Merge pull request #13785 from pan-/ble-fix-prep-write-queue-access

0xc0170 · web-flow · commit 27d10506e08f · 2020-10-20T11:10:11.000+01:00
BLE: Fix access to attcCb.onDeck and  attsCb.prepWriteQueue access
diff --git a/connectivity/FEATURE_BLE/libraries/cordio_stack/ble-host/sources/stack/att/attc_main.c b/connectivity/FEATURE_BLE/libraries/cordio_stack/ble-host/sources/stack/att/attc_main.c
@@ -591,9 +591,9 @@ static void attcConnCback(attCcb_t *pCcb, dmEvt_t *pDmEvt)
     }
 
     /* free any req on deck */
-    if (attcCb.onDeck[pCcb->connId].hdr.event != ATTC_MSG_API_NONE)
+    if (attcCb.onDeck[pCcb->connId - 1].hdr.event != ATTC_MSG_API_NONE)
     {
-      attcReqClear(pCcb->connId, &attcCb.onDeck[pCcb->connId], status);
+      attcReqClear(pCcb->connId, &attcCb.onDeck[pCcb->connId - 1], status);
     }
 
     for (i = 0; i < ATT_BEARER_MAX; i++)
@@ -672,7 +672,7 @@ void attcMsgCback(attcApiMsg_t *pMsg)
     /* verify no API request already waiting on deck, in progress, or no pending write command
        already for this handle */
     if (((pCcb->slot == ATT_BEARER_SLOT_ID) &&
-         (attcCb.onDeck[pCcb->connId].hdr.event != ATTC_MSG_API_NONE)) ||
+         (attcCb.onDeck[pCcb->connId - 1].hdr.event != ATTC_MSG_API_NONE)) ||
         (pCcb->outReq.hdr.event > ATTC_MSG_API_MTU)   ||
         ((pMsg->hdr.event == ATTC_MSG_API_WRITE_CMD)  &&
          attcPendWriteCmd(pCcb, pMsg->handle)))
@@ -686,7 +686,7 @@ void attcMsgCback(attcApiMsg_t *pMsg)
     if ((pCcb->slot == ATT_BEARER_SLOT_ID) && (pCcb->outReq.hdr.event == ATTC_MSG_API_MTU))
     {
       /* put request "on deck" for processing later */
-      attcCb.onDeck[pCcb->connId] = *pMsg;
+      attcCb.onDeck[pCcb->connId - 1] = *pMsg;
     }
     /* otherwise ready to send; set up request */
     else
@@ -706,9 +706,9 @@ void attcMsgCback(attcApiMsg_t *pMsg)
     }
     /* else free any req on deck */
     else if ((pCcb->slot == ATT_BEARER_SLOT_ID) &
-             (attcCb.onDeck[pCcb->connId].hdr.event != ATTC_MSG_API_NONE))
+             (attcCb.onDeck[pCcb->connId - 1].hdr.event != ATTC_MSG_API_NONE))
     {
-      attcReqClear(pCcb->connId, &attcCb.onDeck[pCcb->connId], ATT_ERR_CANCELLED);
+      attcReqClear(pCcb->connId, &attcCb.onDeck[pCcb->connId - 1], ATT_ERR_CANCELLED);
     }
   }
   /* else if timeout */
diff --git a/connectivity/FEATURE_BLE/libraries/cordio_stack/ble-host/sources/stack/att/attc_proc.c b/connectivity/FEATURE_BLE/libraries/cordio_stack/ble-host/sources/stack/att/attc_proc.c
@@ -410,13 +410,13 @@ void attcProcRsp(attcCcb_t *pCcb, uint16_t len, uint8_t *pPacket)
     }
     /* else if api is on deck */
     else if ((pCcb->slot == ATT_BEARER_SLOT_ID) &&
