Commit 847703d9 authored by Johan Hedberg's avatar Johan Hedberg

Bluetooth: drivers/nble: Fix on_nble_gatts_read_evt() behavior



We need to reset len to 0 in case of failure to prevent the nRF
firmware from reading past the end of buffer. At the same time clean
up the code a bit.

Change-Id: I2ac9a86e0f7704ae55c9b2758e02dfadf650f549
Signed-off-by: default avatarJohan Hedberg <johan.hedberg@intel.com>
parent 81125feb
+7 −5
@@ -1180,18 +1180,19 @@ void on_nble_gatts_read_evt(const struct nble_gatt_rd_evt *ev)
	struct nble_gatts_rd_reply_params reply_data;
	const struct bt_gatt_attr *attr;
	/* TODO: Replace the following with net_buf */
	uint8_t data[NBLE_BUF_SIZE];
	int len = 0;

	reply_data.status = -EACCES;
	memset(data, 0, sizeof(data));
	uint8_t data[NBLE_BUF_SIZE] = { 0 };
	int len;

	attr = ev->attr;

	BT_DBG("attr %p", attr);

	memset(&reply_data, 0, sizeof(reply_data));

	if (attr->read) {
		len = attr->read(NULL, attr, data, sizeof(data), ev->offset);
	} else {
		len = BT_GATT_ERR(BT_ATT_ERR_NOT_SUPPORTED);
	}

	if (len >= 0) {
@@ -1199,6 +1200,7 @@ void on_nble_gatts_read_evt(const struct nble_gatt_rd_evt *ev)
		reply_data.offset = ev->offset;
	} else {
		reply_data.status = len;
		len = 0;
	}

	reply_data.conn_handle = ev->conn_handle;
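Review bot: The `len = 0;` added in the error branch covers only negative returns; a positive return from `attr->read()` larger than `sizeof(data)` would still be carried forward as the reply length, presumably leading to the same over-read the commit message describes. The callback's contract is not visible in this hunk, so this is a defensive check rather than a confirmed bug: before the `if (len >= 0)` test, add `if (len > (int)sizeof(data)) { len = BT_GATT_ERR(BT_ATT_ERR_UNLIKELY); }`. A short comment on the new line, such as `/* len becomes the reply payload length; never hand an error code to the firmware as a length */`, would record why the reset matters. The function body starts before and continues past the hunk, so how `len` and `data` reach the firmware is inferred from the commit message.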