subsys/bluetooth: Avoid RX overflow in lt_tx_real_no_encode

[keith-packard]

I have no idea what this code does, but when compiling tests/bluetooth/controller/ctrl_feature_exchange/bluetooth.controller.ctrl_feature_exchange.test without -ffreestanding (i.e., with memcpy warnings enabled), I get:

.../tests/bluetooth/controller/common/src/helper_util.c: In function ‘lt_tx_real_no_encode’: .../tests/bluetooth/controller/common/src/helper_util.c:412:9: error: ‘memcpy’ writing 39 bytes into a region of size 32 overflows the destination [-Werror=stringop-overflow=]
412 | memcpy((struct pdu_data *)rx->pdu, pdu, sizeof(struct pdu_data));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.../tests/bluetooth/controller/common/src/helper_util.c:410:14: note: at offset 32 into destination object of size 64 allocated by ‘malloc’
410 | rx = malloc(PDU_RX_NODE_SIZE);
| ^~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors

I increased the default size of LL_LENGTH_OCTETS_RX_MAX to satisfy this warning, but I would be very surprised if this were the correct fix.

Signed-off-by: Keith Packard [email protected]

[cvinayak]

I increased the default size of LL_LENGTH_OCTETS_RX_MAX to satisfy this warning, but I would be very surprised if this were the correct fix.

Correct, increasing the default in the implementation is not correct. The bug is in the test and needs to be fixed. @erbr-ot could you take a look?

[erbr-ot]

Yeah, there is an issue with the define of PDU_RX_NODE_SIZE in helper_util.c - the use of LL_LENGTH_OCTETS_RX_MAX in PDU_DATA_SIZE is incorrect. I'd like to run this by @thoh-ot, but I think PDU_DATA_SIZE should use sizeof(struct pdu_data) instead.

[stephanosio]

@cvinayak @erbr-ot @kruithofa Any updates on this?

[stephanosio]

@cvinayak @erbr-ot @kruithofa Any updates on this?

Ping

[kruithofa]

See issue #55110 for status

[stephanosio]

Superseded by #57328