
[nrf fromtree] Bluetooth: UBSAN warnings fixes #1483

Merged
merged 3 commits into from
Feb 12, 2024

Commits on Feb 12, 2024

  1. [nrf fromtree] Bluetooth: Fixing UBSAN warning in CTE field parsing in adv.c/scan.c

    During local testing, UBSAN reported the following warnings:
    - bluetooth/host/adv.c:2067:19: runtime error: shift exponent
    255 is too large for 32-bit type 'long unsigned int'
    - bluetooth/host/scan.c:828:18: runtime error: shift exponent
    255 is too large for 32-bit type 'long unsigned int'

    It turned out that we can't use BIT() macro directly on
    bt_hci_evt_le_per_advertising_report::cte_type field.
    According to Core Spec, `cte_type = 0xFF` corresponds
    to `No constant tone extension`.

    Added separate function to convert CTE bit field from
    HCI format to bt_df_cte_type
    Signed-off-by: Ivan Iushkov <ivan.iushkov@nordicsemi.no>
    (cherry picked from commit b1e9f86)
    Signed-off-by: Ivan Iushkov <ivan.iushkov@nordicsemi.no>
    ivaniushkov committed Feb 12, 2024 (commit ab1667a)
  2. [nrf fromtree] Bluetooth: fixing UBSAN warnings related to Codec Configuration

    During local testing with UBSAN enabled, a warning was reported:
    bluetooth/host/iso.c:237:2: runtime error: null pointer passed
    as argument 2, which is declared to never be null

    It turned out that when datapath doesn't contain
    codec information, cc_len is 0 and cc is NULL

    In order to avoid UB,
    now we call memcpy only when cp->codec_config_len > 0

    Signed-off-by: Ivan Iushkov <ivan.iushkov@nordicsemi.no>
    (cherry picked from commit e8d0900)
    Signed-off-by: Ivan Iushkov <ivan.iushkov@nordicsemi.no>
    ivaniushkov committed Feb 12, 2024 (commit d558462)
  3. [nrf fromtree] Bluetooth: fixing null-pointer dereference in l2cap channel destroyer

    During local testing with UBSAN enabled, a warning was reported:
    bluetooth/host/l2cap.c:980:25: runtime error: member access
    within null pointer of type 'struct k_work_q'

    It turned out that le_chan->rtx_work.queue can be NULL.
    Since null-pointer dereference is UB, an additional check
    was added to ensure we don't access
    `le_chan->rtx_work.queue->thread` when
    `le_chan->rtx_work.queue == NULL`

    The same changes applied to l2cap_br.c

    Signed-off-by: Ivan Iushkov <ivan.iushkov@nordicsemi.no>
    (cherry picked from commit a3cbf8e)
    Signed-off-by: Ivan Iushkov <ivan.iushkov@nordicsemi.no>
    ivaniushkov committed Feb 12, 2024 (commit 3087c5c)
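The first two commits describe two classic sources of undefined behaviour that UBSAN catches and that otherwise compile and "work" until the optimizer decides they never happen: shifting `1UL` by a raw protocol field (`BIT(cte_type)` with `cte_type = 0xFF` is `1UL << 255`, undefined for a 32-bit type), and calling `memcpy` with a NULL source even when the length is 0. The following is an added, stand-alone illustration written for this page; it is not code from the Zephyr or nRF Connect SDK tree. The HCI `CTE_Type` encodings (0x00 AoA, 0x01 AoD 1 µs, 0x02 AoD 2 µs, 0xFF none) follow the Core Spec, and the enum names and the `copy_codec_config` helper are assumptions modelled on the `bt_df_cte_type` conversion and the guarded `memcpy` the commit messages describe.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Core Spec encoding of CTE_Type in the LE Periodic Advertising Report
 * event; 0xFF means "no constant tone extension". */
#define HCI_CTE_TYPE_AOA      0x00
#define HCI_CTE_TYPE_AOD_1US  0x01
#define HCI_CTE_TYPE_AOD_2US  0x02
#define HCI_CTE_TYPE_NONE     0xFF

/* Bitmask result type; names are assumptions modelled on bt_df_cte_type. */
enum cte_type_bits {
	CTE_TYPE_NONE    = 0,
	CTE_TYPE_AOA     = 1u << 0,
	CTE_TYPE_AOD_1US = 1u << 1,
	CTE_TYPE_AOD_2US = 1u << 2,
};

#define CTE_BITS_INVALID UINT32_MAX

/* Why BIT(cte_type) is wrong: a shift count >= the width of the type is
 * undefined behaviour, so 1UL << 0xFF on a 32-bit unsigned long is UB.
 * This helper only reports whether a shift would be undefined; it never
 * performs one. */
static bool shift_would_be_undefined(uint8_t shift)
{
	return shift >= 32u; /* 32-bit type, as in the UBSAN report */
}

/* Explicit mapping instead of a shift: every reachable input yields a
 * defined result, and reserved values are rejected rather than shifted. */
static uint32_t hci_cte_type_to_bits(uint8_t hci_cte_type)
{
	switch (hci_cte_type) {
	case HCI_CTE_TYPE_AOA:     return CTE_TYPE_AOA;
	case HCI_CTE_TYPE_AOD_1US: return CTE_TYPE_AOD_1US;
	case HCI_CTE_TYPE_AOD_2US: return CTE_TYPE_AOD_2US;
	case HCI_CTE_TYPE_NONE:    return CTE_TYPE_NONE;
	default:                   return CTE_BITS_INVALID; /* reserved */
	}
}

/* memcpy with a NULL source is UB even for a zero length (the second
 * commit's finding). Guarding on the length first keeps the optional
 * codec-configuration copy defined when the data path carries none.
 * Returns the number of bytes copied; 0 on "nothing to copy" or reject. */
static size_t copy_codec_config(uint8_t *dst, size_t dst_len,
				const uint8_t *cc, size_t cc_len)
{
	if (cc_len == 0) {
		return 0; /* cc may legitimately be NULL here; never touch it */
	}
	if (cc == NULL || cc_len > dst_len) {
		return 0; /* inconsistent input: length without data, or overflow */
	}
	memcpy(dst, cc, cc_len);
	return cc_len;
}

/* Exercises copy_codec_config on constructed inputs; returns the number
 * of cases that behaved as expected (3 when all pass). */
static int codec_copy_cases(void)
{
	uint8_t dst[8] = {0};
	const uint8_t cc[3] = {0x01, 0x02, 0x03}; /* constructed sample */
	int ok = 0;

	ok += (copy_codec_config(dst, sizeof(dst), NULL, 0) == 0);   /* no codec info */
	ok += (copy_codec_config(dst, sizeof(dst), cc, 3) == 3 && dst[2] == 0x03);
	ok += (copy_codec_config(dst, 2, cc, 3) == 0);                /* too long */
	return ok;
}

int main(void)
{
	printf("cte 0xFF -> bits 0x%x (shift would be UB: %d)\n",
	       hci_cte_type_to_bits(HCI_CTE_TYPE_NONE),
	       shift_would_be_undefined(HCI_CTE_TYPE_NONE));
	printf("codec copy cases passed: %d/3\n", codec_copy_cases());
	return 0;
}
```

The switch is deliberately exhaustive over the spec-defined values: a reserved `cte_type` is reported as invalid so the caller can drop the event, rather than being folded into a shift whose result the compiler is free to assume never occurs.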