Commit 374ec066 authored by Paolo Bonzini's avatar Paolo Bonzini Committed by Michael Tokarev

bt: fix use of uninitialized variable seqlen



sdp_svc_match, sdp_attr_match and sdp_svc_attr_match read the last
argument.  The only sensible way to change the code is to make that last
argument "len" instead of "seqlen" which is the length of a subsequence
in the previous "if" branch.

To make the structure of the code clearer, use "else" instead of
"else if".

Reported by Coverity.

Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
Signed-off-by: default avatarMichael Tokarev <mjt@tls.msk.ru>
parent 1a13b272
+20 −9
@@ -150,12 +150,14 @@ static ssize_t sdp_svc_search(struct bt_l2cap_sdp_state_s *sdp,
        if (seqlen < 3 || len < seqlen)
            return -SDP_INVALID_SYNTAX;
        len -= seqlen;

        while (seqlen)
            if (sdp_svc_match(sdp, &req, &seqlen))
                return -SDP_INVALID_SYNTAX;
    } else if (sdp_svc_match(sdp, &req, &seqlen))
    } else {
        if (sdp_svc_match(sdp, &req, &len)) {
            return -SDP_INVALID_SYNTAX;
        }
    }

    if (len < 3)
        return -SDP_INVALID_SYNTAX;
@@ -278,8 +280,11 @@ static ssize_t sdp_attr_get(struct bt_l2cap_sdp_state_s *sdp,
        while (seqlen)
            if (sdp_attr_match(record, &req, &seqlen))
                return -SDP_INVALID_SYNTAX;
    } else if (sdp_attr_match(record, &req, &seqlen))
    } else {
        if (sdp_attr_match(record, &req, &len)) {
            return -SDP_INVALID_SYNTAX;
        }
    }

    if (len < 1)
        return -SDP_INVALID_SYNTAX;
@@ -393,8 +398,11 @@ static ssize_t sdp_svc_search_attr_get(struct bt_l2cap_sdp_state_s *sdp,
        while (seqlen)
            if (sdp_svc_match(sdp, &req, &seqlen))
                return -SDP_INVALID_SYNTAX;
    } else if (sdp_svc_match(sdp, &req, &seqlen))
    } else {
        if (sdp_svc_match(sdp, &req, &len)) {
            return -SDP_INVALID_SYNTAX;
        }
    }

    if (len < 3)
        return -SDP_INVALID_SYNTAX;
@@ -413,8 +421,11 @@ static ssize_t sdp_svc_search_attr_get(struct bt_l2cap_sdp_state_s *sdp,
        while (seqlen)
            if (sdp_svc_attr_match(sdp, &req, &seqlen))
                return -SDP_INVALID_SYNTAX;
    } else if (sdp_svc_attr_match(sdp, &req, &seqlen))
    } else {
        if (sdp_svc_attr_match(sdp, &req, &len)) {
            return -SDP_INVALID_SYNTAX;
        }
    }

    if (len < 1)
        return -SDP_INVALID_SYNTAX;
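Review bot: The single-element `else` branch in sdp_svc_search now hands `&len` to the matcher with no lower bound on `len` first, whereas the sequence branch above it rejects `seqlen < 3 || len < seqlen` before looping. The buffer being parsed is an SDP request from the peer, and sdp_svc_match, sdp_attr_match and sdp_svc_attr_match are defined outside these hunks, so it is not visible whether they check the remaining length before reading through `req`; if they do not, a guard such as `if (len < 1 || sdp_svc_match(sdp, &req, &len)) {` would cover it. The same applies to the `else` branch in sdp_attr_get and to both in sdp_svc_search_attr_get. A short comment in each, e.g. `/* single element: the matcher consumes from len directly */`, would also record why `len` rather than `seqlen` is passed. All of the enclosing functions start and end outside the hunks shown.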