+-- On Sun, 21 Oct 2018, P J P wrote --+ | The length parameter values are not negative, thus use an unsigned | type 'size_t' for them. Many routines pass 'len' values to memcpy(3) | calls. If it was negative, it could lead to memory corruption issues. | Add check to avoid it. | | Reported-by: Arash TC <tohidi.ar...@gmail.com> | Signed-off-by: Prasad J Pandit <p...@fedoraproject.org> | --- | bt-host.c | 8 +++--- | bt-vhci.c | 7 +++--- | hw/bt/core.c | 2 +- | hw/bt/hci-csr.c | 20 +++++++-------- | hw/bt/hci.c | 38 ++++++++++++++-------------- | hw/bt/hid.c | 10 ++++---- | hw/bt/l2cap.c | 56 ++++++++++++++++++++++-------------------- | hw/bt/sdp.c | 6 ++--- | hw/usb/dev-bluetooth.c | 12 ++++----- | include/hw/bt.h | 8 +++--- | include/sysemu/bt.h | 10 ++++---- | 11 files changed, 90 insertions(+), 87 deletions(-) | | Update v1: add assert check in vhci_host_send. Also check other places wherein | length is used with fixed size buffers. | -> https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg03831.html
Ping...! -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F