Commit ac3dec52 authored by Théo Battrel's avatar Théo Battrel Committed by Stephanos Ioannidis

Bluetooth: Host: Check returned value by `LE_READ_BUFFER_SIZE`



`rp->le_max_num` was passed unchecked into `k_sem_init()`, this could
lead to the value being uninitialized and an unknown behavior.

To fix that issue, the `rp->le_max_num` value is checked the same way as
`bt_dev.le.acl_mtu` was already checked. The same thing has been done
for `rp->acl_max_num` and `rp->iso_max_num` in the
`read_buffer_size_v2_complete()` function.

Signed-off-by: default avatarThéo Battrel <theo.battrel@nordicsemi.no>
parent 5b9a2ef3
+20 −10
@@ -2602,11 +2602,14 @@ static void le_read_buffer_size_complete(struct net_buf *buf)
	LOG_DBG("status 0x%02x", rp->status);

#if defined(CONFIG_BT_CONN)
	bt_dev.le.acl_mtu = sys_le16_to_cpu(rp->le_max_len);
	if (!bt_dev.le.acl_mtu) {
	uint16_t acl_mtu = sys_le16_to_cpu(rp->le_max_len);

	if (!acl_mtu || !rp->le_max_num) {
		return;
	}

	bt_dev.le.acl_mtu = acl_mtu;

	LOG_DBG("ACL LE buffers: pkts %u mtu %u", rp->le_max_num, bt_dev.le.acl_mtu);

	k_sem_init(&bt_dev.le.acl_pkts, rp->le_max_num, rp->le_max_num);
@@ -2621,22 +2624,25 @@ static void read_buffer_size_v2_complete(struct net_buf *buf)
	LOG_DBG("status %u", rp->status);

#if defined(CONFIG_BT_CONN)
	bt_dev.le.acl_mtu = sys_le16_to_cpu(rp->acl_max_len);
	if (!bt_dev.le.acl_mtu) {
		return;
	}
	uint16_t acl_mtu = sys_le16_to_cpu(rp->acl_max_len);

	if (acl_mtu && rp->acl_max_num) {
		bt_dev.le.acl_mtu = acl_mtu;
		LOG_DBG("ACL LE buffers: pkts %u mtu %u", rp->acl_max_num, bt_dev.le.acl_mtu);

		k_sem_init(&bt_dev.le.acl_pkts, rp->acl_max_num, rp->acl_max_num);
	}
#endif /* CONFIG_BT_CONN */

	bt_dev.le.iso_mtu = sys_le16_to_cpu(rp->iso_max_len);
	if (!bt_dev.le.iso_mtu) {
	uint16_t iso_mtu = sys_le16_to_cpu(rp->iso_max_len);

	if (!iso_mtu || !rp->iso_max_num) {
		LOG_ERR("ISO buffer size not set");
		return;
	}

	bt_dev.le.iso_mtu = iso_mtu;

	LOG_DBG("ISO buffers: pkts %u mtu %u", rp->iso_max_num, bt_dev.le.iso_mtu);

	k_sem_init(&bt_dev.le.iso_pkts, rp->iso_max_num, rp->iso_max_num);
@@ -2910,6 +2916,7 @@ static int le_init_iso(void)
		if (err) {
			return err;
		}

		read_buffer_size_v2_complete(rsp);

		net_buf_unref(rsp);
@@ -2923,6 +2930,7 @@ static int le_init_iso(void)
		if (err) {
			return err;
		}

		le_read_buffer_size_complete(rsp);

		net_buf_unref(rsp);
@@ -2966,7 +2974,9 @@ static int le_init(void)
		if (err) {
			return err;
		}

		le_read_buffer_size_complete(rsp);

		net_buf_unref(rsp);
	}