From 9b346513cc35c83da332c4b6ebd65b4674178a26 Mon Sep 17 00:00:00 2001 From: Bastien Nocera Date: Fri, 5 Jul 2024 10:57:38 +0200 Subject: [PATCH] tools/mesh: Fix integer overflow due to cast operation Error: INTEGER_OVERFLOW (CWE-190): [#def29] [important] tools/mesh/mesh-db.c:551:3: cast_overflow: Truncation due to cast operation on "ele_cnt" from 32 to 8 bits. tools/mesh/mesh-db.c:551:3: overflow_sink: "ele_cnt", which might have overflowed, is passed to "remote_add_node((uint8_t const *)uuid, unicast, ele_cnt, key_idx)". 549| continue; 550| 551|-> remote_add_node((const uint8_t *)uuid, unicast, ele_cnt, 552| key_idx); 553| for (j = 1; j < key_cnt; j++) { --- tools/mesh/mesh-db.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tools/mesh/mesh-db.c b/tools/mesh/mesh-db.c index 1d047691d..fb9c436d1 100644 --- a/tools/mesh/mesh-db.c +++ b/tools/mesh/mesh-db.c @@ -503,7 +503,8 @@ static void load_remotes(json_object *jcfg) uint8_t uuid[16]; uint16_t unicast, key_idx; const char *str; - int ele_cnt, key_cnt; + uint8_t ele_cnt; + int key_cnt; int j; jnode = json_object_array_get_idx(jnodes, i); @@ -528,14 +529,13 @@ static void load_remotes(json_object *jcfg) continue; json_object_object_get_ex(jnode, "elements", &jarray); - if (!jarray || json_object_get_type(jarray) != json_type_array) + if (!jarray || + json_object_get_type(jarray) != json_type_array || + json_object_array_length(jarray) > MAX_ELE_COUNT) continue; ele_cnt = json_object_array_length(jarray); - if (ele_cnt > MAX_ELE_COUNT) - continue; - json_object_object_get_ex(jnode, "netKeys", &jarray); if (!jarray || json_object_get_type(jarray) != json_type_array) continue; -- 2.47.3