jul 2 14:23:41 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bastien Nocera X-Patchwork-Id: 809176 Received: from relay1-d.mail.gandi.net (relay1-d.mail.gandi.net [217.70.183.193]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2A3851B5837 for ; Tue, 2 Jul 2024 14:24:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.183.193 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1719930289; cv=none; b=T7s2CqLqP30ZJ9fkUznzQu/27HQQjrPLJerMtozsox2Q5cJzCE8ZDqSATLLpmFZd0q2mZLt3P3y2mlwXe+vlUdHF4bqgO+vjXR4bmzlC99wpBa7g9fjq5tF/3WA5mI3nyOg7JrQea/LrDa2vzR0T9UQ+w07B7u3wjtPEraK4AaQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1719930289; c=relaxed/simple; bh=AMs8ychV2P29ai3YR75bpglgCf2JFXuMVDB5Yw5686M=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=CMIWZxDUYU1NtFwrKPlZgI1s655OyGnAmvb085MxPWT1IZIa4D/JB/QaJbyTuztVmI+8rfMu7lg2gf9t/9H/l8ajCKAlY4dEdxXe3p2+zAjP6/zZcU6bdF+uNcVjyJvcGQWpsvzpwhBeEvpsG2x0d9e6gyi+0v9I8kShle386v4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net; spf=pass smtp.mailfrom=hadess.net; arc=none smtp.client-ip=217.70.183.193 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=hadess.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=hadess.net Received: by mail.gandi.net (Postfix) with ESMTPSA id 080BD240014; Tue, 2 Jul 2024 14:24:39 +0000 (UTC) 
From: Bastien Nocera To: linux-bluetooth@vger.kernel.org Cc: Bastien Nocera Subject: [BlueZ resend 9/9] sdp: Check memory allocation in sdp_copy_seq() Date: Tue, 2 Jul 2024 16:23:41 +0200 Message-ID: <20240702142436.833138-10-hadess@hadess.net> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20240702142436.833138-1-hadess@hadess.net> References: <20240702142436.833138-1-hadess@hadess.net> Precedence: bulk X-Mailing-List: linux-bluetooth@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-GND-Sasl: hadess@hadess.net Fix a potential null-dereference if sdp_data_alloc_with_length() fails, as is done in other similar functions. --- lib/sdp.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/lib/sdp.c b/lib/sdp.c index b87951b007a3..b64245f668d3 100644 --- a/lib/sdp.c +++ b/lib/sdp.c @@ -1538,6 +1538,11 @@ static sdp_data_t *sdp_copy_seq(sdp_data_t *data) value = sdp_data_value(tmp, &len); datatmp = sdp_data_alloc_with_length(tmp->dtd, value, len); + if (!datatmp) { + sdp_data_free(seq); + return NULL; + } + if (cur) cur->next = datatmp; else
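Review bot: In the connect_mcl_event_cb() hunk of 7/9 (profiles/health/mcap.c, @@ -2052,6 +2052,7 @@), the new g_free(mcl->cb) is needed only because set_default_cb(mcl) runs before util_getrandom() can fail. As far as the visible lines show, util_getrandom(&val, sizeof(val), 0) reads nothing from mcl, so calling it before set_default_cb(mcl) would leave the failure branch with nothing extra to free, and the branch would stay correct if set_default_cb() later allocates more. If the order has to stay, a short comment in the branch saying that cb is owned by mcl at this point would help the next reader.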
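Review bot: In both hunks of 8/9 (sdp_seq_alloc_with_length() and sdp_seq_alloc() in lib/sdp.c), sdp_data_free(seq) is called on the head of a chain that the loop links with curr->next = data, and per the quoted trace seq is only assigned after the !data check, so the call can also be reached on the first iteration before seq holds anything. The hunks do not show whether sdp_data_free() accepts NULL or follows ->next on a bare element. If it does neither, a failure on the first element dereferences NULL and a later failure still leaks every node after the head. Please confirm both cases, or guard the call with if (seq) and walk the chain explicitly in the error branch.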
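Review bot: In the sdp_copy_seq() hunk of 9/9, the added return NULL gives this static helper a failure return on the !datatmp path, and per the diffstat (1 file changed, 5 insertions) no caller was touched to handle it. Please check each caller in lib/sdp.c for a NULL result so the dereference is not just moved one level up. The commit message mentions only the null dereference; it should also say that the partially built seq is freed on this path.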