Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP1:GA
xen.10697
CVE-2018-19665-qemut-Integer-overflow-in-Blueto...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2018-19665-qemut-Integer-overflow-in-Bluetooth-routines-allows-memory-corruption.patch of Package xen.10697
The length parameter values are not negative, thus use an unsigned type 'size_t' for them. Many routines pass 'len' values to memcpy(3) calls. If it was negative, it could lead to memory corruption issues. Reported-by: Arash TC <address@hidden> Signed-off-by: Prasad J Pandit <address@hidden> --- bt-host.c | 6 ++--- bt-vhci.c | 4 +-- hw/bt/core.c | 2 +- hw/bt/hci-csr.c | 16 ++++++------ hw/bt/hci.c | 38 ++++++++++++++-------------- hw/bt/hid.c | 8 +++--- hw/bt/l2cap.c | 56 ++++++++++++++++++++++-------------------- hw/bt/sdp.c | 6 ++--- hw/usb/dev-bluetooth.c | 6 ++--- include/hw/bt.h | 8 +++--- include/sysemu/bt.h | 10 ++++---- 11 files changed, 81 insertions(+), 79 deletions(-) This change is similar to -> https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg02402.html Index: xen-4.4.4-testing/tools/qemu-xen-traditional-dir-remote/bt-host.c =================================================================== --- xen-4.4.4-testing.orig/tools/qemu-xen-traditional-dir-remote/bt-host.c +++ xen-4.4.4-testing/tools/qemu-xen-traditional-dir-remote/bt-host.c @@ -69,17 +69,17 @@ static void bt_host_send(struct HCIInfo } } -static void bt_host_cmd(struct HCIInfo *hci, const uint8_t *data, int len) +static void bt_host_cmd(struct HCIInfo *hci, const uint8_t *data, size_t len) { bt_host_send(hci, HCI_COMMAND_PKT, data, len); } -static void bt_host_acl(struct HCIInfo *hci, const uint8_t *data, int len) +static void bt_host_acl(struct HCIInfo *hci, const uint8_t *data, size_t len) { bt_host_send(hci, HCI_ACLDATA_PKT, data, len); } -static void bt_host_sco(struct HCIInfo *hci, const uint8_t *data, int len) +static void bt_host_sco(struct HCIInfo *hci, const uint8_t *data, size_t len) { bt_host_send(hci, HCI_SCODATA_PKT, data, len); } Index: xen-4.4.4-testing/tools/qemu-xen-traditional-dir-remote/bt-vhci.c =================================================================== --- xen-4.4.4-testing.orig/tools/qemu-xen-traditional-dir-remote/bt-vhci.c +++ xen-4.4.4-testing/tools/qemu-xen-traditional-dir-remote/bt-vhci.c @@ -126,13 +126,13 @@ static void vhci_host_send(void *opaque, } static void vhci_out_hci_packet_event(void *opaque, - const uint8_t *data, int len) + const uint8_t *data, size_t len) { vhci_host_send(opaque, HCI_EVENT_PKT, data, len); } static void vhci_out_hci_packet_acl(void *opaque, - const uint8_t *data, int len) + const uint8_t *data, size_t len) { vhci_host_send(opaque, HCI_ACLDATA_PKT, data, len); } Index: xen-4.4.4-testing/tools/qemu-xen-traditional-dir-remote/hw/bt.c =================================================================== --- xen-4.4.4-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/bt.c +++ xen-4.4.4-testing/tools/qemu-xen-traditional-dir-remote/hw/bt.c @@ -46,7 +46,7 @@ static void bt_dummy_lmp_disconnect_mast } static void bt_dummy_lmp_acl_resp(struct bt_link_s *link, - const uint8_t *data, int