From d558462fc8100bcd741ff6b68c570695a723343b Mon Sep 17 00:00:00 2001 From: Ivan Iushkov Date: Mon, 5 Feb 2024 16:30:36 +0100 Subject: [PATCH] [nrf fromtree] Bluetooth: fixing UBSAN warnings related to Codec Configuration During local testing with UBSAN enabled, warning was reported: bluetooth/host/iso.c:237:2: runtime error: null pointer passed as argument 2, which is declared to never be null It turned out that when datapath doesn't contain codec information, cc_len is 0 and cc is NULL In order to avoid UB, now we call memcpy only when cp->codec_config_len > 0 Signed-off-by: Ivan Iushkov (cherry picked from commit e8d090011b6fa9d7e37e05dd03eb457e801b2e97) Signed-off-by: Ivan Iushkov
---
 subsys/bluetooth/host/iso.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/subsys/bluetooth/host/iso.c b/subsys/bluetooth/host/iso.c
index 4d6366ead67..05b5cc2f613 100644
--- a/subsys/bluetooth/host/iso.c
+++ b/subsys/bluetooth/host/iso.c
@@ -233,9 +233,10 @@ static int hci_le_setup_iso_data_path(const struct bt_conn *iso, uint8_t dir,
 cp->codec_id.vs_codec_id = sys_cpu_to_le16(path->vid);
 sys_put_le24(path->delay, cp->controller_delay);
 cp->codec_config_len = path->cc_len;
- cc = net_buf_add(buf, cp->codec_config_len);
- memcpy(cc, path->cc, cp->codec_config_len);
-
+ cc = net_buf_add(buf, path->cc_len);
+ if (path->cc_len) {
+ memcpy(cc, path->cc, path->cc_len);
+ }
 err = bt_hci_cmd_send_sync(BT_HCI_OP_LE_SETUP_ISO_PATH, buf, &rsp);
 if (err) {
 return err;
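Review bot: The new `if (path->cc_len)` guard covers only the zero-length case; a path with a non-zero `cc_len` and a NULL `cc` still reaches `memcpy` and reads through a null pointer. The body of hci_le_setup_iso_data_path starts outside this hunk, so I cannot tell whether it or its callers already reject that combination. If not, I would reject it before the command buffer is allocated, e.g. `if (path->cc_len != 0 && path->cc == NULL) { return -EINVAL; }`, so the error path does not have to release `buf`. A short comment on the guard, such as `/* cc may be NULL when cc_len is 0; memcpy requires non-null pointers even for a zero length */`, would record why the check exists. The hunk also drops the blank line that separated the parameter fill from `err = bt_hci_cmd_send_sync(...)`; keeping it would preserve the original grouping.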