4.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 20 Oct 2023 16:52:21 +0000 (18:52 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 20 Oct 2023 16:52:21 +0000 (18:52 +0200)
added patches:
bluetooth-avoid-memcmp-out-of-bounds-warning.patch
bluetooth-hci_event-fix-coding-style.patch

queue-4.19/bluetooth-avoid-memcmp-out-of-bounds-warning.patch [new file with mode: 0644]
queue-4.19/bluetooth-hci_event-fix-coding-style.patch [new file with mode: 0644]
queue-4.19/series

diff --git a/queue-4.19/bluetooth-avoid-memcmp-out-of-bounds-warning.patch b/queue-4.19/bluetooth-avoid-memcmp-out-of-bounds-warning.patch
new file mode 100644 (file)
index 0000000..910929f
--- /dev/null
@@ -0,0 +1,52 @@
+From 9d1a3c74746428102d55371fbf74b484733937d9 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 9 Oct 2023 22:31:31 +0200
+Subject: Bluetooth: avoid memcmp() out of bounds warning
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 9d1a3c74746428102d55371fbf74b484733937d9 upstream.
+
+bacmp() is a wrapper around memcpy(), which contain compile-time
+checks for buffer overflow. Since the hci_conn_request_evt() also calls
+bt_dev_dbg() with an implicit NULL pointer check, the compiler is now
+aware of a case where 'hdev' is NULL and treats this as meaning that
+zero bytes are available:
+
+In file included from net/bluetooth/hci_event.c:32:
+In function 'bacmp',
+    inlined from 'hci_conn_request_evt' at net/bluetooth/hci_event.c:3276:7:
+include/net/bluetooth/bluetooth.h:364:16: error: 'memcmp' specified bound 6 exceeds source size 0 [-Werror=stringop-overread]
+  364 |         return memcmp(ba1, ba2, sizeof(bdaddr_t));
+      |                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Add another NULL pointer check before the bacmp() to ensure the compiler
+understands the code flow enough to not warn about it.  Since the patch
+that introduced the warning is marked for stable backports, this one
+should also go that way to avoid introducing build regressions.
+
+Fixes: 1ffc6f8cc332 ("Bluetooth: Reject connection with the device which has same BD_ADDR")
+Cc: Kees Cook <keescook@chromium.org>
+Cc: "Lee, Chun-Yi" <jlee@suse.com>
+Cc: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Cc: Marcel Holtmann <marcel@holtmann.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/hci_event.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -2513,7 +2513,7 @@ static void hci_conn_request_evt(struct
+       /* Reject incoming connection from device with same BD ADDR against
+        * CVE-2020-26555
+        */
+-      if (!bacmp(&hdev->bdaddr, &ev->bdaddr)) {
++      if (hdev && !bacmp(&hdev->bdaddr, &ev->bdaddr)) {
+               bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n",
+                          &ev->bdaddr);
+               hci_reject_conn(hdev, &ev->bdaddr);
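Review bot: The `hdev &&` guard added to the CVE-2020-26555 same-BD_ADDR check in hci_conn_request_evt() has no comment saying it exists only to quiet -Wstringop-overread, so a later reader may treat it as a real runtime condition, or remove it as dead code and bring the build error back. If hdev could ever be NULL, the short-circuit would skip the reject branch and fall through rather than fail closed; the commit message implies this never happens, but nothing in the hunk shows it. I would extend the existing comment with a line such as `* The hdev test only lets the compiler bound bacmp(); hdev is not expected to be NULL here.` The function body starts and ends outside the hunk, so whether later code dereferences hdev unconditionally should be confirmed against the full file.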
diff --git a/queue-4.19/bluetooth-hci_event-fix-coding-style.patch b/queue-4.19/bluetooth-hci_event-fix-coding-style.patch
new file mode 100644 (file)
index 0000000..b39adbe
--- /dev/null
@@ -0,0 +1,34 @@
+From 35d91d95a0cd61ebb90e0246dc917fd25e519b8c Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Thu, 5 Oct 2023 14:12:19 -0700
+Subject: Bluetooth: hci_event: Fix coding style
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+commit 35d91d95a0cd61ebb90e0246dc917fd25e519b8c upstream.
+
+This fixes the following code style problem:
+
+ERROR: that open brace { should be on the previous line
++      if (!bacmp(&hdev->bdaddr, &ev->bdaddr))
++      {
+
+Fixes: 1ffc6f8cc332 ("Bluetooth: Reject connection with the device which has same BD_ADDR")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/hci_event.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -2513,8 +2513,7 @@ static void hci_conn_request_evt(struct
+       /* Reject incoming connection from device with same BD ADDR against
+        * CVE-2020-26555
+        */
+-      if (!bacmp(&hdev->bdaddr, &ev->bdaddr))
+-      {
++      if (!bacmp(&hdev->bdaddr, &ev->bdaddr)) {
+               bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n",
+                          &ev->bdaddr);
+               hci_reject_conn(hdev, &ev->bdaddr);
index ddd67dcd0a71b9b86208edb59fbd01de2de3669a..f37d0b6db95f67fae8e54c23c7966cbeb1d6543f 100644 (file)
@@ -47,3 +47,5 @@ bluetooth-hci_event-ignore-null-link-key.patch
 bluetooth-reject-connection-with-the-device-which-has-same-bd_addr.patch
 bluetooth-fix-a-refcnt-underflow-problem-for-hci_conn.patch
 bluetooth-vhci-fix-race-when-opening-vhci-device.patch
+bluetooth-hci_event-fix-coding-style.patch
+bluetooth-avoid-memcmp-out-of-bounds-warning.patch