    Bluetooth: mgmt: Pessimize compile-time bounds-check · a31e5a41
    Kees Cook authored
    After gaining __alloc_size hints, GCC thinks it can reach a memcpy()
    with eir_len == 0 (since it can't see into the rewrite of status).
    Instead, check eir_len == 0, avoiding this future warning:
    
    In function 'eir_append_data',
        inlined from 'read_local_oob_ext_data_complete' at net/bluetooth/mgmt.c:7210:12:
    ./include/linux/fortify-string.h:54:29: warning: '__builtin_memcpy' offset 5 is out of the bounds [0, 3] [-Warray-bounds]
    ...
    net/bluetooth/hci_request.h:133:2: note: in expansion of macro 'memcpy'
      133 |  memcpy(&eir[eir_len], data, data_len);
          |  ^~~~~~
    
    Cc: Marcel Holtmann <marcel@holtmann.org>
    Cc: Johan Hedberg <johan.hedberg@gmail.com>
    Cc: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
    Cc: "David S. Miller" <davem@davemloft.net>
    Cc: Jakub Kicinski <kuba@kernel.org>
    Cc: linux-bluetooth@vger.kernel.org
    Cc: netdev@vger.kernel.org
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
mgmt.c 239 KB
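
The warning quoted in the commit message concerns a `memcpy()` that GCC believes is reachable with `eir_len == 0`. The following C code is an added example, not code from this commit or from the kernel: it shows an append helper that takes the buffer capacity and refuses a field that does not fit. The name `eir_append_bounded`, the `eir_cap` parameter and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bounded append (not the kernel helper): writes one
 * [length][type][data] field at eir[eir_len] only if it fits in eir_cap.
 * Returns the new length, or eir_len unchanged when the field is rejected. */
static uint16_t eir_append_bounded(uint8_t *eir, size_t eir_cap, uint16_t eir_len,
                                   uint8_t type, const uint8_t *data, uint8_t data_len)
{
    size_t need = 2u + data_len;   /* length byte + type byte + payload */

    if (data_len > UINT8_MAX - sizeof(type))   /* length byte would wrap */
        return eir_len;
    if (eir_len > eir_cap || need > eir_cap - eir_len)
        return eir_len;            /* no room, including eir_cap == 0 */

    eir[eir_len++] = (uint8_t)(sizeof(type) + data_len);
    eir[eir_len++] = type;
    if (data_len)
        memcpy(&eir[eir_len], data, data_len);
    return (uint16_t)(eir_len + data_len);
}

/* Constructed sample field: type 0x0d with a 3-byte payload. */
static const uint8_t sample[3] = { 0x0c, 0x02, 0x5a };

/* Zero-capacity data area: the append must be refused (returns 0). */
static uint16_t demo_zero_capacity(void)
{
    uint8_t buf[1] = { 0 };
    return eir_append_bounded(buf, 0, 0, 0x0d, sample, sizeof(sample));
}

/* Five bytes of room: the field fits exactly (returns 5). */
static uint16_t demo_exact_fit(uint8_t out[5])
{
    memset(out, 0, 5);
    return eir_append_bounded(out, 5, 0, 0x0d, sample, sizeof(sample));
}

int main(void)
{
    uint8_t out[5];
    printf("zero capacity -> %u\n", (unsigned)demo_zero_capacity());
    printf("exact fit     -> %u\n", (unsigned)demo_exact_fit(out));
    return 0;
}
```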