-             (attcCb.onDeck[pCcb->connId].hdr.event != ATTC_MSG_API_NONE))
+             (attcCb.onDeck[pCcb->connId - 1].hdr.event != ATTC_MSG_API_NONE))
     {
       /* set up and send request */
-      attcSetupReq(pCcb, &attcCb.onDeck[pCcb->connId]);
+      attcSetupReq(pCcb, &attcCb.onDeck[pCcb->connId - 1]);
 
       /* clear on deck */
-      attcCb.onDeck[pCcb->connId].hdr.event = ATTC_MSG_API_NONE;
+      attcCb.onDeck[pCcb->connId - 1].hdr.event = ATTC_MSG_API_NONE;
     }
   }
 }
diff --git a/connectivity/FEATURE_BLE/libraries/cordio_stack/ble-host/sources/stack/att/attc_sign.c b/connectivity/FEATURE_BLE/libraries/cordio_stack/ble-host/sources/stack/att/attc_sign.c
@@ -178,7 +178,7 @@ static void attcSignMsgCback(attcCcb_t *pCcb, attcSignMsg_t *pMsg)
     /* verify no API request already waiting on deck or in progress,
      * and no signed write already in progress
      */
-    if ((attcCb.onDeck[pCcb->connId].hdr.event != ATTC_MSG_API_NONE) ||
+    if ((attcCb.onDeck[pCcb->connId - 1].hdr.event != ATTC_MSG_API_NONE) ||
         (pCcb->outReq.hdr.event > ATTC_MSG_API_MTU) ||
         (attcSignCbByConnId((dmConnId_t) pMsg->hdr.param) != NULL))
     {
@@ -238,7 +238,7 @@ static void attcSignMsgCback(attcCcb_t *pCcb, attcSignMsg_t *pMsg)
           pCcb->pMainCcb->sccb[ATT_BEARER_SLOT_ID].control & ATT_CCB_STATUS_FLOW_DISABLED)
       {
         /* put request "on deck" for processing later */
-        attcCb.onDeck[pCcb->connId] = pCb->msg;
+        attcCb.onDeck[pCcb->connId - 1] = pCb->msg;
       }
       /* otherwise ready to send */
       else
diff --git a/connectivity/FEATURE_BLE/libraries/cordio_stack/ble-host/sources/stack/att/atts_main.c b/connectivity/FEATURE_BLE/libraries/cordio_stack/ble-host/sources/stack/att/atts_main.c
@@ -366,7 +366,7 @@ void attsClearPrepWrites(attsCcb_t *pCcb)
 {
   void *pBuf;
 
-  while ((pBuf = WsfQueueDeq(&attsCb.prepWriteQueue[pCcb->connId])) != NULL)
+  while ((pBuf = WsfQueueDeq(&attsCb.prepWriteQueue[pCcb->connId - 1])) != NULL)
   {
     WsfBufFree(pBuf);
   }
diff --git a/connectivity/FEATURE_BLE/libraries/cordio_stack/ble-host/sources/stack/att/atts_write.c b/connectivity/FEATURE_BLE/libraries/cordio_stack/ble-host/sources/stack/att/atts_write.c
@@ -265,7 +265,7 @@ void attsProcPrepWriteReq(attsCcb_t *pCcb, uint16_t len, uint8_t *pPacket)
     err = ATT_ERR_LENGTH;
   }
   /* verify prepare write queue limit not reached */
-  else if (WsfQueueCount(&attsCb.prepWriteQueue[pCcb->connId]) >= pAttCfg->numPrepWrites)
+  else if (WsfQueueCount(&attsCb.prepWriteQueue[pCcb->connId - 1]) >= pAttCfg->numPrepWrites)
   {
     err = ATT_ERR_QUEUE_FULL;
   }
@@ -288,7 +288,7 @@ void attsProcPrepWriteReq(attsCcb_t *pCcb, uint16_t len, uint8_t *pPacket)