start, int len) + const uint8_t *data, int start, size_t len) { fprintf(stderr, "%s: stray ACL response PDU, fixme\n", __FUNCTION__); exit(-1); Index: xen-4.4.4-testing/tools/qemu-xen-traditional-dir-remote/hw/bt-hci-csr.c =================================================================== --- xen-4.4.4-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/bt-hci-csr.c +++ xen-4.4.4-testing/tools/qemu-xen-traditional-dir-remote/hw/bt-hci-csr.c @@ -93,7 +93,7 @@ static inline void csrhci_fifo_wake(stru } #define csrhci_out_packetz(s, len) memset(csrhci_out_packet(s, len), 0, len) -static uint8_t *csrhci_out_packet(struct csrhci_s *s, int len) +static uint8_t *csrhci_out_packet(struct csrhci_s *s, size_t len) { int off = s->out_start + s->out_len; @@ -102,14 +102,14 @@ static uint8_t *csrhci_out_packet(struct if (off < FIFO_LEN) { if (off + len > FIFO_LEN && (s->out_size = off + len) > FIFO_LEN * 2) { - fprintf(stderr, "%s: can't alloc %i bytes\n", __FUNCTION__, len); + fprintf(stderr, "%s: can't alloc %zu bytes\n", __FUNCTION__, len); exit(-1); } return s->outfifo + off; } if (s->out_len > s->out_size) { - fprintf(stderr, "%s: can't alloc %i bytes\n", __FUNCTION__, len); + fprintf(stderr, "%s: can't alloc %zu bytes\n", __FUNCTION__, len); exit(-1); } @@ -117,7 +117,7 @@ static uint8_t *csrhci_out_packet(struct } static inline uint8_t *csrhci_out_packet_csr(struct csrhci_s *s, - int type, int len) + int type, size_t len) { uint8_t *ret = csrhci_out_packetz(s, len + 2); @@ -128,7 +128,7 @@ static inline uint8_t *csrhci_out_packet } static inline uint8_t *csrhci_out_packet_event(struct csrhci_s *s, - int evt, int len) + int evt, size_t len) { uint8_t *ret = csrhci_out_packetz(s, len + 1 + sizeof(struct hci_event_hdr)); @@ -141,7 +141,7 @@ static inline uint8_t *csrhci_out_packet } static void csrhci_in_packet_vendor(struct csrhci_s *s, int ocf, - uint8_t *data, int len) + uint8_t *data, size_t len) { int offset; uint8_t *rpkt; @@ -331,7 +331,7 @@ static int csrhci_write(struct CharDrive } static void csrhci_out_hci_packet_event(void *opaque, - const uint8_t *data, int len) + const uint8_t *data, size_t len) { struct csrhci_s *s = (struct csrhci_s *) opaque; uint8_t *pkt = csrhci_out_packet(s, (len + 2) & ~1); /* Align */ @@ -343,7 +343,7 @@ static void csrhci_out_hci_packet_event( } static void csrhci_out_hci_packet_acl(void *opaque, - const uint8_t *data, int len) + const uint8_t *data, size_t len) { struct csrhci_s *s = (struct csrhci_s *) opaque; uint8_t *pkt = csrhci_out_packet(s, (len + 2) & ~1); /* Align */ Index: xen-4.4.4-testing/tools/qemu-xen-traditional-dir-remote/hw/bt-hci.c =================================================================== --- xen-4.4.4-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/bt-hci.c +++ xen-4.4.4-testing/tools/qemu-xen-traditional-dir-remote/hw/bt-hci.c @@ -28,7 +28,7 @@ struct bt_hci_s { uint8_t *(*evt_packet)(void *opaque); - void (*evt_submit)(void *opaque, int len); + void (*evt_submit)(void *opaque, size_t len); void *opaque; uint8_t evt_buf[256]; @@ -58,7 +58,7 @@ struct bt_hci_s { struct bt_hci_master_link_s { struct bt_link_s *link; void (*lmp_acl_data)(struct