Fixes for problems found with coverity analyzer
- fixed UNINITIALIZED variable (hdl) in bta_hh_act.c :220
- fixed possible RESOURCE LEAK in btif_config_util.cpp in relation to open_file_map() if file is fd size=0
- fixed possible RESOURCE LEAK in create_socket_server() in uipc:196 (s not closed)
- fixed possible OVERRUN in l2c_csm.c, (l2c_csm_config), array "l2cb.fixed_reg" of 4 20-byte elements at element index 60 (byte offset 1200) using index "p_ccb->local_cid - 3" (which evaluates to 60)
- fixed possible OVERRUN in btm_pm.c, (btm_pm_reset) array "btm_cb.acl_db" of 7 288-byte elements at element index 7 (byte offset 2016) using index "btm_cb.pm_pend_link" (which evaluates to 7).
- fixed possible OVERRUN in btif_storage.c, (btif_storage_add_device_to_autopair_blacklist) array "input_value" of 20 bytes by passing it to a function which accesses it at byte offset 20 using argument "20U".
patch set 2:
- fixed {}
Patch set 3:
- fixed review comment in stack/btm/btm_pm.c:379
bug: 10777562
Change-Id: I2a6d57f93acaaf9b25c49a6a29cb60d0e1e3c5d8
diff --git a/bta/dm/bta_dm_act.c b/bta/dm/bta_dm_act.c
index 829c986..46d73b3 100755
--- a/bta/dm/bta_dm_act.c
+++ b/bta/dm/bta_dm_act.c
@@ -839,14 +839,14 @@
if (bta_dm_cb.p_sec_cback && (status != BTM_CMD_STARTED))
{
- p_name = BTM_SecReadDevName(p_data->bond.bd_addr);
- if (!p_name)
- p_name = "";
-
memset(&sec_event, 0, sizeof(tBTA_DM_SEC));
bdcpy(sec_event.auth_cmpl.bd_addr, p_data->bond.bd_addr);
- memcpy(sec_event.auth_cmpl.bd_name, p_name, (BD_NAME_LEN-1));
- sec_event.auth_cmpl.bd_name[BD_NAME_LEN-1] = 0;
+ p_name = BTM_SecReadDevName(p_data->bond.bd_addr);
+ if (p_name != NULL)
+ {
+ memcpy(sec_event.auth_cmpl.bd_name, p_name, (BD_NAME_LEN-1));
+ sec_event.auth_cmpl.bd_name[BD_NAME_LEN-1] = 0;
+ }
/* taken care of by memset [above]
sec_event.auth_cmpl.key_present = FALSE;
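Review bot: The memcpy at L32 still copies a fixed BD_NAME_LEN-1 bytes from p_name regardless of the string's actual length, so it is in bounds only if BTM_SecReadDevName() returns a pointer into a buffer of at least BD_NAME_LEN bytes; that assumption should be stated, e.g. `/* BTM_SecReadDevName() returns a BD_NAME_LEN-sized buffer, so a fixed-length copy stays in bounds */`, or the copy replaced with `strncpy((char *)sec_event.auth_cmpl.bd_name, (const char *)p_name, BD_NAME_LEN-1);` which stops at the terminator. Because the memset at L25 already zeroes bd_name, the terminator store on L33 is only needed to cover a non-terminated run copied by memcpy; with strncpy it would be redundant. The enclosing function starts and ends outside the hunk.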
diff --git a/bta/hh/bta_hh_act.c b/bta/hh/bta_hh_act.c
index 1c83d07..8ee60c6 100644
--- a/bta/hh/bta_hh_act.c
+++ b/bta/hh/bta_hh_act.c
@@ -221,6 +221,10 @@
{
p_cb->app_id = 0;
}
+ }
+ else
+ {
+ hdl = p_cb->hid_handle;
}
/* else : incoming connection after SDP should update the SDP information as well */
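Review bot: The else branch added at L46-L48 silences the uninitialized-variable report for this one if/else only; initializing `hdl` at its declaration would remove the whole class of paths that can leave it unset, and since the declaration is outside the hunk I cannot see whether that is already done. The comment at L50, `/* else : incoming connection after SDP ... */`, now sits directly after a real else block and reads as if it documented that block; it should be moved or reworded so a reader is not misled about which branch it describes. The enclosing function continues on both sides of the hunk.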
diff --git a/btif/src/btif_config_util.cpp b/btif/src/btif_config_util.cpp
index 885f5c2..0cc2b36 100644
--- a/btif/src/btif_config_util.cpp
+++ b/btif/src/btif_config_util.cpp
@@ -470,6 +470,8 @@
{
error("open_file_map fail, fd:%d, path:%s, size:%d", fd, path, size);
//debug("out");
+ if (fd >= 0)
+ close(fd);
return FALSE;
}
//get local bt device name from bluez config
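Review bot: The close(fd) added at L59-L60 assumes open_file_map() leaves the descriptor open when it fails; if that helper ever closes fd itself on an error path this becomes a double close, which in a multithreaded process can close an unrelated descriptor opened in between. Worth confirming against open_file_map and recording the ownership rule next to the call, e.g. `// open_file_map() does not take ownership of fd on failure; the caller closes it`. The identical block is repeated in the hunks at 539 and 597; a single static cleanup helper or a shared error label would avoid three copies that must stay in sync. The enclosing functions start outside each hunk.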
@@ -539,6 +541,8 @@
{
error("open_file_map fail, fd:%d, path:%s, size:%d", fd, path, size);
//debug("out");
+ if (fd >= 0)
+ close(fd);
return FALSE;
}
int line_size = 0;
@@ -597,6 +601,8 @@
{
error("open_file_map fail, fd:%d, path:%s, size:%d", fd, path, size);
//debug("out");
+ if (fd >= 0)
+ close(fd);
return FALSE;
}
int pos = 0;
diff --git a/btif/src/btif_storage.c b/btif/src/btif_storage.c
index 9ac12eb..644fd1c 100644
--- a/btif/src/btif_storage.c
+++ b/btif/src/btif_storage.c
@@ -1684,8 +1684,9 @@
char input_value [20];
bd2str(remote_bd_addr, &bdstr);
- strncpy(input_value, (char*)bdstr, 20);
- strncat(input_value,BTIF_AUTO_PAIR_CONF_VALUE_SEPARATOR, 20);
+ strlcpy(input_value, (char*)bdstr, sizeof(input_value));
+ strlcat(input_value,BTIF_AUTO_PAIR_CONF_VALUE_SEPARATOR, sizeof(input_value));
+
int line_size = sizeof(linebuf);
if(btif_config_get_str("Local", BTIF_STORAGE_PATH_AUTOPAIR_BLACKLIST,
BTIF_STORAGE_KEY_AUTOPAIR_DYNAMIC_BLACKLIST_ADDR, linebuf, &line_size))
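Review bot: strlcat at L92 truncates silently when bdstr plus BTIF_AUTO_PAIR_CONF_VALUE_SEPARATOR does not fit in the 20-byte input_value, and a truncated value would then be compared or stored unnoticed. Both functions return the length they tried to build, so truncation can be detected: `if (strlcat(input_value, BTIF_AUTO_PAIR_CONF_VALUE_SEPARATOR, sizeof(input_value)) >= sizeof(input_value)) { /* truncated: log and bail out */ }`. If bd2str produces the usual 17-character colon-separated form this only bites when the separator is longer than two characters, but the literal 20 on L87 is a magic number that should be tied to the address-string length by a named constant. The enclosing function continues outside the hunk.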
diff --git a/stack/btm/btm_pm.c b/stack/btm/btm_pm.c
index 19b90d3..925e69f 100644
--- a/stack/btm/btm_pm.c
+++ b/stack/btm/btm_pm.c
@@ -369,8 +369,6 @@
cb = btm_cb.pm_reg_db[btm_cb.pm_pend_id].cback;
}
- /* no command pending */
- btm_cb.pm_pend_link = MAX_L2CAP_LINKS;
/* clear the register record */
for(xx=0; xx<BTM_MAX_PM_RECORDS; xx++)
@@ -378,8 +376,11 @@
btm_cb.pm_reg_db[xx].mask = BTM_PM_REC_NOT_USED;
}
- if(cb != NULL)
+ if(cb != NULL && btm_cb.pm_pend_link < MAX_L2CAP_LINKS)
(*cb)(btm_cb.acl_db[btm_cb.pm_pend_link].remote_addr, BTM_PM_STS_ERROR, BTM_DEV_RESET, 0);
+
+ /* no command pending */
+ btm_cb.pm_pend_link = MAX_L2CAP_LINKS;
}
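Review bot: With the guard at L112, a non-NULL cb is no longer called at all when pm_pend_link is already MAX_L2CAP_LINKS (no link pending), whereas before it was invoked with an out-of-range index; if the registered callback still needs to learn about the reset in that case it should be called with a different argument rather than skipped, and if skipping is intended a comment should say so, e.g. `/* no link pending: nothing to report to the registered callback */`. The check only bounds the upper end; if pm_pend_link is a signed type a negative value still indexes acl_db, so confirm its type or compare as unsigned. The enclosing function starts outside the hunk.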
/*******************************************************************************
diff --git a/stack/l2cap/l2c_csm.c b/stack/l2cap/l2c_csm.c
index 0d04d8a..4e24c23 100644
--- a/stack/l2cap/l2c_csm.c
+++ b/stack/l2cap/l2c_csm.c
@@ -892,14 +892,17 @@
case L2CEVT_L2CAP_DATA: /* Peer data packet rcvd */
L2CAP_TRACE_API1 ("L2CAP - Calling DataInd_Cb(), CID: 0x%04x", p_ccb->local_cid);
#if (L2CAP_NUM_FIXED_CHNLS > 0)
- if (p_ccb->local_cid < L2CAP_BASE_APPL_CID)
+ if (p_ccb->local_cid >= L2CAP_FIRST_FIXED_CHNL &&
+ p_ccb->local_cid <= L2CAP_LAST_FIXED_CHNL)
{
- if (l2cb.fixed_reg[p_ccb->local_cid - L2CAP_FIRST_FIXED_CHNL].pL2CA_FixedData_Cb)
- (*l2cb.fixed_reg[p_ccb->local_cid - L2CAP_FIRST_FIXED_CHNL].pL2CA_FixedData_Cb)(p_ccb->p_lcb->remote_bd_addr,(BT_HDR *)p_data);
- else
- GKI_freebuf (p_data);
-
+ if (p_ccb->local_cid < L2CAP_BASE_APPL_CID)
+ {
+ if (l2cb.fixed_reg[p_ccb->local_cid - L2CAP_FIRST_FIXED_CHNL].pL2CA_FixedData_Cb)
+ (*l2cb.fixed_reg[p_ccb->local_cid - L2CAP_FIRST_FIXED_CHNL].pL2CA_FixedData_Cb)(p_ccb->p_lcb->remote_bd_addr,(BT_HDR *)p_data);
+ else
+ GKI_freebuf (p_data);
break;
+ }
}
#endif
(*p_ccb->p_rcb->api.pL2CA_DataInd_Cb)(p_ccb->local_cid, (BT_HDR *)p_data);
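Review bot: The nested check at L136 (`p_ccb->local_cid < L2CAP_BASE_APPL_CID`) is redundant if L2CAP_LAST_FIXED_CHNL lies below L2CAP_BASE_APPL_CID, which the fixed-channel numbering suggests; folding the three comparisons into the single outer if at L128-L129 would remove a nesting level and leave one readable dispatch condition. The behavioural change worth documenting is that a CID below L2CAP_BASE_APPL_CID but outside the fixed range now falls through to the dynamic-channel callback at L146 instead of indexing fixed_reg out of bounds; that path dereferences p_ccb->p_rcb, which may not be set for a non-dynamic channel, so a comment such as `/* CIDs outside the fixed range are dispatched as dynamic channels; p_rcb must be valid here */` or an explicit NULL check on p_rcb would make the assumption visible. The enclosing switch and function continue outside the hunk.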
diff --git a/udrv/ulinux/uipc.c b/udrv/ulinux/uipc.c
index 1428c7d..846fa17 100644
--- a/udrv/ulinux/uipc.c
+++ b/udrv/ulinux/uipc.c
@@ -194,6 +194,7 @@
if(socket_local_server_bind(s, name, ANDROID_SOCKET_NAMESPACE_ABSTRACT) < 0)
{
BTIF_TRACE_EVENT1("socket failed to create (%s)", strerror(errno));
+ close(s);
return -1;
}
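Review bot: The close(s) at L155 releases the socket only on the bind failure; create_socket_server continues past the hunk, and any later failure exit (after a listen call, if one follows) needs the same release or the descriptor leaks again. A single error label ending in `close(s); return -1;` would keep every exit path consistent. strerror(errno) on L154 is evaluated before the close, so the logged errno is not clobbered by it.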