2024-02-06 11:23:48

by Jonas Dreßler

Subject: [PATCH BlueZ v2 1/4] mgmt-tester: Add a 0-entry to expect_hci_list lists

In add_expect_hci_list() we iterate through the entries of the
expect_hci_list as long as there is an opcode, which means currently
this relies on overflowing the buffer to detect the end of the list.

This is not great and when running with address sanitizer, the
out-of-bounds read gets detected and mgmt-tester aborts. Fix it by
adding a trailing zero-entry to all those lists.
---
tools/mgmt-tester.c | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/tools/mgmt-tester.c b/tools/mgmt-tester.c
index 7dfd1b0c7..7d884bbf6 100644
--- a/tools/mgmt-tester.c
+++ b/tools/mgmt-tester.c
@@ -8798,6 +8798,7 @@ static const struct hci_cmd_data multi_ext_adv_add_second_hci_cmds[] = {
.len = sizeof(le_set_ext_adv_enable_inst_2),
.param = le_set_ext_adv_enable_inst_2,
},
+ {},
};

static const struct generic_data multi_ext_advertising_add_second_2 = {
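Review bot: the new `{},` entry only works because add_expect_hci_list() treats a zero opcode as end-of-list, and nothing in the array type or its declarations says so; suggest a one-line comment next to that loop (or on struct hci_cmd_data) stating that every expect_hci_list array must end with a zero-opcode entry, so the next list added without one does not silently reintroduce the out-of-bounds read the commit message describes. A stronger fix would also bound the loop by the array length (ARRAY_SIZE) instead of relying on the sentinel alone.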
@@ -8845,6 +8846,7 @@ static const struct hci_cmd_data multi_ext_adv_remove_adv_hci_cmds[] = {
.len = sizeof(advertising_instance1_param),
.param = advertising_instance1_param,
},
+ {},
};

static const struct generic_data multi_ext_advertising_remove = {
@@ -8877,6 +8879,7 @@ static const struct hci_cmd_data multi_ext_adv_remove_all_adv_hci_cmds[] = {
{
.opcode = BT_HCI_CMD_LE_CLEAR_ADV_SETS,
},
+ {},
};

static const struct generic_data multi_ext_advertising_remove_all = {
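Review bot: this list contains an entry with only `.opcode = BT_HCI_CMD_LE_CLEAR_ADV_SETS` and no `.len`/`.param`, so a zero length or NULL param is a legitimate entry, not a terminator; worth confirming that the loop condition in add_expect_hci_list() keys on `.opcode` alone, as the commit message states, and not on `.len` or `.param`.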
@@ -8913,6 +8916,7 @@ static const struct hci_cmd_data multi_ext_adv_add_2_advs_hci_cmds[] = {
.len = sizeof(set_ext_adv_data_test1),
.param = set_ext_adv_data_test1,
},
+ {},
};

static const struct generic_data multi_ext_advertising_add_no_power = {
@@ -10378,6 +10382,7 @@ static const struct hci_cmd_data ll_privacy_add_device_3_hci_list[] = {
.param = set_resolv_on_param,
.len = sizeof(set_resolv_on_param),
},
+ {},
};

static const struct generic_data ll_privacy_add_device_3 = {
@@ -10495,6 +10500,7 @@ static const struct hci_cmd_data ll_privacy_add_device_9_hci_list[] = {
.len = sizeof(le_add_to_resolv_list_param),
.param = le_add_to_resolv_list_param
},
+ {},
};

static const struct generic_data ll_privacy_add_device_9 = {
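Review bot: style nit, `.param = le_add_to_resolv_list_param` is the only entry in these hunks without a trailing comma; since the line directly below it is being touched, adding the comma would keep the lists consistent, though it is cosmetic and optional for this fix.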
@@ -10823,6 +10829,7 @@ static const struct hci_cmd_data ll_privacy_set_device_flags_1_hci_list[] = {
.param = set_resolv_on_param,
.len = sizeof(set_resolv_on_param),
},
+ {},
};

static const uint8_t device_flags_changed_params_1[] = {
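Review bot: the diffstat shows seven insertions, all in multi_ext_adv_* and ll_privacy_* lists, while the commit message says "all those lists"; it would help to state in the message how the affected arrays were identified (for example, every array passed as expect_hci_list) so reviewers can confirm no other unterminated list remains.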
--
2.43.0
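As an added example (not BlueZ code and not part of this patch), a small C model of the opcode-terminated list walk the commit message describes, with a length-bounded walk and a check that catches a list missing its trailing `{}` entry; struct hci_cmd_data, the opcodes, payloads and helper names are constructed stand-ins.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the tester's struct; a zero opcode ends a list. */
struct hci_cmd_data {
	uint16_t opcode;
	uint8_t len;
	const void *param;
};
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed sample opcodes and payloads, not real HCI values. */
static const uint8_t param_a[] = { 0x01 };
static const uint8_t param_b[] = { 0x02, 0x03 };

/* Terminated the way the patch leaves every list; { 0 } is equivalent to {}. */
static const struct hci_cmd_data terminated_list[] = {
	{ .opcode = 0x1234, .len = sizeof(param_a), .param = param_a },
	{ .opcode = 0x1235, .len = sizeof(param_b), .param = param_b },
	{ 0 },
};

/* Same entries without the sentinel: the shape ASan flagged. */
static const struct hci_cmd_data unterminated_list[] = {
	{ .opcode = 0x1234, .len = sizeof(param_a), .param = param_a },
	{ .opcode = 0x1235, .len = sizeof(param_b), .param = param_b },
};

/* Walk at most n entries, stopping at the first zero opcode. Unlike a bare
 * "while (list[i].opcode)" loop this never reads past the array: a missing
 * sentinel degrades to "count == n" instead of an out-of-bounds read. */
static size_t count_hci_cmds(const struct hci_cmd_data *list, size_t n)
{
	size_t i;
	for (i = 0; i < n && list[i].opcode; i++)
		;
	return i;
}

/* Cheap check a harness can run over every list to catch a forgotten {}. */
static bool list_is_terminated(const struct hci_cmd_data *list, size_t n)
{
	return count_hci_cmds(list, n) < n;
}

int main(void)
{
	/* Non-zero exit means a list is missing its {} terminator. */
	return list_is_terminated(unterminated_list, ARRAY_SIZE(unterminated_list)) ? 0 : 1;
}
```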



2024-02-06 13:04:55

by bluez.test.bot

Subject: RE: Adjust tests for sequential conn establishing

This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=823536

---Test result---

Test Summary:
CheckPatch FAIL 1.54 seconds
GitLint PASS 0.90 seconds
BuildEll PASS 23.89 seconds
BluezMake PASS 695.39 seconds
MakeCheck PASS 11.91 seconds
MakeDistcheck PASS 162.67 seconds
CheckValgrind PASS 226.45 seconds
CheckSmatch WARNING 331.05 seconds
bluezmakeextell PASS 108.44 seconds
IncrementalBuild PASS 2662.64 seconds
ScanBuild WARNING 988.49 seconds

Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
[BlueZ,v2,3/4] emulator/btdev: Send page timeout after 5.12 secs delay
WARNING:LONG_LINE_COMMENT: line length of 81 exceeds 80 columns
#106: FILE: emulator/btdev.c:1328:
+ /* Send page timeout after 5.12 seconds to emulate real paging */

/github/workspace/src/src/13547070.patch total: 0 errors, 1 warnings, 44 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.

/github/workspace/src/src/13547070.patch has style problems, please review.

NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO

NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.


[BlueZ,v2,4/4] mgmt-tester: Add a test for connecting sequentially
WARNING:LONG_LINE: line length of 85 exceeds 80 columns
#128: FILE: tools/mgmt-tester.c:12822:
+ if (pd_data->n_conn_failed_evts != pd_data->n_create_conn_cmds - 1) {

WARNING:LONG_LINE_COMMENT: line length of 93 exceeds 80 columns
#146: FILE: tools/mgmt-tester.c:12840:
+ 0x31, 0xAB, 0xCD, 0x32, 0x34, 0x73, /* random bdaddr so we fail to connect */

/github/workspace/src/src/13547071.patch total: 0 errors, 2 warnings, 117 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.

/github/workspace/src/src/13547071.patch has style problems, please review.

NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO

NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.


##############################
Test: CheckSmatch - WARNING
Desc: Run smatch tool with source
Output:
emulator/btdev.c:420:29: warning: Variable length array is used.
##############################
Test: ScanBuild - WARNING
Desc: Run Scan Build
Output:
emulator/btdev.c:1084:10: warning: Although the value stored to 'conn' is used in the enclosing expression, the value is never actually read from 'conn'
while ((conn = queue_find(dev->conns, match_handle,
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
emulator/btdev.c:1365:24: warning: Access to field 'link' results in a dereference of a null pointer (loaded from variable 'conn')
pending_conn_del(dev, conn->link->dev);
^~~~~~~~~~
emulator/btdev.c:1487:13: warning: Access to field 'dev' results in a dereference of a null pointer (loaded from variable 'conn')
send_event(conn->dev, BT_HCI_EVT_AUTH_COMPLETE, &ev, sizeof(ev));
^~~~~~~~~
3 warnings generated.



---
Regards,
Linux Bluetooth