Merge pull request #1493 from NickeZ/nickez/review-fixes

review: Various review fixes

Author: NickeZ

src/bootloader/bootloader.c

@@ -359,7 +359,7 @@ void bootloader_render_default_screen(void)
 
 #if PLATFORM_BITBOX02PLUS
 extern bool bootloader_pairing_request;
-extern uint8_t bootloader_pairing_code_bytes[16];
+extern uint8_t bootloader_pairing_code_bytes[4];
 
 void bootloader_render_ble_confirm_screen(bool confirmed)
 {

src/bootloader/startup.c

@@ -61,7 +61,7 @@ uint32_t __stack_chk_guard = 0;
 #if PLATFORM_BITBOX02PLUS == 1
 extern volatile bool measurement_done_touch;
 int bootloader_pairing_request = false;
-uint8_t bootloader_pairing_code_bytes[16] = {0};
+uint8_t bootloader_pairing_code_bytes[4] = {0};
 // Must be power of 2, must fit bond_db
 #define UART_OUT_BUF_LEN 2048
 struct ringbuffer uart_write_queue;

src/da14531/da14531.c

@@ -23,7 +23,7 @@ void da14531_reset(struct ringbuffer* uart_out)
 {
     util_log("da14531_reset");
     uint8_t payload = CTRL_CMD_BLE_CHIP_RESET;
-    uint8_t buf[10] = {0};
+    uint8_t buf[12 + sizeof(payload) * 2] = {0};
     uint16_t len = da14531_protocol_format(
         &buf[0], sizeof(buf), DA14531_PROTOCOL_PACKET_TYPE_CTRL_DATA, &payload, 1);
     ASSERT(len <= sizeof(buf));
@@ -37,7 +37,7 @@ void da14531_power_down(struct ringbuffer* uart_out)
 {
     util_log("da14531_power_down");
     uint8_t payload[2] = {CTRL_CMD_BLE_POWER_DOWN, 0};
-    uint8_t buf[10] = {0};
+    uint8_t buf[12 + sizeof(payload) * 2] = {0};
     uint16_t len = da14531_protocol_format(
         &buf[0], sizeof(buf), DA14531_PROTOCOL_PACKET_TYPE_CTRL_DATA, &payload[0], sizeof(payload));
     ASSERT(len <= sizeof(buf));
@@ -57,7 +57,7 @@ void da14531_set_product(
     for (int i = 0; i < product_len; i++) {
         payload[1 + i] = product[i];
     }
-    uint8_t tmp[128];
+    uint8_t tmp[12 + sizeof(payload) * 2];
     uint16_t tmp_len = da14531_protocol_format(
         &tmp[0], sizeof(tmp), DA14531_PROTOCOL_PACKET_TYPE_CTRL_DATA, &payload[0], 1 + product_len);
     ASSERT(tmp_len <= sizeof(tmp));
@@ -72,7 +72,7 @@ void da14531_set_name(const char* name, size_t name_len, struct ringbuffer* uart
     uint8_t payload[64] = {0};
     payload[0] = CTRL_CMD_DEVICE_NAME;
     memcpy(&payload[1], name, name_len);
-    uint8_t tmp[128];
+    uint8_t tmp[12 + sizeof(payload) * 2];
     uint16_t tmp_len = da14531_protocol_format(
         &tmp[0], sizeof(tmp), DA14531_PROTOCOL_PACKET_TYPE_CTRL_DATA, &payload[0], 1 + name_len);
     ASSERT(tmp_len <= sizeof(tmp));
@@ -85,7 +85,7 @@ void da14531_set_name(const char* name, size_t name_len, struct ringbuffer* uart
 void da14531_get_connection_state(struct ringbuffer* uart_out)
 {
     uint8_t payload = CTRL_CMD_BLE_STATUS;
-    uint8_t tmp[16];
+    uint8_t tmp[12 + sizeof(payload) * 2];
     uint16_t tmp_len = da14531_protocol_format(
         &tmp[0], sizeof(tmp), DA14531_PROTOCOL_PACKET_TYPE_CTRL_DATA, &payload, 1);
     ASSERT(tmp_len <= sizeof(tmp));

src/da14531/da14531_handler.c

@@ -57,7 +57,7 @@ static void _ble_pairing_callback(bool ok, void* param)
     memcpy(&payload[1], &data->key[0], sizeof(data->key));
     payload[17] = ok ? 1 : 0; /* 1 yes, 0 no */
 
-    uint8_t tmp[32];
+    uint8_t tmp[12 + sizeof(payload) * 2];
     uint16_t len = da14531_protocol_format(
         &tmp[0], sizeof(tmp), DA14531_PROTOCOL_PACKET_TYPE_CTRL_DATA, payload, sizeof(payload));
     ASSERT(len <= sizeof(tmp));
@@ -72,12 +72,11 @@ static void _ble_pairing_callback(bool ok, void* param)
 #else
 #include <bootloader/bootloader.h>
 extern bool bootloader_pairing_request;
-extern uint8_t bootloader_pairing_code_bytes[16];
+extern uint8_t bootloader_pairing_code_bytes[4];
 #endif
 
