-
Notifications
You must be signed in to change notification settings - Fork 6.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
subsys/bluetooth: Avoid RX overflow in lt_tx_real_no_encode #54119
subsys/bluetooth: Avoid RX overflow in lt_tx_real_no_encode #54119
Conversation
Correct, increasing the default in the implementation is not correct. The bug is in the test and needs to be fixed. @erbr-ot could you take a look? |
Yeah, there is an issue with the define of PDU_RX_NODE_SIZE in helper_util.c - the use of LL_LENGTH_OCTETS_RX_MAX in PDU_DATA_SIZE is incorrect. I'd like to run this by @thoh-ot, but I think PDU_DATA_SIZE should use sizeof(struct pdu_data) instead. |
@cvinayak @erbr-ot @kruithofa Any updates on this? |
1e6b56c
to
dd682bf
Compare
dd682bf
to
d04f8b1
Compare
I have no idea what this code does, but when compiling tests/bluetooth/controller/ctrl_feature_exchange/ bluetooth.controller.ctrl_feature_exchange.test without -ffreestanding (i.e., with memcpy warnings enabled), I get: .../tests/bluetooth/controller/common/src/helper_util.c: In function ‘lt_tx_real_no_encode’: .../tests/bluetooth/controller/common/src/helper_util.c:412:9: error: ‘memcpy’ writing 39 bytes into a region of size 32 overflows the destination [-Werror=stringop-overflow=] 412 | memcpy((struct pdu_data *)rx->pdu, pdu, sizeof(struct pdu_data)); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .../tests/bluetooth/controller/common/src/helper_util.c:410:14: note: at offset 32 into destination object of size 64 allocated by ‘malloc’ 410 | rx = malloc(PDU_RX_NODE_SIZE); | ^~~~~~~~~~~~~~~~~~~~~~~~ cc1: all warnings being treated as errors I increased the default size of LL_LENGTH_OCTETS_RX_MAX to satisfy this warning, but I would be very surprised if this were the correct fix. Signed-off-by: Keith Packard <[email protected]>
d04f8b1
to
f0a0e56
Compare
Ping |
See issue #55110 for status |
Superseded by #57328 |
I have no idea what this code does, but when compiling tests/bluetooth/controller/ctrl_feature_exchange/bluetooth.controller.ctrl_feature_exchange.test without -ffreestanding (i.e., with memcpy warnings enabled), I get:
.../tests/bluetooth/controller/common/src/helper_util.c: In function ‘lt_tx_real_no_encode’: .../tests/bluetooth/controller/common/src/helper_util.c:412:9: error: ‘memcpy’ writing 39 bytes into a region of size 32 overflows the destination [-Werror=stringop-overflow=]
412 | memcpy((struct pdu_data *)rx->pdu, pdu, sizeof(struct pdu_data));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.../tests/bluetooth/controller/common/src/helper_util.c:410:14: note: at offset 32 into destination object of size 64 allocated by ‘malloc’
410 | rx = malloc(PDU_RX_NODE_SIZE);
| ^~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
I increased the default size of LL_LENGTH_OCTETS_RX_MAX to satisfy this warning, but I would be very surprised if this were the correct fix.
Signed-off-by: Keith Packard [email protected]