     pPrep->handle = handle;
     pPrep->offset = offset;
     memcpy(pPrep->packet, pPacket, writeLen);
-    WsfQueueEnq(&attsCb.prepWriteQueue[pCcb->connId], pPrep);
+    WsfQueueEnq(&attsCb.prepWriteQueue[pCcb->connId - 1], pPrep);
 
     /* allocate response buffer */
     if ((pBuf = attMsgAlloc(L2C_PAYLOAD_START + ATT_PREP_WRITE_RSP_LEN + writeLen)) != NULL)
@@ -342,7 +342,7 @@ void attsProcExecWriteReq(attsCcb_t *pCcb, uint16_t len, uint8_t *pPacket)
   else if (*pPacket == ATT_EXEC_WRITE_ALL)
   {
     /* iterate over prepare write queue and verify offset and length */
-    for (pPrep = attsCb.prepWriteQueue[pCcb->connId].pHead; pPrep != NULL; pPrep = pPrep->pNext)
+    for (pPrep = attsCb.prepWriteQueue[pCcb->connId - 1].pHead; pPrep != NULL; pPrep = pPrep->pNext)
     {
       /* find attribute */
       if ((pAttr = attsFindByHandle(pPrep->handle, &pGroup)) != NULL)
@@ -371,7 +371,7 @@ void attsProcExecWriteReq(attsCcb_t *pCcb, uint16_t len, uint8_t *pPacket)
     if (err == ATT_SUCCESS)
     {
       /* for each buffer */
-      while ((pPrep = WsfQueueDeq(&attsCb.prepWriteQueue[pCcb->connId])) != NULL)
+      while ((pPrep = WsfQueueDeq(&attsCb.prepWriteQueue[pCcb->connId - 1])) != NULL)
       {
         /* write buffer */
         if ((err = attsExecPrepWrite(pCcb, pPrep)) != ATT_SUCCESS)

Original file line number	Diff line number	Diff line change
`@@ -591,9 +591,9 @@ static void attcConnCback(attCcb_t pCcb, dmEvt_t pDmEvt)`
`591`	`591`	`}`
`592`	`592`
`593`	`593`	`/* free any req on deck */`
`594`		`- if (attcCb.onDeck[pCcb->connId].hdr.event != ATTC_MSG_API_NONE)`
	`594`	`+ if (attcCb.onDeck[pCcb->connId - 1].hdr.event != ATTC_MSG_API_NONE)`
`595`	`595`	`{`
`596`		`- attcReqClear(pCcb->connId, &attcCb.onDeck[pCcb->connId], status);`
	`596`	`+ attcReqClear(pCcb->connId, &attcCb.onDeck[pCcb->connId - 1], status);`
`597`	`597`	`}`
`598`	`598`
`599`	`599`	`for (i = 0; i < ATT_BEARER_MAX; i++)`
`@@ -672,7 +672,7 @@ void attcMsgCback(attcApiMsg_t *pMsg)`
`672`	`672`	`/* verify no API request already waiting on deck, in progress, or no pending write command`
`673`	`673`	`already for this handle */`
`674`	`674`	`if (((pCcb->slot == ATT_BEARER_SLOT_ID) &&`
`675`		`- (attcCb.onDeck[pCcb->connId].hdr.event != ATTC_MSG_API_NONE)) \|\|`
	`675`	`+ (attcCb.onDeck[pCcb->connId - 1].hdr.event != ATTC_MSG_API_NONE)) \|\|`
`676`	`676`	`(pCcb->outReq.hdr.event > ATTC_MSG_API_MTU) \|\|`
`677`	`677`	`((pMsg->hdr.event == ATTC_MSG_API_WRITE_CMD) &&`
`678`	`678`	`attcPendWriteCmd(pCcb, pMsg->handle)))`
`@@ -686,7 +686,7 @@ void attcMsgCback(attcApiMsg_t *pMsg)`
