net: lwm2m: fix out-of-bounds access in put_s8()

mike-scott · nashif · commit f6b221699c5f · 2019-02-13T21:02:53.000-05:00
Per Coverity report, oma_tlv_put() does pointer arithmetic accessing the data as an array of u8_t. In put_bool() we get a singleton pointer from the evaluation of: "value != 0 ? 1 : 0" which is passed to put_s8() which in turn passes it to oma_tlv_put(). To avoid misinterpretation, let's create a temporary s8_t variable to pass into oma_tlv_put instead. Fixes: #12312 Signed-off-by: Michael Scott <mike@foundries.io>
diff --git a/subsys/net/lib/lwm2m/lwm2m_rw_oma_tlv.c b/subsys/net/lib/lwm2m/lwm2m_rw_oma_tlv.c
@@ -554,7 +554,9 @@ static size_t put_float64fix(struct lwm2m_output_context *out,
 static size_t put_bool(struct lwm2m_output_context *out,
 		       struct lwm2m_obj_path *path, bool value)
 {
-	return put_s8(out, path, value != 0 ? 1 : 0);
+	s8_t value_s8 = (value != 0 ? 1 : 0);
+
+	return put_s8(out, path, value_s8);
 }
 
 static size_t get_number(struct lwm2m_input_context *in, s64_t *value,

Original file line number	Diff line number	Diff line change
`@@ -554,7 +554,9 @@ static size_t put_float64fix(struct lwm2m_output_context *out,`
`554`	`554`	`static size_t put_bool(struct lwm2m_output_context *out,`
`555`	`555`	`struct lwm2m_obj_path *path, bool value)`
`556`	`556`	`{`
`557`		`- return put_s8(out, path, value != 0 ? 1 : 0);`
	`557`	`+ s8_t value_s8 = (value != 0 ? 1 : 0);`
	`558`	`+`
	`559`	`+ return put_s8(out, path, value_s8);`
`558`	`560`	`}`
`559`	`561`
`560`	`562`	`static size_t get_number(struct lwm2m_input_context in, s64_t value,`