diff options
| author | Paolo Bonzini <pbonzini@redhat.com> | 2015-10-19 16:08:40 +0200 |
|---|---|---|
| committer | Michael Tokarev <mjt@tls.msk.ru> | 2015-11-06 15:42:38 +0300 |
| commit | 374ec0669a1aa3affac7850a16c6cad18221c439 (patch) | |
| tree | c561a1c89a00cb8c4b43ba8af9a1fc65dcba32f8 | |
| parent | 1a13b27273cdc4f6fd18bc1e83950d47c6b5928b (diff) | |
| download | focaccia-qemu-374ec0669a1aa3affac7850a16c6cad18221c439.tar.gz focaccia-qemu-374ec0669a1aa3affac7850a16c6cad18221c439.zip | |
bt: fix use of uninitialized variable seqlen
sdp_svc_match, sdp_attr_match and sdp_svc_attr_match read the last argument. The only sensible way to change the code is to make that last argument "len" instead of "seqlen" which is the length of a subsequence in the previous "if" branch. To make the structure of the code clearer, use "else" instead of "else if". Reported by Coverity. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
| -rw-r--r-- | hw/bt/sdp.c | 29 |
1 files changed, 20 insertions, 9 deletions
diff --git a/hw/bt/sdp.c b/hw/bt/sdp.c index c903747952..b9bcdcc78d 100644 --- a/hw/bt/sdp.c +++ b/hw/bt/sdp.c @@ -150,12 +150,14 @@ static ssize_t sdp_svc_search(struct bt_l2cap_sdp_state_s *sdp, if (seqlen < 3 || len < seqlen) return -SDP_INVALID_SYNTAX; len -= seqlen; - while (seqlen) if (sdp_svc_match(sdp, &req, &seqlen)) return -SDP_INVALID_SYNTAX; - } else if (sdp_svc_match(sdp, &req, &seqlen)) - return -SDP_INVALID_SYNTAX; + } else { + if (sdp_svc_match(sdp, &req, &len)) { + return -SDP_INVALID_SYNTAX; + } + } if (len < 3) return -SDP_INVALID_SYNTAX; @@ -278,8 +280,11 @@ static ssize_t sdp_attr_get(struct bt_l2cap_sdp_state_s *sdp, while (seqlen) if (sdp_attr_match(record, &req, &seqlen)) return -SDP_INVALID_SYNTAX; - } else if (sdp_attr_match(record, &req, &seqlen)) - return -SDP_INVALID_SYNTAX; + } else { + if (sdp_attr_match(record, &req, &len)) { + return -SDP_INVALID_SYNTAX; + } + } if (len < 1) return -SDP_INVALID_SYNTAX; @@ -393,8 +398,11 @@ static ssize_t sdp_svc_search_attr_get(struct bt_l2cap_sdp_state_s *sdp, while (seqlen) if (sdp_svc_match(sdp, &req, &seqlen)) return -SDP_INVALID_SYNTAX; - } else if (sdp_svc_match(sdp, &req, &seqlen)) - return -SDP_INVALID_SYNTAX; + } else { + if (sdp_svc_match(sdp, &req, &len)) { + return -SDP_INVALID_SYNTAX; + } + } if (len < 3) return -SDP_INVALID_SYNTAX; @@ -413,8 +421,11 @@ static ssize_t sdp_svc_search_attr_get(struct bt_l2cap_sdp_state_s *sdp, while (seqlen) if (sdp_svc_attr_match(sdp, &req, &seqlen)) return -SDP_INVALID_SYNTAX; - } else if (sdp_svc_attr_match(sdp, &req, &seqlen)) - return -SDP_INVALID_SYNTAX; + } else { + if (sdp_svc_attr_match(sdp, &req, &len)) { + return -SDP_INVALID_SYNTAX; + } + } if (len < 1) return -SDP_INVALID_SYNTAX; |