bt_link_s *link, - const uint8_t *data, int start, int len); + const uint8_t *data, int start, size_t len); QEMUTimer *acl_mode_timer; } handle[HCI_HANDLES_MAX]; uint32_t role_bmp; @@ -432,13 +432,13 @@ static const uint8_t bt_event_reserved_m }; static inline uint8_t *bt_hci_event_start(struct bt_hci_s *hci, - int evt, int len) + int evt, size_t len) { uint8_t *packet, mask; int mask_byte; if (len > 255) { - fprintf(stderr, "%s: HCI event params too long (%ib)\n", + fprintf(stderr, "%s: HCI event params too long (%zub)\n", __FUNCTION__, len); exit(-1); } @@ -456,7 +456,7 @@ static inline uint8_t *bt_hci_event_star } static inline void bt_hci_event(struct bt_hci_s *hci, int evt, - void *params, int len) + void *params, size_t len) { uint8_t *packet = bt_hci_event_start(hci, evt, len); @@ -481,7 +481,7 @@ static inline void bt_hci_event_status(s } static inline void bt_hci_event_complete(struct bt_hci_s *hci, - void *ret, int len) + void *ret, size_t len) { uint8_t *packet = bt_hci_event_start(hci, EVT_CMD_COMPLETE, len + EVT_CMD_COMPLETE_SIZE); @@ -1460,7 +1460,7 @@ static inline void bt_hci_event_num_comp } static void bt_submit_hci(struct HCIInfo *info, - const uint8_t *data, int length) + const uint8_t *data, size_t length) { struct bt_hci_s *hci = hci_from_info(info); uint16_t cmd; @@ -1955,7 +1955,7 @@ static void bt_submit_hci(struct HCIInfo break; short_hci: - fprintf(stderr, "%s: HCI packet too short (%iB)\n", + fprintf(stderr, "%s: HCI packet too short (%zuB)\n", __FUNCTION__, length); bt_hci_event_status(hci, HCI_INVALID_PARAMETERS); break; @@ -1967,7 +1967,7 @@ static void bt_submit_hci(struct HCIInfo * know that a packet contained the last fragment of the SDU when the next * SDU starts. */ static inline void bt_hci_lmp_acl_data(struct bt_hci_s *hci, uint16_t handle, - const uint8_t *data, int start, int len) + const uint8_t *data, int start, size_t len) { struct hci_acl_hdr *pkt = (void *) hci->acl_buf; @@ -1975,7 +1975,7 @@ static inline void bt_hci_lmp_acl_data(s /* TODO: avoid memcpy'ing */ if (len + HCI_ACL_HDR_SIZE > sizeof(hci->acl_buf)) { - fprintf(stderr, "%s: can't take ACL packets %i bytes long\n", + fprintf(stderr, "%s: can't take ACL packets %zu bytes long\n", __FUNCTION__, len); return; } @@ -1989,7 +1989,7 @@ static inline void bt_hci_lmp_acl_data(s } static void bt_hci_lmp_acl_data_slave(struct bt_link_s *btlink, - const uint8_t *data, int start, int len) + const uint8_t *data, int start, size_t len) { struct bt_hci_link_s *link = (struct bt_hci_link_s *) btlink; @@ -1998,14 +1998,14 @@ static void bt_hci_lmp_acl_data_slave(st } static void bt_hci_lmp_acl_data_host(struct bt_link_s *link, - const uint8_t *data, int start, int len) + const uint8_t *data, int start, size_t len) { bt_hci_lmp_acl_data(hci_from_device(link->host), link->handle, data, start, len); } static void bt_submit_acl(struct HCIInfo *info, - const uint8_t *data, int length) + const uint8_t *data, size_t length) { struct bt_hci_s *hci = hci_from_info(info); uint16_t handle; @@ -2013,7 +2013,7 @@ static void bt_submit_acl(struct HCIInfo struct bt_link_s *link; if (length < HCI_ACL_HDR_SIZE) { - fprintf(stderr, "%s: