Re: [PATCH v2] Bluetooth: Fix encryption key size handling for LTKs


Hi Marcel,

On Tue, Jun 09, 2015, Marcel Holtmann wrote:
> > --- a/net/bluetooth/hci_event.c
> > +++ b/net/bluetooth/hci_event.c
> > @@ -4955,7 +4955,8 @@ static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
> > 			goto not_found;
> > 	}
> > 
> > -	memcpy(cp.ltk, ltk->val, sizeof(ltk->val));
> > +	memcpy(cp.ltk, ltk->val, ltk->enc_size);
> > +	memset(cp.ltk + ltk->enc_size, 0, sizeof(cp.ltk) - ltk->enc_size);
> > 	cp.handle = cpu_to_le16(conn->handle);
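Review bot: the new memcpy/memset pair relies on ltk->enc_size never exceeding sizeof(cp.ltk), but nothing in this hunk checks that; if enc_size were larger than the field, `sizeof(cp.ltk) - ltk->enc_size` wraps to a huge size_t and the memset runs off the end of cp. A guard before the copy, e.g. `if (ltk->enc_size > sizeof(cp.ltk)) goto not_found;` (or an equivalent check where enc_size is first stored), would make the bound explicit. The other boundary, enc_size == sizeof(cp.ltk), gives memset a length of 0, which is well-defined and a no-op.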
> 
> you did test that a size of 16 - 16 = 0 is not causing memset to go
> bezerk and crash?

I'd say it's a severely broken memset implementation that would break
because of passing 0. At least all the pure C based ones I could find in
the kernel tree are correctly implemented in this regard. I did test
this in practice too but that only covers the arch that I use.

Johan
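The two boundaries discussed above, enc_size == 16 (a zero-length memset) and an enc_size larger than the field, worked through as an added C example that is not the kernel's code and not part of this thread; HCI_LTK_SIZE, ltk_copy_enc_size, ltk_check and demo_key are assumed names and a constructed key, and the bound check is added here rather than taken from the patch:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* HCI_LTK_SIZE is an assumed name for the 16-byte LTK field (cp.ltk). */
#define HCI_LTK_SIZE 16

/* Copies enc_size bytes of the stored key into a 16-byte LTK field and
 * zero-pads the remainder, as the patch does, but refuses sizes the hunk
 * does not check. enc_size == HCI_LTK_SIZE makes the memset length 0, a
 * well-defined no-op in C; enc_size > HCI_LTK_SIZE would wrap the length
 * and run memset off the end of dst. Returns 0 on success, -1 otherwise. */
int ltk_copy_enc_size(uint8_t dst[HCI_LTK_SIZE], const uint8_t *key,
                      size_t key_len, uint8_t enc_size)
{
    if (enc_size == 0 || enc_size > HCI_LTK_SIZE || enc_size > key_len)
        return -1;
    memcpy(dst, key, enc_size);
    memset(dst + enc_size, 0, HCI_LTK_SIZE - enc_size);
    return 0;
}

/* Constructed 16-byte key for the demonstration, not a real LTK. */
static const uint8_t demo_key[HCI_LTK_SIZE] = {
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
    0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10 };

/* Runs the copy on demo_key and checks the layout of the result:
 * 1 = first enc_size bytes match and the rest is zero,
 * 0 = enc_size was rejected, -1 = wrong padding (must not happen). */
int ltk_check(uint8_t enc_size)
{
    uint8_t out[HCI_LTK_SIZE];
    memset(out, 0xff, sizeof(out)); /* poison so missing padding shows up */
    if (ltk_copy_enc_size(out, demo_key, sizeof(demo_key), enc_size) != 0)
        return 0;
    if (memcmp(out, demo_key, enc_size) != 0)
        return -1;
    for (size_t i = enc_size; i < HCI_LTK_SIZE; i++)
        if (out[i] != 0)
            return -1;
    return 1;
}

int main(void)
{
    /* 7 = shortened key, 16 = full key (zero-length memset), 17 = too big */
    const uint8_t sizes[] = { 7, 16, 17 };
    for (size_t i = 0; i < sizeof(sizes); i++)
        printf("enc_size %2u -> %d\n", (unsigned)sizes[i], ltk_check(sizes[i]));
    return 0;
}
```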