+-- On Mon, 19 Nov 2018, P J P wrote --+ | From: Prasad J Pandit <p...@fedoraproject.org> | | The length parameter values are not negative, thus use an unsigned | type 'size_t' for them. Many routines pass 'len' values to memcpy(3) | calls. If it was negative, it could lead to memory corruption issues. | Add check to avoid it. | | Reported-by: Arash TC <tohidi.ar...@gmail.com> | Signed-off-by: Prasad J Pandit <p...@fedoraproject.org> | --- | bt-host.c | 8 +++--- | bt-vhci.c | 7 +++--- | hw/bt/core.c | 2 +- | hw/bt/hci-csr.c | 32 ++++++++++++------------ | hw/bt/hci.c | 38 ++++++++++++++-------------- | hw/bt/hid.c | 10 ++++---- | hw/bt/l2cap.c | 56 ++++++++++++++++++++++-------------------- | hw/bt/sdp.c | 6 ++--- | hw/usb/dev-bluetooth.c | 12 ++++----- | include/hw/bt.h | 8 +++--- | include/sysemu/bt.h | 10 ++++---- | 11 files changed, 96 insertions(+), 93 deletions(-) | | Update v2: modify assert calls | -> https://lists.gnu.org/archive/html/qemu-devel/2018-11/msg01036.html |
Ping...! -- Prasad J Pandit / Red Hat Product Security Team 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
