[Coverity CID :218729] Out-of-bounds access in subsys/bluetooth/host/gatt.c

[zephyrbot]

Static code scan issues found in file:

https:/zephyrproject-rtos/zephyr/tree/fe7c2efca800a0cf1bccf23aefe08b3c4beb88bf/subsys/bluetooth/host/gatt.c#L2177

Category: Memory - corruptions
Function: bt_gatt_notify_cb
Component: Bluetooth
CID: 218729

Details:

2171             if (!gatt_find_by_uuid(&data, params->uuid)) {
2172                 return -ENOENT;
2173             }
2174         }
2175    
2176         /* Check if attribute is a characteristic then adjust the handle */
>>>     CID 218729:  Memory - corruptions  (OVERRUN)
>>>     Overrunning array "struct bt_uuid_16 [1]({{.uuid = {BT_UUID_TYPE_16}, .val = 10243}})" of 4 bytes by passing it to a function which accesses it at byte offset 16.
2177         if (!bt_uuid_cmp(data.attr->uuid, BT_UUID_GATT_CHRC)) {
2178             struct bt_gatt_chrc *chrc = data.attr->user_data;
2179    
2180             if (!(chrc->properties & BT_GATT_CHRC_NOTIFY)) {
2181                 return -EINVAL;
2182             }

Please fix or provide comments in coverity using the link:

https://scan9.coverity.com/reports.htm#v32951/p12996.

Note: This issue was created automatically. Priority was set based on classification
of the file affected and the impact field in coverity. Assignees were set using the CODEOWNERS file.

[joerchan]

Passing bt_uuid_16 with type BT_UUID_TYPE_16 will not take case branch BT_UUID_TYPE_128 in uuid_to_uuid128