[Coverity CID :218744] Out-of-bounds access in subsys/bluetooth/host/gatt.c

[zephyrbot]

Static code scan issues found in file:

https://github.com/zephyrproject-rtos/zephyr/tree/fe7c2efca800a0cf1bccf23aefe08b3c4beb88bf/subsys/bluetooth/host/gatt.c#L1386

Category: Memory - corruptions
Function: bt_gatt_attr_value_handle
Component: Bluetooth
CID: 218744

Details:

1380     } __packed;
1381    
1382     uint16_t bt_gatt_attr_value_handle(const struct bt_gatt_attr *attr)
1383     {
1384         uint16_t handle = 0;
1385    
>>>     CID 218744:  Memory - corruptions  (OVERRUN)
>>>     Overrunning array "struct bt_uuid_16 [1]({{.uuid = {BT_UUID_TYPE_16}, .val = 10243}})" of 4 bytes by passing it to a function which accesses it at byte offset 16.
1386         if (attr != NULL && bt_uuid_cmp(attr->uuid, BT_UUID_GATT_CHRC) == 0) {
1387             struct bt_gatt_chrc *chrc = attr->user_data;
1388    
1389             handle = chrc->value_handle;
1390             if (handle == 0) {
1391                 /* Fall back to Zephyr value handle policy */

Please fix or provide comments in coverity using the link:

https://scan9.coverity.com/reports.htm#v32951/p12996.

Note: This issue was created automatically. Priority was set based on classification
of the file affected and the impact field in coverity. Assignees were set using the CODEOWNERS file.

[joerchan]

Passing bt_uuid_16 with type BT_UUID_TYPE_16 will not take case branch BT_UUID_TYPE_128 in uuid_to_uuid128