From fabfcc0082a204fb1fdf80c2c58b3d7ceccf3205 Mon Sep 17 00:00:00 2001
From: Ildar Kamaletdinov
Date: Fri, 1 Apr 2022 15:16:42 +0300
Subject: [PATCH] monitor: Fix out-of-bound read in print_le_states
Accessing le_states_desc_table array with value 15 can cause out-of-bound read because current size of array is 14. Currently this cannot lead to any problems becase we do no have such state in le_states_comb_table but this could be changed in future and raise described problem. Found by Linux Verification Center (linuxtesting.org) with the SVACE static analysis tool.
Signed-off-by: Manika Shrivastava
Signed-off-by: Ayush Garg
---
 monitor/packet.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/monitor/packet.c b/monitor/packet.c
index 51b42d7..7a2edeb 100755
--- a/monitor/packet.c
+++ b/monitor/packet.c
@@ -2815,7 +2815,8 @@ static const struct {
 static void print_le_states(const uint8_t *states_array)
 {
 uint64_t mask, states = 0;
- int i, n;
+ int i = 0;
+ size_t n = 0;
 for (i = 0; i < 8; i++)
 states |= ((uint64_t) states_array[i]) << (i * 8);
@@ -2827,12 +2828,12 @@ static void print_le_states(const uint8_t *states_array)
 for (i = 0; le_states_comb_table[i].states; i++) {
 uint64_t val = (((uint64_t) 1) << le_states_comb_table[i].bit);
 const char *str[3] = { NULL, };
- int num = 0;
+ size_t num = 0;
 if (!(states & val))
 continue;
- for (n = 0; n < 16; n++) {
+ for (n = 0; n < ARRAY_SIZE(le_states_desc_table); n++) {
 if (le_states_comb_table[i].states & (1 << n))
 str[num++] = le_states_desc_table[n].str;
 }
-- 
2.7.4
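Review bot: In the second hunk, `str[num++] = le_states_desc_table[n].str;` still writes into the three-element `str` array with no bound on `num`, so the loop now guards the read index but not the write index. Whether any `le_states_comb_table` entry can set more than three bits is not visible here, but the commit message's own reasoning (the table may change later) applies equally to this store. Tightening the condition to `if ((le_states_comb_table[i].states & (1 << n)) && num < ARRAY_SIZE(str))` would keep the stack array safe, and ARRAY_SIZE is already used in this hunk. The outer `for` loop and the rest of print_le_states continue outside the hunk.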