From: Pauli Virtanen <pav@iki.fi>
To: Bastien Nocera <hadess@hadess.net>
Cc: linux-bluetooth@vger.kernel.org
Subject: Re: seid structure in profiles/audio/avdtp.c
Date: Thu, 16 May 2024 19:00:04 +0300
Message-ID: <99abd5269d6b72f391b39cec2c5f608654995beb.camel@iki.fi>
In-Reply-To: <78e4c9a65b6e7509a1f743f945270568a8548f26.camel@hadess.net>
Hi,
On Thu, 2024-05-16 at 11:13 +0200, Bastien Nocera wrote:
> I was looking at the code in profiles/audio/avdtp.c surrounding those
> static analyser warnings, and couldn't understand how the seid arrays
> were constructed.
>
> There's similar code in android/ which might also need fixing.
>
> I could only find the code that assigned ".first_seid", nothing about
> how the rest of the structure is allocated and assigned.
These structs are from AVDTP spec, see e.g. §8.13 for Start Stream
Command <-> struct start_req.
IIUC, they're actually arrays of struct seid, but the first element is
defined as a separate field. I guess the static checker chokes on that,
and not sure right now if this is even strictly allowed in C.
The structures are allocated in send_request() for the outgoing
messages and the bounds checking is via req->data_size. For incoming
messages they're raw message data from the remote device.
> Cheers
>
> PS: Please CC: on the answer, as I'm not subscribed to the list
>
> Error: ARRAY_VS_SINGLETON (CWE-119): [#def29] [important]
> bluez-5.75/profiles/audio/avdtp.c:1675:2: address_of: Taking address with "&start->first_seid" yields a singleton pointer.
> bluez-5.75/profiles/audio/avdtp.c:1675:2: assign: Assigning: "seid" = "&start->first_seid".
> bluez-5.75/profiles/audio/avdtp.c:1679:25: ptr_arith: Using "seid" as an array. This might corrupt or misinterpret adjacent memory locations.
> # 1677| int i;
> # 1678|
> # 1679|-> for (i = 0; i < count; i++, seid++) {
> # 1680| if (seid->seid == id) {
> # 1681| req->collided = TRUE;
>
> Error: ARRAY_VS_SINGLETON (CWE-119): [#def30] [important]
> bluez-5.75/profiles/audio/avdtp.c:1690:2: address_of: Taking address with "&suspend->first_seid" yields a singleton pointer.
> bluez-5.75/profiles/audio/avdtp.c:1690:2: assign: Assigning: "seid" = "&suspend->first_seid".
> bluez-5.75/profiles/audio/avdtp.c:1694:25: ptr_arith: Using "seid" as an array. This might corrupt or misinterpret adjacent memory locations.
> # 1692| int i;
> # 1693|
> # 1694|-> for (i = 0; i < count; i++, seid++) {
> # 1695| if (seid->seid == id) {
> # 1696| req->collided = TRUE;
>
> Error: ARRAY_VS_SINGLETON (CWE-119): [#def31] [important]
> bluez-5.75/profiles/audio/avdtp.c:1799:2: address_of: Taking address with "&req->first_seid" yields a singleton pointer.
> bluez-5.75/profiles/audio/avdtp.c:1799:2: assign: Assigning: "seid" = "&req->first_seid".
> bluez-5.75/profiles/audio/avdtp.c:1801:30: ptr_arith: Using "seid" as an array. This might corrupt or misinterpret adjacent memory locations.
> # 1799| seid = &req->first_seid;
> # 1800|
> # 1801|-> for (i = 0; i < seid_count; i++, seid++) {
> # 1802| failed_seid = seid->seid;
> # 1803|
>
> Error: ARRAY_VS_SINGLETON (CWE-119): [#def32] [important]
> bluez-5.75/profiles/audio/avdtp.c:1912:2: address_of: Taking address with "&req->first_seid" yields a singleton pointer.
> bluez-5.75/profiles/audio/avdtp.c:1912:2: assign: Assigning: "seid" = "&req->first_seid".
> bluez-5.75/profiles/audio/avdtp.c:1914:30: ptr_arith: Using "seid" as an array. This might corrupt or misinterpret adjacent memory locations.
> # 1912| seid = &req->first_seid;
> # 1913|
> # 1914|-> for (i = 0; i < seid_count; i++, seid++) {
> # 1915| failed_seid = seid->seid;
> # 1916|
--
Pauli Virtanen
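As an added example (not bluez's own code, which this thread does not quote), the same first_seid-plus-trailing-elements layout written with an explicit flexible array member and walked under the data_size bound the reply describes. The struct names, the accessor names and the AVDTP octet packing (6-bit SEID above a 2-bit RFA) are assumptions taken from the spec section cited above, not from avdtp.c.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed, simplified layout of the AVDTP Start Stream command payload
 * (spec §8.13): a run of ACP SEID octets, each packing a 6-bit SEID in the
 * high bits and a 2-bit RFA in the low bits.  Shifts are used instead of
 * bit-fields so the layout does not depend on the compiler. */
struct seid {
	uint8_t octet;
};

/* As in the thread, the first SEID is a named field and the others follow
 * it in memory; making "the others" an explicit flexible array member gives
 * the compiler and the analyser a real array to index. */
struct start_req {
	struct seid first_seid;
	struct seid other_seids[];
};

static uint8_t seid_value(const struct seid *s)
{
	return s->octet >> 2;	/* drop the two RFA bits */
}

/* Number of SEIDs a payload of data_size bytes can hold; for an incoming
 * message data_size is the only trustworthy bound. */
size_t start_req_seid_count(size_t data_size)
{
	return data_size / sizeof(struct seid);
}

/* The i-th SEID without stepping a pointer past &first_seid: index 0 is
 * the named field, every later index lands inside the flexible array. */
static const struct seid *start_req_seid_at(const struct start_req *req, size_t i)
{
	return i == 0 ? &req->first_seid : &req->other_seids[i - 1];
}

/* Search an incoming (untrusted) payload for `id`, visiting only the
 * elements that data_size proves are present. */
bool start_req_has_seid(const uint8_t *data, size_t data_size, uint8_t id)
{
	const struct start_req *req = (const struct start_req *)data;
	size_t count = start_req_seid_count(data_size);

	for (size_t i = 0; i < count; i++)
		if (seid_value(start_req_seid_at(req, i)) == id)
			return true;
	return false;
}

/* Constructed sample payload: SEIDs 1, 3 and 5 (0x15 has an RFA bit set). */
const uint8_t sample_start_payload[] = { 0x04, 0x0C, 0x15 };
```

Passing a data_size shorter than the buffer (a truncated request) simply shortens the walk, which is the behaviour a parser of remote data should have.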