`686`	`686`	`if ((pCcb->slot == ATT_BEARER_SLOT_ID) && (pCcb->outReq.hdr.event == ATTC_MSG_API_MTU))`
`687`	`687`	`{`
`688`	`688`	`/* put request "on deck" for processing later */`
`689`		`- attcCb.onDeck[pCcb->connId] = *pMsg;`
	`689`	`+ attcCb.onDeck[pCcb->connId - 1] = *pMsg;`
`690`	`690`	`}`
`691`	`691`	`/* otherwise ready to send; set up request */`
`692`	`692`	`else`
`@@ -706,9 +706,9 @@ void attcMsgCback(attcApiMsg_t *pMsg)`
`706`	`706`	`}`
`707`	`707`	`/* else free any req on deck */`
`708`	`708`	`else if ((pCcb->slot == ATT_BEARER_SLOT_ID) &`
`709`		`- (attcCb.onDeck[pCcb->connId].hdr.event != ATTC_MSG_API_NONE))`
	`709`	`+ (attcCb.onDeck[pCcb->connId - 1].hdr.event != ATTC_MSG_API_NONE))`
`710`	`710`	`{`
`711`		`- attcReqClear(pCcb->connId, &attcCb.onDeck[pCcb->connId], ATT_ERR_CANCELLED);`
	`711`	`+ attcReqClear(pCcb->connId, &attcCb.onDeck[pCcb->connId - 1], ATT_ERR_CANCELLED);`
`712`	`712`	`}`
`713`	`713`	`}`
`714`	`714`	`/* else if timeout */`
Original file line number	Diff line number	Diff line change
`@@ -410,13 +410,13 @@ void attcProcRsp(attcCcb_t pCcb, uint16_t len, uint8_t pPacket)`
`410`	`410`	`}`
`411`	`411`	`/* else if api is on deck */`
`412`	`412`	`else if ((pCcb->slot == ATT_BEARER_SLOT_ID) &&`
`413`		`- (attcCb.onDeck[pCcb->connId].hdr.event != ATTC_MSG_API_NONE))`
	`413`	`+ (attcCb.onDeck[pCcb->connId - 1].hdr.event != ATTC_MSG_API_NONE))`
`414`	`414`	`{`
`415`	`415`	`/* set up and send request */`
`416`		`- attcSetupReq(pCcb, &attcCb.onDeck[pCcb->connId]);`
	`416`	`+ attcSetupReq(pCcb, &attcCb.onDeck[pCcb->connId - 1]);`
`417`	`417`
`418`	`418`	`/* clear on deck */`
`419`		`- attcCb.onDeck[pCcb->connId].hdr.event = ATTC_MSG_API_NONE;`
	`419`	`+ attcCb.onDeck[pCcb->connId - 1].hdr.event = ATTC_MSG_API_NONE;`
`420`	`420`	`}`
`421`	`421`	`}`
`422`	`422`	`}`
Original file line number	Diff line number	Diff line change
`@@ -178,7 +178,7 @@ static void attcSignMsgCback(attcCcb_t pCcb, attcSignMsg_t pMsg)`
`178`	`178`	`/* verify no API request already waiting on deck or in progress,`
`179`	`179`	`* and no signed write already in progress`
`180`	`180`	`*/`
`181`		`- if ((attcCb.onDeck[pCcb->connId].hdr.event != ATTC_MSG_API_NONE) \|\|`
	`181`	`+ if ((attcCb.onDeck[pCcb->connId - 1].hdr.event != ATTC_MSG_API_NONE) \|\|`
`182`	`182`	`(pCcb->outReq.hdr.event > ATTC_MSG_API_MTU) \|\|`
`183`	`183`	`(attcSignCbByConnId((dmConnId_t) pMsg->hdr.param) != NULL))`
`184`	`184`	`{`
`@@ -238,7 +238,7 @@ static void attcSignMsgCback(attcCcb_t pCcb, attcSignMsg_t pMsg)`
`238`	`238`	`pCcb->pMainCcb->sccb[ATT_BEARER_SLOT_ID].control & ATT_CCB_STATUS_FLOW_DISABLED)`
`239`	`239`	`{`
`240`	`240`	`/* put request "on deck" for processing later */`
`241`		`- attcCb.onDeck[pCcb->connId] = pCb->msg;`
