From d17a42105afd7e5e2ab65ccecc9195cbf9d313ea Mon Sep 17 00:00:00 2001
From: Sven Gothel <sgothel@jausoft.com>
Date: Sat, 17 Oct 2020 15:41:36 +0200
Subject: HCIHandler (UBSAN): Replace 'nasty' cast to
 'HCIStructCmdCompleteMetaEvt<T> *' with wrapper
 'HCIStructCmdCompleteMetaEvtWrap<T>' ctor

Assume T is any 'hci_cmd_event_struct' template type.

We had

[1]  HCIStructCmdCompleteMetaEvt<T> * ev_cc = (HCIStructCmdCompleteMetaEvt<T> *) orig_ptr;

now use simple (actual) wrapper (as was intended)

[2]  HCIStructCmdCompleteMetaEvtWrap<T> ev_cc(*orig_ptr);

++++

[1] is a potential violation of virtual function pointer table,
as HCIStructCmdCompleteMetaEvt<T> might not have indentical heritage as
the type 'orig_ptr' points to.

The intention was to just access the orig_ptr data to deliver
certain aspects in regards to any 'hci_cmd_event_struct' -> a wrapper.

[2] Resolves the issue, using a temporary instance of the wrapper.

This inconsistency was found with 'UndefinedBehaviorSanitizer' UBSAN,
using GCC '-fsanitize=undefined' option.
---
 src/direct_bt/HCIHandler.cpp | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

(limited to 'src')

diff --git a/src/direct_bt/HCIHandler.cpp b/src/direct_bt/HCIHandler.cpp
index e0b9590b..b4afc008 100644
--- a/src/direct_bt/HCIHandler.cpp
+++ b/src/direct_bt/HCIHandler.cpp
@@ -962,16 +962,16 @@ const hci_cmd_event_struct* HCIHandler::getReplyStruct(std::shared_ptr<HCIEvent>
     const hci_cmd_event_struct* res = nullptr;
     *status = HCIStatusCode::INTERNAL_FAILURE;
 
-    typedef HCIStructCmdCompleteEvt<hci_cmd_event_struct> HCITypeCmdCompleteEvt;
-    HCITypeCmdCompleteEvt * ev_cc = static_cast<HCITypeCmdCompleteEvt*>(event.get());
-    if( ev_cc->isTypeAndSizeValid(evc) ) {
-        *status = ev_cc->getStatus();
-        res = ev_cc->getStruct();
+    typedef HCIStructCmdCompleteEvtWrap<hci_cmd_event_struct> HCITypeCmdCompleteEvtWrap;
+    HCITypeCmdCompleteEvtWrap ev_cc( *event.get() );
+    if( ev_cc.isTypeAndSizeValid(evc) ) {
+        *status = ev_cc.getStatus();
+        res = ev_cc.getStruct();
     } else {
         WARN_PRINT("HCIHandler::getReplyStruct: %s: Type or size mismatch: Status 0x%2.2X (%s), errno %d %s: res %s",
                 getHCIEventTypeString(evc).c_str(),
                 number(*status), getHCIStatusCodeString(*status).c_str(), errno, strerror(errno),
-                ev_cc->toString().c_str());
+                ev_cc.toString().c_str());
     }
     return res;
 }
@@ -982,16 +982,16 @@ const hci_cmd_event_struct* HCIHandler::getMetaReplyStruct(std::shared_ptr<HCIEv
     const hci_cmd_event_struct* res = nullptr;
     *status = HCIStatusCode::INTERNAL_FAILURE;
 
-    typedef HCIStructCmdCompleteMetaEvt<hci_cmd_event_struct> HCITypeCmdCompleteMetaEvt;
-    HCITypeCmdCompleteMetaEvt * ev_cc = static_cast<HCITypeCmdCompleteMetaEvt*>(event.get());
-    if( ev_cc->isTypeAndSizeValid(mec) ) {
-        *status = ev_cc->getStatus();
-        res = ev_cc->getStruct();
+    typedef HCIStructCmdCompleteMetaEvtWrap<hci_cmd_event_struct> HCITypeCmdCompleteMetaEvtWrap;
+    HCITypeCmdCompleteMetaEvtWrap ev_cc( *static_cast<HCIMetaEvent*>( event.get() ) );
+    if( ev_cc.isTypeAndSizeValid(mec) ) {
+        *status = ev_cc.getStatus();
+        res = ev_cc.getStruct();
     } else {
         WARN_PRINT("HCIHandler::getMetaReplyStruct: %s: Type or size mismatch: Status 0x%2.2X (%s), errno %d %s: res %s",
                   getHCIMetaEventTypeString(mec).c_str(),
                   number(*status), getHCIStatusCodeString(*status).c_str(), errno, strerror(errno),
-                  ev_cc->toString().c_str());
+                  ev_cc.toString().c_str());
     }
     return res;
 }
-- 
cgit v1.2.3