+-- On Sat, 27 Oct 2018, P J P wrote --+ |+-- On Sun, 21 Oct 2018, P J P wrote --+ || The length parameter values are not negative, thus use an unsigned || type 'size_t' for them. Many routines pass 'len' values to memcpy(3) || calls. If it was negative, it could lead to memory corruption issues. || Add check to avoid it. || || Reported-by: Arash TC <tohidi.ar...@gmail.com> || Signed-off-by: Prasad J Pandit <p...@fedoraproject.org> || --- || bt-host.c | 8 +++--- || bt-vhci.c | 7 +++--- || hw/bt/core.c | 2 +- || hw/bt/hci-csr.c | 20 +++++++-------- || hw/bt/hci.c | 38 ++++++++++++++-------------- || hw/bt/hid.c | 10 ++++---- || hw/bt/l2cap.c | 56 ++++++++++++++++++++++-------------------- || hw/bt/sdp.c | 6 ++--- || hw/usb/dev-bluetooth.c | 12 ++++----- || include/hw/bt.h | 8 +++--- || include/sysemu/bt.h | 10 ++++---- || 11 files changed, 90 insertions(+), 87 deletions(-) || || Update v1: add assert check in vhci_host_send. Also check other places wherein || length is used with fixed size buffers. || -> https://lists.gnu.org/archive/html/qemu-devel/2018-10/msg03831.html | | Ping...!
Ping...! -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F