tools: Limit width of fields in sscanf
authorIldar Kamaletdinov <i.kamaletdinov@omp.ru>
Fri, 1 Apr 2022 12:16:45 +0000 (15:16 +0300)
committerAyush Garg <ayush.garg@samsung.com>
Mon, 15 May 2023 09:25:54 +0000 (14:55 +0530)
In tools/btmgmt.c and tools/hex2hcd.c a few sscanf calls do not limit the
width of fields. This could lead to static overflow and stack corruption.

Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool.

Signed-off-by: Manika Shrivastava <manika.sh@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
tools/btmgmt.c
tools/hex2hcd.c

index 8697930..e01d245 100755 (executable)
@@ -5165,7 +5165,7 @@ static bool str2pattern(struct mgmt_adv_pattern *pattern, const char *str)
        char pattern_str[62] = { 0 };
        char tmp;
 
-       if (sscanf(str, "%2hhx%n:%2hhx%n:%s", &pattern->ad_type, &type_len,
+       if (sscanf(str, "%2hhx%n:%2hhx%n:%61s", &pattern->ad_type, &type_len,
                        &pattern->offset, &offset_end_pos, pattern_str) != 3)
                return false;
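Review bot: The width in `%61s` is a bare literal that has to stay equal to `sizeof(pattern_str) - 1`, and nothing ties it to `char pattern_str[62]`, so a later resize of the buffer would silently bring the overflow back or truncate more than intended. The same applies to `%19[A-Z0-9]` in the tools/hex2hcd.c hunk, where the size of `ver->name` is not visible next to the call at all. I would add a comment at each call, e.g. `/* field width must equal sizeof(pattern_str) - 1 */`, or, if the project's C level allows it, `_Static_assert(sizeof(pattern_str) == 62, "keep in sync with %61s");` after the declaration. An over-long pattern is now truncated and sscanf still returns 3; whether the rest of str2pattern, which continues outside this hunk, rejects that input cannot be seen here.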
 
index 288fe77..0e8a560 100755 (executable)
@@ -247,7 +247,7 @@ static void ver_parse_file(const char *pathname)
 
        memset(ver, 0, sizeof(*ver));
 
-       if (sscanf(pathname, "%[A-Z0-9]_%3c.%3c.%3c.%4c.%4c.hex",
+       if (sscanf(pathname, "%19[A-Z0-9]_%3c.%3c.%3c.%4c.%4c.hex",
                                        ver->name, ver->major, ver->minor,
                                        ver->build, dummy1, dummy2) != 6) {
                printf("\t/* failed to parse %s */\n", pathname);
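Review bot: The `%3c` and `%4c` conversions in this format store exactly that many bytes and never append a terminator, which deserves a comment because only the `ver` fields are covered by the `memset(ver, 0, sizeof(*ver))` above. `dummy1` and `dummy2` are declared outside the hunk, so it cannot be confirmed here that they hold at least 4 bytes and are never read as strings. Suggested comment above the call: `/* %Nc writes N bytes and no NUL; ver fields rely on the memset above */`. ver_parse_file continues past the end of this hunk.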