[PATCH BlueZ 0/7] Fix bugs found by SVACE static analisys tool

[PATCH BlueZ 0/7] Fix bugs found by SVACE static analisys tool

[Ildar Kamaletdinov]

This patch set includes few fixes that was found by Linux Verification Center
(linuxtesting.org) with the SVACE static analysis tool.

I have manually filtered out non-relevant and false positive problems and only
procedeed with bugs that currently lead to some errors/vulnerabilities or may
lead to them in some specific conditions. 

Ildar Kamaletdinov (7):
  monitor: Fix out-of-bound read in print_le_states
  tools: Fix buffer overflow in hciattach_tialt.c
  tools: Fix signed interger overflow in btsnoop.c
  tools: Prevent infinity loops in bluemoon.c
  tools: Limit width of fields in sscanf
  device: Limit width of fields in sscanf
  gatt: Fix double free and freed memory dereference

 monitor/packet.c        |  2 +-
 src/device.c            | 12 ++++++------
 src/gatt-database.c     |  4 ++++
 tools/bluemoon.c        | 13 +++++++++++++
 tools/btmgmt.c          |  2 +-
 tools/btsnoop.c         |  2 +-
 tools/hciattach_tialt.c |  3 ++-
 tools/hex2hcd.c         |  2 +-
 8 files changed, 29 insertions(+), 11 deletions(-)

-- 
2.34.0

[PATCH BlueZ 1/7] monitor: Fix out-of-bound read in print_le_states

[Ildar Kamaletdinov]

Accessing le_states_desc_table array with value 15 can cause
out-of-bound read because current size of array is 14.

Currently this cannot lead to any problems becase we do no have such
state in le_states_comb_table but this could be changed in future and
raise described problem.

Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool.
---
 monitor/packet.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/monitor/packet.c b/monitor/packet.c
index b7431b57d..c61d6bd4b 100644
--- a/monitor/packet.c
+++ b/monitor/packet.c
@@ -2833,7 +2833,7 @@ static void print_le_states(const uint8_t *states_array)
 		if (!(states & val))
 			continue;
 
-		for (n = 0; n < 16; n++) {
+		for (n = 0; n < ARRAY_SIZE(le_states_desc_table); n++) {
 			if (le_states_comb_table[i].states & (1 << n))
 				str[num++] = le_states_desc_table[n].str;
 		}
-- 
2.34.0

[PATCH BlueZ 2/7] tools: Fix buffer overflow in hciattach_tialt.c

[Ildar Kamaletdinov]

Array 'c_brf_chip' of size 8 could be accessed by index > 7. We should
limit array access like in previous check at line 221.

Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool.
---
 tools/hciattach_tialt.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tools/hciattach_tialt.c b/tools/hciattach_tialt.c
index 520b383a1..4f7fd42a3 100644
--- a/tools/hciattach_tialt.c
+++ b/tools/hciattach_tialt.c
@@ -221,7 +221,8 @@ int texasalt_init(int fd, int speed, struct termios *ti)
 				((brf_chip > 7) ? "unknown" : c_brf_chip[brf_chip]),
 				brf_chip);
 
-		sprintf(fw, "/etc/firmware/%s.bin", c_brf_chip[brf_chip]);
+		sprintf(fw, "/etc/firmware/%s.bin",
+			(brf_chip > 7) ? "unknown" : c_brf_chip[brf_chip]);
 		texas_load_firmware(fd, fw);
 
 		texas_change_speed(fd, speed);
-- 
2.34.0

[PATCH BlueZ 3/7] tools: Fix signed interger overflow in btsnoop.c

[Ildar Kamaletdinov]

If malformed packet is proceed with zero 'size' field we will face with
wrong behaviour of write() call. Value 'toread - 1' gives wrong sign
for value 'written' (-1) in write() call. To prevent this we should
check that 'toread' is not equal to zero.

Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool.
---
 tools/btsnoop.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/btsnoop.c b/tools/btsnoop.c
index 738027dfc..a0d6cf356 100644
--- a/tools/btsnoop.c
+++ b/tools/btsnoop.c
@@ -193,7 +193,7 @@ next_packet:
 	flags = be32toh(input_pkt[select_input].flags);
 
 	len = read(input_fd[select_input], buf, toread);
-	if (len < 0 || len != (ssize_t) toread) {
+	if (toread == 0 || len < 0 || len != (ssize_t) toread) {
 		close(input_fd[select_input]);
 		input_fd[select_input] = -1;
 		goto next_packet;
-- 
2.34.0

[PATCH BlueZ 4/7] tools: Prevent infinity loops in bluemoon.c

[Ildar Kamaletdinov]

In case FW size is too big we can face with infinity while() loops.
According to C99 standart SIZE_MAX could be as small as 65535.

So to prevent overflow of 'firmware_offset' we must limit maximum FW
size that could be processed by bluemoon.

Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool.
---
 tools/bluemoon.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/tools/bluemoon.c b/tools/bluemoon.c
index f50107a2a..729da36f6 100644
--- a/tools/bluemoon.c
+++ b/tools/bluemoon.c
@@ -492,6 +492,13 @@ static void request_firmware(const char *path)
 		return;
 	}
 
+	if (st.st_size > (SIZE_MAX - 4)) {
+		fprintf(stderr, "Firmware size is too big\n");
+		close(fd);
+		shutdown_device();
+		return;
+	}
+
 	firmware_data = malloc(st.st_size);
 	if (!firmware_data) {
 		fprintf(stderr, "Failed to allocate firmware buffer\n");
@@ -874,6 +881,12 @@ static void analyze_firmware(const char *path)
 		return;
 	}
 
+	if (st.st_size > (SIZE_MAX - 3)) {
+		fprintf(stderr, "Firmware size is too big\n");
+		close(fd);
+		return;
+	}
+
 	firmware_data = malloc(st.st_size);
 	if (!firmware_data) {
 		fprintf(stderr, "Failed to allocate firmware buffer\n");
-- 
2.34.0

[PATCH BlueZ 5/7] tools: Limit width of fields in sscanf

[Ildar Kamaletdinov]

In tools/btmgmt.c and tools/hex2hcd.c few sscanf does not limit width
of fields. This could lead to static overflow and stack corruption.

Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool.
---
 tools/btmgmt.c  | 2 +-
 tools/hex2hcd.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/tools/btmgmt.c b/tools/btmgmt.c
index 42ef9acef..8f63f12ba 100644
--- a/tools/btmgmt.c
+++ b/tools/btmgmt.c
@@ -5164,7 +5164,7 @@ static bool str2pattern(struct mgmt_adv_pattern *pattern, const char *str)
 	char pattern_str[62] = { 0 };
 	char tmp;
 
-	if (sscanf(str, "%2hhx%n:%2hhx%n:%s", &pattern->ad_type, &type_len,
+	if (sscanf(str, "%2hhx%n:%2hhx%n:%61s", &pattern->ad_type, &type_len,
 			&pattern->offset, &offset_end_pos, pattern_str) != 3)
 		return false;
 
diff --git a/tools/hex2hcd.c b/tools/hex2hcd.c
index 674d62744..e6dca5a81 100644
--- a/tools/hex2hcd.c
+++ b/tools/hex2hcd.c
@@ -248,7 +248,7 @@ static void ver_parse_file(const char *pathname)
 
 	memset(ver, 0, sizeof(*ver));
 
-	if (sscanf(pathname, "%[A-Z0-9]_%3c.%3c.%3c.%4c.%4c.hex",
+	if (sscanf(pathname, "%19[A-Z0-9]_%3c.%3c.%3c.%4c.%4c.hex",
 					ver->name, ver->major, ver->minor,
 					ver->build, dummy1, dummy2) != 6) {
 		printf("\t/* failed to parse %s */\n", pathname);
-- 
2.34.0

[PATCH BlueZ 6/7] device: Limit width of fields in sscanf

[Ildar Kamaletdinov]

In src/device.c few sscanf does not limit width of uuid field. This
could lead to static overflow and stack corruption.

Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool.
---
 src/device.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/device.c b/src/device.c
index 381faf91c..9077f07f7 100644
--- a/src/device.c
+++ b/src/device.c
@@ -3790,8 +3790,8 @@ static int load_desc(char *handle, char *value,
 		return -EIO;
 
 	/* Check if there is any value stored, otherwise it is just the UUID */
-	if (sscanf(value, "%04hx:%s", &val, uuid_str) != 2) {
-		if (sscanf(value, "%s", uuid_str) != 1)
+	if (sscanf(value, "%04hx:%36s", &val, uuid_str) != 2) {
+		if (sscanf(value, "%36s", uuid_str) != 1)
 			return -EIO;
 		val = 0;
 	}
@@ -3840,9 +3840,9 @@ static int load_chrc(char *handle, char *value,
 		return -EIO;
 
 	/* Check if there is any value stored */
-	if (sscanf(value, GATT_CHARAC_UUID_STR ":%04hx:%02hx:%32s:%s",
+	if (sscanf(value, GATT_CHARAC_UUID_STR ":%04hx:%02hx:%32s:%36s",
 			&value_handle, &properties, val_str, uuid_str) != 4) {
-		if (sscanf(value, GATT_CHARAC_UUID_STR ":%04hx:%02hx:%s",
+		if (sscanf(value, GATT_CHARAC_UUID_STR ":%04hx:%02hx:%36s",
 				&value_handle, &properties, uuid_str) != 3)
 			return -EIO;
 		val_len = 0;
@@ -3884,7 +3884,7 @@ static int load_incl(struct gatt_db *db, char *handle, char *value,
 	if (sscanf(handle, "%04hx", &start) != 1)
 		return -EIO;
 
-	if (sscanf(value, GATT_INCLUDE_UUID_STR ":%04hx:%04hx:%s", &start, &end,
+	if (sscanf(value, GATT_INCLUDE_UUID_STR ":%04hx:%04hx:%36s", &start, &end,
 								uuid_str) != 3)
 		return -EIO;
 
@@ -3918,7 +3918,7 @@ static int load_service(struct gatt_db *db, char *handle, char *value)
 	if (sscanf(handle, "%04hx", &start) != 1)
 		return -EIO;
 
-	if (sscanf(value, "%[^:]:%04hx:%s", type, &end, uuid_str) != 3)
+	if (sscanf(value, "%[^:]:%04hx:%36s", type, &end, uuid_str) != 3)
 		return -EIO;
 
 	if (g_str_equal(type, GATT_PRIM_SVC_UUID_STR))
-- 
2.34.0

[PATCH BlueZ 7/7] gatt: Fix double free and freed memory dereference

[Ildar Kamaletdinov]

In condition where device no longer exist or not paired when sending
notification it is possible to to occure double free and dereference of
already freed memory.

To avoid this we need to recheck the state of device after sending
notification.

Found by Linux Verification Center (linuxtesting.org) with the SVACE
static analysis tool.
---
 src/gatt-database.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/gatt-database.c b/src/gatt-database.c
index d6c94058c..d32f616a9 100644
--- a/src/gatt-database.c
+++ b/src/gatt-database.c
@@ -3877,6 +3877,10 @@ void btd_gatt_database_server_connected(struct btd_gatt_database *database,
 
 	send_notification_to_device(state, state->pending);
 
+	state = find_device_state(database, &bdaddr, bdaddr_type);
+	if (!state || !state->pending)
+		return;
+
 	free(state->pending->value);
 	free(state->pending);
 	state->pending = NULL;
-- 
2.34.0

RE: Fix bugs found by SVACE static analisys tool

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 7356 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=628109

