[Coverity CID: 236079] Untrusted divisor in subsys/bluetooth/controller/hci/hci.c #35343

Closed
zephyrbot opened this issue May 17, 2021 · 0 comments · Fixed by #35527
Labels: area: Bluetooth; bug (The issue is a bug, or the PR is fixing a bug); Coverity (A Coverity detected issue or its fix); priority: low (Low impact/importance bug)

Static code scan issues found in file:

https://github.com/zephyrproject-rtos/zephyr/tree/21d1ad3762302b3e461953df59430c77e0709274/subsys/bluetooth/controller/hci/hci.c#L3261

Category: Insecure data handling
Function: le_ext_create_connection
Component: Bluetooth
CID: 236079

Details:

3255                             conn_interval_max =
3256                                     sys_le16_to_cpu(p->conn_interval_max);
3257                             conn_latency = sys_le16_to_cpu(p->conn_latency);
3258                             supervision_timeout =
3259                                     sys_le16_to_cpu(p->supervision_timeout);
3260     
>>>     CID 236079:  Insecure data handling  (TAINTED_SCALAR)
>>>     Passing tainted expression "conn_interval_max" to "ll_create_connection", which uses it as a divisor or modulus.
3261                             status = ll_create_connection(scan_interval,
3262                                                           scan_window,
3263                                                           filter_policy,
3264                                                           peer_addr_type,
3265                                                           peer_addr,
3266                                                           own_addr_type,

Please fix or provide comments in coverity using the link:

https://scan9.coverity.com/reports.htm#v29271/p12996

Note: This issue was created automatically. Priority was set based on classification
of the file affected and the impact field in coverity. Assignees were set using the CODEOWNERS file.

zephyrbot added the bug, Coverity, and priority: low labels on May 17, 2021
carlescufi added a commit to carlescufi/zephyr that referenced this issue May 21, 2021
Coverity detected that a zero divisor can be passed to
ll_create_connection() without parameter sanitization. Conditionally
check the connection creation parameters according to spec.

Fixes zephyrproject-rtos#35343.

Signed-off-by: Carles Cufi <carles.cufi@nordicsemi.no>
carlescufi added a commit that referenced this issue May 21, 2021
Coverity detected that a zero divisor can be passed to
ll_create_connection() without parameter sanitization. Conditionally
check the connection creation parameters according to spec.

Fixes #35343.

Signed-off-by: Carles Cufi <carles.cufi@nordicsemi.no>