ACL packet too short (%iB)\n", + fprintf(stderr, "%s: ACL packet too short (%zuB)\n", __FUNCTION__, length); return; } @@ -2033,7 +2033,7 @@ static void bt_submit_acl(struct HCIInfo handle &= ~HCI_HANDLE_OFFSET; if (datalen > length) { - fprintf(stderr, "%s: ACL packet too short (%iB < %iB)\n", + fprintf(stderr, "%s: ACL packet too short (%zuB < %iB)\n", __FUNCTION__, length, datalen); return; } @@ -2075,7 +2075,7 @@ static void bt_submit_acl(struct HCIInfo } static void bt_submit_sco(struct HCIInfo *info, - const uint8_t *data, int length) + const uint8_t *data, size_t length) { struct bt_hci_s *hci = hci_from_info(info); struct bt_link_s *link; @@ -2098,7 +2098,7 @@ static void bt_submit_sco(struct HCIInfo handle &= ~HCI_HANDLE_OFFSET; if (datalen > length) { - fprintf(stderr, "%s: SCO packet too short (%iB < %iB)\n", + fprintf(stderr, "%s: SCO packet too short (%zuB < %iB)\n", __FUNCTION__, length, datalen); return; } @@ -2120,7 +2120,7 @@ static uint8_t *bt_hci_evt_packet(void * return s->evt_buf; } -static void bt_hci_evt_submit(void *opaque, int len) +static void bt_hci_evt_submit(void *opaque, size_t len) { /* TODO: notify upper layer */ struct bt_hci_s *s = opaque; Index: xen-4.4.4-testing/tools/qemu-xen-traditional-dir-remote/hw/bt-hid.c =================================================================== --- xen-4.4.4-testing.orig/tools/qemu-xen-traditional-dir-remote/hw/bt-hid.c +++ xen-4.4.4-testing/tools/qemu-xen-traditional-dir-remote/hw/bt-hid.c @@ -180,7 +180,7 @@ static void bt_hid_disconnect(struct bt_ } static void bt_hid_send_data(struct bt_l2cap_conn_params_s *ch, int type, - const uint8_t *data, int len) + const uint8_t *data, size_t len) { uint8_t *pkt, hdr = (BT_DATA << 4) | type; int plen; @@ -201,7 +201,7 @@ static void bt_hid_send_data(struct bt_l } static void bt_hid_control_transaction(struct bt_hid_device_s *s, - const uint8_t *data, int len) + const uint8_t *data, size_t len) { uint8_t type, parameter; int rlen, ret = -1; @@ -378,7 +378,7 @@ static void bt_hid_control_transaction(s bt_hid_send_handshake(s, ret); } -static void bt_hid_control_sdu(void *opaque, const uint8_t *data, int len) +static void bt_hid_control_sdu(void *opaque, const uint8_t *data, size_t len) { struct bt_hid_device_s *hid = opaque; @@ -403,7 +403,7 @@ static void bt_hid_datain(void *opaque) hid->datain.buffer, hid->datain.len); } -static void bt_hid_interrupt_sdu(void *opaque, const uint8_t *data, int len) +static void bt_hid_interrupt_sdu(void *opaque, const uint8_t *data, size_t len) { struct bt_hid_device_s *hid = opaque; Index: xen-4.4.4-testing/tools/qemu-xen-traditional-dir-remote/vl.c =================================================================== --- xen-4.4.4-testing.orig/tools/qemu-xen-traditional-dir-remote/vl.c +++ xen-4.4.4-testing/tools/qemu-xen-traditional-dir-remote/vl.c @@ -2027,7 +2027,7 @@ static struct bt_scatternet_s *qemu_find return &vlan->net; } -static void null_hci_send(struct HCIInfo *hci, const uint8_t *data, int len) +static void null_hci_send(struct HCIInfo *hci, const uint8_t *data, size_t len) { }
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
