From f0a0e56ecb53aef7f315682d32330d983e5da2f1 Mon Sep 17 00:00:00 2001
From: Keith Packard
Date: Wed, 25 Jan 2023 17:09:12 -0800
Subject: [PATCH] subsys/bluetooth: Avoid RX overflow in lt_tx_real_no_encode
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

I have no idea what this code does, but when compiling tests/bluetooth/controller/ctrl_feature_exchange/ bluetooth.controller.ctrl_feature_exchange.test without -ffreestanding (i.e., with memcpy warnings enabled), I get:

.../tests/bluetooth/controller/common/src/helper_util.c: In function ‘lt_tx_real_no_encode’:
.../tests/bluetooth/controller/common/src/helper_util.c:412:9: error: ‘memcpy’ writing 39 bytes into a region of size 32 overflows the destination [-Werror=stringop-overflow=]
412 | memcpy((struct pdu_data *)rx->pdu, pdu, sizeof(struct pdu_data));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.../tests/bluetooth/controller/common/src/helper_util.c:410:14: note: at offset 32 into destination object of size 64 allocated by ‘malloc’
410 | rx = malloc(PDU_RX_NODE_SIZE);
| ^~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors

I increased the default size of LL_LENGTH_OCTETS_RX_MAX to satisfy this warning, but I would be very surprised if this were the correct fix.

Signed-off-by: Keith Packard
---
 subsys/bluetooth/controller/include/ll_feat.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/subsys/bluetooth/controller/include/ll_feat.h b/subsys/bluetooth/controller/include/ll_feat.h
index 1ab2cf6c58321..1bbfe57dd69c7 100644
--- a/subsys/bluetooth/controller/include/ll_feat.h
+++ b/subsys/bluetooth/controller/include/ll_feat.h
@@ -48,7 +48,7 @@
 #define LL_LENGTH_OCTETS_RX_MAX CONFIG_BT_CTLR_DATA_LENGTH_MAX
 #else
 #define LL_FEAT_BIT_DLE 0
-#define LL_LENGTH_OCTETS_RX_MAX 27
+#define LL_LENGTH_OCTETS_RX_MAX 34
 #endif /* CONFIG_BT_CTLR_DATA_LENGTH_MAX */
 #if defined(CONFIG_BT_CTLR_PRIVACY)
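Review bot: Raising `LL_LENGTH_OCTETS_RX_MAX` from 27 to 34 in the `#else` branch changes a production controller constant to silence a diagnostic that originates in the test helper, not in this header. 27 octets is the Link Layer's default maximum RX payload when Data Length Extension is not supported, so every build without CONFIG_BT_CTLR_DATA_LENGTH_MAX now sizes its RX PDU storage (and presumably anything else derived from this macro) for 34 octets while still advertising no DLE support; the over-copy the compiler reported is not removed, only pushed past the point where -Wstringop-overflow can see it. The quoted diagnostic shows `helper_util.c:412` copying `sizeof(struct pdu_data)` (39 bytes) into a PDU region sized from this macro, so the fix belongs there: copy only the PDU header plus the PDU's own payload length, bounded by the node's PDU capacity, instead of the whole struct. If the 34 is kept, the `#else` branch needs a comment such as `/* exceeds the 27-octet non-DLE default; sized for the test helper's full pdu_data copy */` so the deviation from the spec default is visible to the next reader. The `#if defined(CONFIG_BT_CTLR_DATA_LENGTH_MAX)` block that this hunk sits in begins above the hunk.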