---Test result---

Test Summary:
CheckPatch                    FAIL      9.98 seconds
GitLint                       PASS      6.96 seconds
Prep - Setup ELL              PASS      42.33 seconds
Build - Prep                  PASS      0.68 seconds
Build - Configure             PASS      8.45 seconds
Build - Make                  FAIL      36.46 seconds
Make Check                    FAIL      10.48 seconds
Make Check w/Valgrind         FAIL      35.64 seconds
Make Distcheck                PASS      223.16 seconds
Build w/ext ELL - Configure   PASS      8.57 seconds
Build w/ext ELL - Make        FAIL      36.93 seconds
Incremental Build with patchesFAIL      46.08 seconds

Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script with rule in .checkpatch.conf
Output:
[BlueZ,3/7] tools: Fix signed interger overflow in btsnoop.c
WARNING:TYPO_SPELLING: 'interger' may be misspelled - perhaps 'integer'?
#35: 
Subject: [PATCH BlueZ 3/7] tools: Fix signed interger overflow in btsnoop.c
                                             ^^^^^^^^

/github/workspace/src/12797974.patch total: 0 errors, 1 warnings, 8 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

/github/workspace/src/12797974.patch has style problems, please review.

NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.

[BlueZ,4/7] tools: Prevent infinity loops in bluemoon.c
WARNING:TYPO_SPELLING: 'standart' may be misspelled - perhaps 'standard'?
#50: 
According to C99 standart SIZE_MAX could be as small as 65535.
                 ^^^^^^^^

/github/workspace/src/12797975.patch total: 0 errors, 1 warnings, 25 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

/github/workspace/src/12797975.patch has style problems, please review.

NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.

[BlueZ,6/7] device: Limit width of fields in sscanf
WARNING:LONG_LINE: line length of 82 exceeds 80 columns
#90: FILE: src/device.c:3887:
+	if (sscanf(value, GATT_INCLUDE_UUID_STR ":%04hx:%04hx:%36s", &start, &end,

/github/workspace/src/12797978.patch total: 0 errors, 1 warnings, 37 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

/github/workspace/src/12797978.patch has style problems, please review.

NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.

[BlueZ,7/7] gatt: Fix double free and freed memory dereference
WARNING:TYPO_SPELLING: 'occure' may be misspelled - perhaps 'occurred'?
#50: 
notification it is possible to to occure double free and dereference of
                                  ^^^^^^

WARNING:REPEATED_WORD: Possible repeated word: 'to'
#50: 
notification it is possible to to occure double free and dereference of

/github/workspace/src/12797968.patch total: 0 errors, 2 warnings, 10 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

/github/workspace/src/12797968.patch has style problems, please review.

NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.


##############################
Test: Build - Make - FAIL
Desc: Build the BlueZ source tree
Output:
monitor/packet.c: In function ‘print_le_states’:
monitor/packet.c:2836:17: error: comparison of integer expressions of different signedness: ‘int’ and ‘long unsigned int’ [-Werror=sign-compare]
 2836 |   for (n = 0; n < ARRAY_SIZE(le_states_desc_table); n++) {
      |                 ^
cc1: all warnings being treated as errors
make[1]: *** [Makefile:7277: monitor/packet.o] Error 1
make: *** [Makefile:4310: all] Error 2


##############################
Test: Make Check - FAIL
Desc: Run 'make check'
Output:
monitor/packet.c: In function ‘print_le_states’:
monitor/packet.c:2836:17: error: comparison of integer expressions of different signedness: ‘int’ and ‘long unsigned int’ [-Werror=sign-compare]
 2836 |   for (n = 0; n < ARRAY_SIZE(le_states_desc_table); n++) {
      |                 ^
cc1: all warnings being treated as errors
make[1]: *** [Makefile:7277: monitor/packet.o] Error 1
make: *** [Makefile:11283: check] Error 2


##############################
Test: Make Check w/Valgrind - FAIL
Desc: Run 'make check' with Valgrind
Output:
monitor/packet.c: In function ‘print_le_states’:
monitor/packet.c:2836:17: error: comparison of integer expressions of different signedness: ‘int’ and ‘long unsigned int’ [-Werror=sign-compare]
 2836 |   for (n = 0; n < ARRAY_SIZE(le_states_desc_table); n++) {
      |                 ^
cc1: all warnings being treated as errors
make[1]: *** [Makefile:7277: monitor/packet.o] Error 1
make: *** [Makefile:4310: all] Error 2


