Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

subsys/bluetooth: Avoid RX overflow in lt_tx_real_no_encode #54119

Closed

Conversation

keith-packard
Copy link
Collaborator

I have no idea what this code does, but when compiling tests/bluetooth/controller/ctrl_feature_exchange/bluetooth.controller.ctrl_feature_exchange.test without -ffreestanding (i.e., with memcpy warnings enabled), I get:

.../tests/bluetooth/controller/common/src/helper_util.c: In function ‘lt_tx_real_no_encode’: .../tests/bluetooth/controller/common/src/helper_util.c:412:9: error: ‘memcpy’ writing 39 bytes into a region of size 32 overflows the destination [-Werror=stringop-overflow=]
412 | memcpy((struct pdu_data *)rx->pdu, pdu, sizeof(struct pdu_data));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.../tests/bluetooth/controller/common/src/helper_util.c:410:14: note: at offset 32 into destination object of size 64 allocated by ‘malloc’
410 | rx = malloc(PDU_RX_NODE_SIZE);
| ^~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors

I increased the default size of LL_LENGTH_OCTETS_RX_MAX to satisfy this warning, but I would be very surprised if this were the correct fix.

Signed-off-by: Keith Packard [email protected]

@cvinayak
Copy link
Contributor

I increased the default size of LL_LENGTH_OCTETS_RX_MAX to satisfy this warning, but I would be very surprised if this were the correct fix.

Correct, increasing the default in the implementation is not correct. The bug is in the test and needs to be fixed. @erbr-ot could you take a look?

@erbr-ot
Copy link
Collaborator

erbr-ot commented Jan 26, 2023

Yeah, there is an issue with the define of PDU_RX_NODE_SIZE in helper_util.c - the use of LL_LENGTH_OCTETS_RX_MAX in PDU_DATA_SIZE is incorrect. I'd like to run this by @thoh-ot, but I think PDU_DATA_SIZE should use sizeof(struct pdu_data) instead.

@stephanosio
Copy link
Member

@cvinayak @erbr-ot @kruithofa Any updates on this?

I have no idea what this code does, but when compiling
tests/bluetooth/controller/ctrl_feature_exchange/
bluetooth.controller.ctrl_feature_exchange.test
without -ffreestanding (i.e., with memcpy warnings enabled), I get:

.../tests/bluetooth/controller/common/src/helper_util.c: In function
‘lt_tx_real_no_encode’:

.../tests/bluetooth/controller/common/src/helper_util.c:412:9: error:
‘memcpy’ writing 39 bytes into a region of size 32 overflows the
destination [-Werror=stringop-overflow=]

  412 | memcpy((struct pdu_data *)rx->pdu, pdu, sizeof(struct pdu_data));
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.../tests/bluetooth/controller/common/src/helper_util.c:410:14: note: at
offset 32 into destination object of size 64 allocated by ‘malloc’

  410 |         rx = malloc(PDU_RX_NODE_SIZE);
      |              ^~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors

I increased the default size of LL_LENGTH_OCTETS_RX_MAX to satisfy this
warning, but I would be very surprised if this were the correct fix.

Signed-off-by: Keith Packard <[email protected]>
@stephanosio
Copy link
Member

@cvinayak @erbr-ot @kruithofa Any updates on this?

Ping

@kruithofa
Copy link
Collaborator

kruithofa commented Apr 20, 2023

See issue #55110 for status

@stephanosio
Copy link
Member

Superseded by #57328

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants