Commit: 8de21f74c5f309bdb3872293db23b5a0f20ae163
Parent: 2433842ea33bcb80a9c157cbac472efedae8c8d4
Author: Bastien Nocera <hadess@hadess.net>
Committer: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: 2024-07-08 17:17:40
Tree: 9aac49fc02cdcb34c0adda4bb81fd3997abbd21f

btsnoop: Fix possible negative memcpy length

Error: INTEGER_OVERFLOW (CWE-190): [#def41] [important]
tools/btsnoop.c:438:2: tainted_data_return: Called function "read(fd, buf, toread)", and a possible return value may be less than zero.
tools/btsnoop.c:438:2: assign: Assigning: "len" = "read(fd, buf, toread)".
tools/btsnoop.c:473:4: overflow: The cast of "len - 9L", which is potentially negative, to an unsigned type could result in an overflow.
471|                    /* next 4 bytes are data len and cid */
472|                    current_cid = buf[8] << 8 | buf[7];
473|->                  memcpy(pdu_buf, buf + 9, len - 9);
474|                    pdu_len = len - 9;
475|            } else if (acl_flags & 0x01) {

Error: INTEGER_OVERFLOW (CWE-190): [#def42] [important]
tools/btsnoop.c:438:2: tainted_data_return: Called function "read(fd, buf, toread)", and a possible return value may be less than zero.
tools/btsnoop.c:438:2: assign: Assigning: "len" = "read(fd, buf, toread)".
tools/btsnoop.c:476:4: overflow: The cast of "len - 5L", which is potentially negative, to an unsigned type could result in an overflow.
474|                    pdu_len = len - 9;
475|            } else if (acl_flags & 0x01) {
476|->                  memcpy(pdu_buf + pdu_len, buf + 5, len - 5);
477|                    pdu_len += len - 5;
478|            }

Diffstat

M tools/btsnoop.c | 4 ++--

1 files changed, 2 insertions(+), 2 deletions(-)
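
The pattern Coverity flags in the commit message above, as an added example that is not code from tools/btsnoop.c or from this commit: a read() return value that may be negative has a header size subtracted from it and is then converted to memcpy's size_t length. The names copy_payload and unchecked_length, the sample buffer and the destination-capacity check are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed sample: 9 header bytes followed by 3 payload bytes. */
static const uint8_t sample[12] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xaa, 0xbb, 0xcc };
static uint8_t out[16];

/* Length memcpy() would receive if the signed subtraction is passed
 * unchecked: the negative result converts to a huge size_t. */
static size_t unchecked_length(ssize_t len, ssize_t hdr)
{
	return (size_t) (len - hdr);
}

/* Hypothetical helper (not from tools/btsnoop.c): copy what follows a
 * hdr-byte header from a buffer filled by read(). len is the raw
 * read() return value. Returns bytes copied, or -1 if rejected. */
static ssize_t copy_payload(uint8_t *dst, size_t room,
			    const uint8_t *buf, ssize_t len, size_t hdr)
{
	size_t payload;

	/* Reject read() errors and short reads before subtracting. */
	if (len < 0 || (size_t) len < hdr)
		return -1;

	payload = (size_t) len - hdr;
	if (payload > room)	/* assumed extra check: destination capacity */
		return -1;

	memcpy(dst, buf + hdr, payload);
	return (ssize_t) payload;
}

int main(void)
{
	printf("read() == -1, header 9: unchecked length = %zu\n",
	       unchecked_length(-1, 9));
	printf("checked, len -1: %zd\n", copy_payload(out, sizeof(out), sample, -1, 9));
	printf("checked, len  4: %zd\n", copy_payload(out, sizeof(out), sample, 4, 9));
	printf("checked, len 12: %zd\n", copy_payload(out, sizeof(out), sample, 12, 9));
	return 0;
}
```

A short read (0 to 8 bytes against a 9-byte header) produces the same wraparound as a failed read, which is why the check compares len against the header size rather than only against zero.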
