On Mon, Apr 29, 2024 at 01:50:46PM -0600, Gustavo A. R. Silva wrote:
>
> > > diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h
> > > index fe23e862921d..c4c6b8810701 100644
> > > --- a/include/net/bluetooth/hci.h
> > > +++ b/include/net/bluetooth/hci.h
> > > @@ -2026,7 +2026,7 @@ struct hci_cp_le_set_ext_adv_data {
> > >  	__u8 operation;
> > >  	__u8 frag_pref;
> > >  	__u8 length;
> > > -	__u8 data[];
> > > +	__u8 data[] __counted_by(length);
> > >  } __packed;
> >
> > I noticed some of the other structs here aren't flexible arrays, so it
> > made me go take a look at these ones. I see that the only user of struct
> > hci_cp_le_set_ext_adv_data uses a fixed-size array:
> >
> > struct {
> > 	struct hci_cp_le_set_ext_adv_data cp;
> > 	u8 data[HCI_MAX_EXT_AD_LENGTH];
> > } pdu;
> >
> > Let's just change this from a flex array to a fixed-size array?
>
> mmh... not sure about this. It would basically mean reverting this commit:
>
> c9ed0a707730 ("Bluetooth: Fix Set Extended (Scan Response) Data")

That change doesn't seem to need to make them flex arrays, though -- there's
no savings at all (the same amount is stack allocated).

Anyway, not a big deal, I guess. It's an improvement to be using
__counted_by, so good! :)

Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx>

-- 
Kees Cook
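Review bot: the `__counted_by(length)` annotation on `data[]` in the hunk only yields a usable bound if `length` is stored before `data` is accessed; with the sole user embedding the struct as `cp` ahead of a separate `u8 data[HCI_MAX_EXT_AD_LENGTH]` in `pdu`, writes through `cp.data` deliberately spill into `pdu.data`, so the caller must assign `cp.length` before any memcpy into `cp.data`, or FORTIFY_SOURCE/UBSAN will treat the array as zero-length at that point. It would be worth confirming that ordering in the caller (and noting it in the commit message), since `length` is also the only thing limiting how far past `cp` a bounds-checked access may reach.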