From: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
To: Gopal Tiwari <gopalkrishna.tiwari@gmail.com>
Cc: "linux-bluetooth@vger.kernel.org"
<linux-bluetooth@vger.kernel.org>,
Gopal Tiwari <gtiwari@redhat.com>
Subject: Re: [Bluez V2 10/13] Fixing use after free in src/device.c
Date: Tue, 31 May 2022 13:22:55 -0700 [thread overview]
Message-ID: <CABBYNZJqnj0x-7wheW8WG9p6oP2DqLh9PBuoqT6K0QmhW5g5uw@mail.gmail.com> (raw)
In-Reply-To: <20220531074117.610321-11-gopalkrishna.tiwari@gmail.com>
Hi Gopal,
On Tue, May 31, 2022 at 12:42 AM Gopal Tiwari
<gopalkrishna.tiwari@gmail.com> wrote:
>
> From: Gopal Tiwari <gtiwari@redhat.com>
>
> Following traces reported by covirty tool
>
> Error: USE_AFTER_FREE (CWE-416):
> bluez-5.64/src/device.c:2962: path: Condition
> "!dbus_message_get_args(msg, NULL, 0 /* (int)0 */)", taking false branch.
>
> bluez-5.64/src/device.c:2965: path:
> Condition "device->bonding", taking false branch.
>
> bluez-5.64/src/device.c:2968: path:
> Condition "device->bredr_state.bonded", taking true branch.
>
> bluez-5.64/src/device.c:2969: path: Falling through to end of
> if statement.
>
> bluez-5.64/src/device.c:2977: path: Condition "state->bonded",
> taking false branch.
>
> bluez-5.64/src/device.c:2983: path: Condition "agent", taking
> true branch.
>
> bluez-5.64/src/device.c:2984: path: Falling through to end of
> if statement.
>
> bluez-5.64/src/device.c:2990: path: Condition "agent", taking
> true branch.
>
> bluez-5.64/src/device.c:3005: path: Condition "bdaddr_type != 0",
> taking true branch.
>
> bluez-5.64/src/device.c:3006: path:
>
> Condition "!state->connected", taking true branch.
>
> bluez-5.64/src/device.c:3006: path:
> Condition "btd_le_connect_before_pairing()", taking true branch.
> bluez-5.64/src/device.c:3007: freed_arg: "device_connect_le" frees
> "device->bonding".
>
> bluez-5.64/src/device.c:3007: path: Falling through to end of
> if statement.
>
> bluez-5.64/src/device.c:3012: path: Falling through to end of
> if statement.
>
> bluez-5.64/src/device.c:3017: path: Condition "err < 0",
> taking true branch.
>
> bluez-5.64/src/device.c:3018: double_free: Calling "bonding_request_free"
> frees pointer "device->bonding" which has already been freed.
>
> Signed-off-by: Gopal Tiwari <gtiwari@redhat.com>
> ---
> src/device.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/src/device.c b/src/device.c
> index 8dc12d026..a0e5d40db 100644
> --- a/src/device.c
> +++ b/src/device.c
> @@ -2942,6 +2942,7 @@ static void bonding_request_free(struct bonding_req *bonding)
> bonding->device->bonding = NULL;
>
> g_free(bonding);
> + bonding = NULL;
I don't think this fixes anything really, since bonding variable goes
out of scope this won't change anything, in fact this seems to be a
false positive since device->bonding shall be set to NULL in the if
statement just above any other call to bonding_request_free will bail
out when checking !bonding, it would be a problem if and only if the
code was using bonding pointer directly instead of device->bonding
with bonding_request_free.
> }
>
> static DBusMessage *pair_device(DBusConnection *conn, DBusMessage *msg,
> --
> 2.26.2
>
--
Luiz Augusto von Dentz
next prev parent reply other threads:[~2022-05-31 20:23 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-05-31 7:41 [Bluez 00/13] Fixing memory leak, leaked_handle and use_after Gopal Tiwari
2022-05-31 7:41 ` [Bluez V2 01/13] Fixing memory leak issue in gatt.c Gopal Tiwari
2022-05-31 7:41 ` [Bluez V2 02/13] Fixing memory leakage in appkey.c Gopal Tiwari
2022-05-31 7:41 ` [Bluez V2 03/13] Fixing memory leak in jlink.c Gopal Tiwari
2022-05-31 7:41 ` [Bluez V2 04/13] Fixing memory leak in sixaxis.c Gopal Tiwari
2022-05-31 7:41 ` [Bluez V2 05/13] Fixing leaked_handle in cltest.c Gopal Tiwari
2022-05-31 7:41 ` [Bluez V2 06/13] Fixing leaked_handle in create-image.c Gopal Tiwari
2022-05-31 7:41 ` [Bluez V2 07/13] Fixing leaked_handle in l2cap-tester.c Gopal Tiwari
2022-05-31 7:41 ` [Bluez V2 08/13] Fixing resource leak in mesh/mesh-db.c Gopal Tiwari
2022-05-31 7:41 ` [Bluez V2 09/13] Fixing leaked_handle in obex-client-tool.c Gopal Tiwari
2022-05-31 7:41 ` [Bluez V2 10/13] Fixing use after free in src/device.c Gopal Tiwari
2022-05-31 20:22 ` Luiz Augusto von Dentz [this message]
2022-05-31 7:41 ` [Bluez V2 11/13] Fixing memory leak in pbap.c Gopal Tiwari
2022-05-31 7:41 ` [Bluez V2 12/13] Fixing possible use_after_free in meshctl.c Gopal Tiwari
2022-05-31 7:41 ` [Bluez V2 13/13] Fixing use_after_free in prov-db.c Gopal Tiwari
2022-05-31 20:30 ` [Bluez 00/13] Fixing memory leak, leaked_handle and use_after patchwork-bot+bluetooth
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CABBYNZJqnj0x-7wheW8WG9p6oP2DqLh9PBuoqT6K0QmhW5g5uw@mail.gmail.com \
--to=luiz.dentz@gmail.com \
--cc=gopalkrishna.tiwari@gmail.com \
--cc=gtiwari@redhat.com \
--cc=linux-bluetooth@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.