##############################
Test: Build w/ext ELL - Make - FAIL
Desc: Build BlueZ source with '--enable-external-ell' configuration
Output:
monitor/packet.c: In function ‘print_le_states’:
monitor/packet.c:2836:17: error: comparison of integer expressions of different signedness: ‘int’ and ‘long unsigned int’ [-Werror=sign-compare]
 2836 |   for (n = 0; n < ARRAY_SIZE(le_states_desc_table); n++) {
      |                 ^
cc1: all warnings being treated as errors
make[1]: *** [Makefile:7277: monitor/packet.o] Error 1
make: *** [Makefile:4310: all] Error 2


##############################
Test: Incremental Build with patches - FAIL
Desc: Incremental build per patch in the series
Output:
monitor/packet.c: In function ‘print_le_states’:
monitor/packet.c:2836:17: error: comparison of integer expressions of different signedness: ‘int’ and ‘long unsigned int’ [-Werror=sign-compare]
 2836 |   for (n = 0; n < ARRAY_SIZE(le_states_desc_table); n++) {
      |                 ^
cc1: all warnings being treated as errors
make[1]: *** [Makefile:7277: monitor/packet.o] Error 1
make: *** [Makefile:4310: all] Error 2




---
Regards,
Linux Bluetooth

RE: Fix bugs found by SVACE static analisys tool

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 998 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=628188

---Test result---

Test Summary:
CheckPatch                    PASS      8.20 seconds
GitLint                       PASS      5.62 seconds
Prep - Setup ELL              PASS      39.64 seconds
Build - Prep                  PASS      0.69 seconds
Build - Configure             PASS      7.87 seconds
Build - Make                  PASS      1330.57 seconds
Make Check                    PASS      11.64 seconds
Make Check w/Valgrind         PASS      404.30 seconds
Make Distcheck                PASS      209.94 seconds
Build w/ext ELL - Configure   PASS      7.88 seconds
Build w/ext ELL - Make        PASS      1278.53 seconds
Incremental Build with patchesPASS      8064.66 seconds



---
Regards,
Linux Bluetooth

RE: Fix bugs found by SVACE static analisys tool

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 5273 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=628169

---Test result---

Test Summary:
CheckPatch                    PASS      9.84 seconds
GitLint                       PASS      6.66 seconds
Prep - Setup ELL              PASS      43.31 seconds
Build - Prep                  PASS      0.69 seconds
Build - Configure             PASS      8.81 seconds
Build - Make                  FAIL      79.44 seconds
Make Check                    FAIL      1.17 seconds
Make Check w/Valgrind         FAIL      65.80 seconds
Make Distcheck                PASS      231.36 seconds
Build w/ext ELL - Configure   PASS      8.78 seconds
Build w/ext ELL - Make        FAIL      79.82 seconds
Incremental Build with patchesFAIL      4376.50 seconds

Details
##############################
Test: Build - Make - FAIL
Desc: Build the BlueZ source tree
Output:
tools/bluemoon.c: In function ‘request_firmware’:
tools/bluemoon.c:495:17: error: comparison of integer expressions of different signedness: ‘__off_t’ {aka ‘long int’} and ‘long unsigned int’ [-Werror=sign-compare]
  495 |  if (st.st_size > (SIZE_MAX - 4)) {
      |                 ^
tools/bluemoon.c: In function ‘analyze_firmware’:
tools/bluemoon.c:884:17: error: comparison of integer expressions of different signedness: ‘__off_t’ {aka ‘long int’} and ‘long unsigned int’ [-Werror=sign-compare]
  884 |  if (st.st_size > (SIZE_MAX - 3)) {
      |                 ^
cc1: all warnings being treated as errors
make[1]: *** [Makefile:7277: tools/bluemoon.o] Error 1
make: *** [Makefile:4310: all] Error 2