	`241`	`+ attcCb.onDeck[pCcb->connId - 1] = pCb->msg;`
`242`	`242`	`}`
`243`	`243`	`/* otherwise ready to send */`
`244`	`244`	`else`
Original file line number	Diff line number	Diff line change
`@@ -366,7 +366,7 @@ void attsClearPrepWrites(attsCcb_t *pCcb)`
`366`	`366`	`{`
`367`	`367`	`void *pBuf;`
`368`	`368`
`369`		`- while ((pBuf = WsfQueueDeq(&attsCb.prepWriteQueue[pCcb->connId])) != NULL)`
	`369`	`+ while ((pBuf = WsfQueueDeq(&attsCb.prepWriteQueue[pCcb->connId - 1])) != NULL)`
`370`	`370`	`{`
`371`	`371`	`WsfBufFree(pBuf);`
`372`	`372`	`}`
Original file line number	Diff line number	Diff line change
`@@ -265,7 +265,7 @@ void attsProcPrepWriteReq(attsCcb_t pCcb, uint16_t len, uint8_t pPacket)`
`265`	`265`	`err = ATT_ERR_LENGTH;`
`266`	`266`	`}`
`267`	`267`	`/* verify prepare write queue limit not reached */`
`268`		`- else if (WsfQueueCount(&attsCb.prepWriteQueue[pCcb->connId]) >= pAttCfg->numPrepWrites)`
	`268`	`+ else if (WsfQueueCount(&attsCb.prepWriteQueue[pCcb->connId - 1]) >= pAttCfg->numPrepWrites)`
`269`	`269`	`{`
`270`	`270`	`err = ATT_ERR_QUEUE_FULL;`
`271`	`271`	`}`
`@@ -288,7 +288,7 @@ void attsProcPrepWriteReq(attsCcb_t pCcb, uint16_t len, uint8_t pPacket)`
`288`	`288`	`pPrep->handle = handle;`
`289`	`289`	`pPrep->offset = offset;`
`290`	`290`	`memcpy(pPrep->packet, pPacket, writeLen);`
`291`		`- WsfQueueEnq(&attsCb.prepWriteQueue[pCcb->connId], pPrep);`
	`291`	`+ WsfQueueEnq(&attsCb.prepWriteQueue[pCcb->connId - 1], pPrep);`
`292`	`292`
`293`	`293`	`/* allocate response buffer */`
`294`	`294`	`if ((pBuf = attMsgAlloc(L2C_PAYLOAD_START + ATT_PREP_WRITE_RSP_LEN + writeLen)) != NULL)`
`@@ -342,7 +342,7 @@ void attsProcExecWriteReq(attsCcb_t pCcb, uint16_t len, uint8_t pPacket)`
`342`	`342`	`else if (*pPacket == ATT_EXEC_WRITE_ALL)`
`343`	`343`	`{`
`344`	`344`	`/* iterate over prepare write queue and verify offset and length */`
`345`		`- for (pPrep = attsCb.prepWriteQueue[pCcb->connId].pHead; pPrep != NULL; pPrep = pPrep->pNext)`
	`345`	`+ for (pPrep = attsCb.prepWriteQueue[pCcb->connId - 1].pHead; pPrep != NULL; pPrep = pPrep->pNext)`
`346`	`346`	`{`
`347`	`347`	`/* find attribute */`
`348`	`348`	`if ((pAttr = attsFindByHandle(pPrep->handle, &pGroup)) != NULL)`
`@@ -371,7 +371,7 @@ void attsProcExecWriteReq(attsCcb_t pCcb, uint16_t len, uint8_t pPacket)`
`371`	`371`	`if (err == ATT_SUCCESS)`
`372`	`372`	`{`
`373`	`373`	`/* for each buffer */`
`374`		`- while ((pPrep = WsfQueueDeq(&attsCb.prepWriteQueue[pCcb->connId])) != NULL)`
	`374`	`+ while ((pPrep = WsfQueueDeq(&attsCb.prepWriteQueue[pCcb->connId - 1])) != NULL)`
`375`	`375`	`{`
`376`	`376`	`/* write buffer */`
`377`	`377`	`if ((err = attsExecPrepWrite(pCcb, pPrep)) != ATT_SUCCESS)`