##############################
Test: Make Check - FAIL
Desc: Run 'make check'
Output:
tools/bluemoon.c: In function ‘request_firmware’:
tools/bluemoon.c:495:17: error: comparison of integer expressions of different signedness: ‘__off_t’ {aka ‘long int’} and ‘long unsigned int’ [-Werror=sign-compare]
  495 |  if (st.st_size > (SIZE_MAX - 4)) {
      |                 ^
tools/bluemoon.c: In function ‘analyze_firmware’:
tools/bluemoon.c:884:17: error: comparison of integer expressions of different signedness: ‘__off_t’ {aka ‘long int’} and ‘long unsigned int’ [-Werror=sign-compare]
  884 |  if (st.st_size > (SIZE_MAX - 3)) {
      |                 ^
cc1: all warnings being treated as errors
make[1]: *** [Makefile:7277: tools/bluemoon.o] Error 1
make: *** [Makefile:11283: check] Error 2


##############################
Test: Make Check w/Valgrind - FAIL
Desc: Run 'make check' with Valgrind
Output:
tools/bluemoon.c: In function ‘request_firmware’:
tools/bluemoon.c:495:17: error: comparison of integer expressions of different signedness: ‘__off_t’ {aka ‘long int’} and ‘long unsigned int’ [-Werror=sign-compare]
  495 |  if (st.st_size > (SIZE_MAX - 4)) {
      |                 ^
tools/bluemoon.c: In function ‘analyze_firmware’:
tools/bluemoon.c:884:17: error: comparison of integer expressions of different signedness: ‘__off_t’ {aka ‘long int’} and ‘long unsigned int’ [-Werror=sign-compare]
  884 |  if (st.st_size > (SIZE_MAX - 3)) {
      |                 ^
cc1: all warnings being treated as errors
make[1]: *** [Makefile:7277: tools/bluemoon.o] Error 1
make: *** [Makefile:4310: all] Error 2


##############################
Test: Build w/ext ELL - Make - FAIL
Desc: Build BlueZ source with '--enable-external-ell' configuration
Output:
tools/bluemoon.c: In function ‘request_firmware’:
tools/bluemoon.c:495:17: error: comparison of integer expressions of different signedness: ‘__off_t’ {aka ‘long int’} and ‘long unsigned int’ [-Werror=sign-compare]
  495 |  if (st.st_size > (SIZE_MAX - 4)) {
      |                 ^
tools/bluemoon.c: In function ‘analyze_firmware’:
tools/bluemoon.c:884:17: error: comparison of integer expressions of different signedness: ‘__off_t’ {aka ‘long int’} and ‘long unsigned int’ [-Werror=sign-compare]
  884 |  if (st.st_size > (SIZE_MAX - 3)) {
      |                 ^
cc1: all warnings being treated as errors
make[1]: *** [Makefile:7277: tools/bluemoon.o] Error 1
make: *** [Makefile:4310: all] Error 2


##############################
Test: Incremental Build with patches - FAIL
Desc: Incremental build per patch in the series
Output:
tools/bluemoon.c: In function ‘request_firmware’:
tools/bluemoon.c:495:17: error: comparison of integer expressions of different signedness: ‘__off_t’ {aka ‘long int’} and ‘long unsigned int’ [-Werror=sign-compare]
  495 |  if (st.st_size > (SIZE_MAX - 4)) {
      |                 ^
tools/bluemoon.c: In function ‘analyze_firmware’:
tools/bluemoon.c:884:17: error: comparison of integer expressions of different signedness: ‘__off_t’ {aka ‘long int’} and ‘long unsigned int’ [-Werror=sign-compare]
  884 |  if (st.st_size > (SIZE_MAX - 3)) {
      |                 ^
cc1: all warnings being treated as errors
make[1]: *** [Makefile:7277: tools/bluemoon.o] Error 1
make: *** [Makefile:4310: all] Error 2




---
Regards,
Linux Bluetooth