 static void _ctrl_handler(struct da14531_ctrl_frame* frame, struct ringbuffer* queue)
 {
-    uint8_t tmp[1152]; // 1024 + some margin (128)
     switch (frame->cmd) {
     case CTRL_CMD_DEVICE_NAME: {
         // util_log("da14531: get device name");
@@ -90,6 +89,7 @@ static void _ctrl_handler(struct da14531_ctrl_frame* frame, struct ringbuffer* q
 #else
         memory_get_device_name((char*)&response[1]);
 #endif
+        uint8_t tmp[12 + sizeof(response) * 2];
         uint16_t len = da14531_protocol_format(
             &tmp[0],
             sizeof(tmp),
@@ -109,6 +109,7 @@ static void _ctrl_handler(struct da14531_ctrl_frame* frame, struct ringbuffer* q
         int16_t len = memory_get_ble_bond_db(&response[1]);
         // util_log("da14531: bond db len %d", len);
         uint16_t tmp_len;
+        uint8_t tmp[12 + sizeof(response) * 2];
         if (len != -1) {
             tmp_len = da14531_protocol_format(
                 &tmp[0],
@@ -128,13 +129,18 @@ static void _ctrl_handler(struct da14531_ctrl_frame* frame, struct ringbuffer* q
     } break;
     case CTRL_CMD_BOND_DB_SET:
         // util_log("da14531: set bond db");
-        // util_log("da14531: bond db len %d", frame->payload_length - 1);
+        if (frame->payload_length < 2) {
+            util_log("da14531: set bond db, invalid length");
+            ASSERT(false);
+            break;
+        }
         memory_set_ble_bond_db(&frame->cmd_data[0], frame->payload_length - 1);
         break;
     case CTRL_CMD_PAIRING_CODE: {
         if (frame->payload_length < 5) {
-            // TODO handle error.
-            Abort("Invalid payload length for BLE pairing code");
+            util_log("da14531: pairing code, invalid length");
+            ASSERT(false);
+            break;
         }
 #if !defined(BOOTLOADER)
         memcpy(
@@ -163,6 +169,11 @@ static void _ctrl_handler(struct da14531_ctrl_frame* frame, struct ringbuffer* q
 #endif
     } break;
     case CTRL_CMD_BLE_STATUS:
+        if (frame->payload_length < 2) {
+            util_log("da14531: ble status, invalid length");
+            ASSERT(false);
+            break;
+        }
         if (frame->cmd_data[0] <= DA14531_CONNECTED_CONNECTED_SECURED) {
             da14531_connected_state = frame->cmd_data[0];
         }
@@ -200,6 +211,7 @@ static void _ctrl_handler(struct da14531_ctrl_frame* frame, struct ringbuffer* q
         uint8_t response[1 + MEMORY_BLE_IRK_LEN] = {0}; //+1 for cmd
         response[0] = CTRL_CMD_IRK;
         memory_get_ble_irk(&response[1]);
+        uint8_t tmp[12 + sizeof(response) * 2];
         uint16_t len = da14531_protocol_format(
             &tmp[0],
             sizeof(tmp),
@@ -223,6 +235,7 @@ static void _ctrl_handler(struct da14531_ctrl_frame* frame, struct ringbuffer* q
         uint8_t response[1 + MEMORY_BLE_ADDR_LEN] = {0};
         response[0] = CTRL_CMD_IDENTITY_ADDRESS;
         memory_get_ble_identity_address(&response[1]);
+        uint8_t tmp[12 + sizeof(response) * 2];
         uint16_t len = da14531_protocol_format(
             &tmp[0],
             sizeof(tmp),
@@ -235,8 +248,9 @@ static void _ctrl_handler(struct da14531_ctrl_frame* frame, struct ringbuffer* q
             ringbuffer_put(queue, tmp[i]);
         }
     } break;
+#if !defined(NDEBUG)
     case CTRL_CMD_PAIRING_SUCCESSFUL:
-        // util_log("da14531: pairing successful");
+        util_log("da14531: pairing successful");
         break;
     case CTRL_CMD_DEBUG:
         util_log(
@@ -245,6 +259,7 @@ static void _ctrl_handler(struct da14531_ctrl_frame* frame, struct ringbuffer* q
             &frame->cmd_data[0],
             frame->payload_length - 1);
         break;
+#endif
     default:
         break;
     }

src/da14531/da14531_protocol.c

@@ -182,9 +182,6 @@ static void _firmware_loader_poll(
         break;
     case FIRMWARE_LOADER_STATE_SENT_FIRMWARE:
         if (*buf_in_len == 1) {
-            if (ble_fw == NULL || ble_fw_size == 0) {
-                Abort("ble_fw is NULL");
-            }
             if (buf_in[0] == ble_fw_checksum) {
                 util_log("da14531: checksum success (%x)", buf_in[0]);
                 ASSERT(ringbuffer_num(out_queue) + 1 <= out_queue->size);
@@ -257,13 +254,20 @@ static struct da14531_protocol_frame* _serial_link_in_poll(
                 self->escape_state = ESCAPE_STATE_ACCEPT;
                 if (self->frame_len > 0) {
                     // save the bytes that wasn't consumed
-                    memcpy(&self->buf_in[0], &self->buf_in[i + 1], self->buf_in_len);
+                    memmove(&self->buf_in[0], &self->buf_in[i + 1], self->buf_in_len);
                     self->state = SERIAL_LINK_STATE_CHECK;
                     break;
                 }
                 continue;
             }
 
+            // If we ran out of space while parsing an incoming frame
+            if (self->frame_len >= sizeof(self->frame)) {
+                ASSERT(false);
+                self->frame_len = 0;
+                self->escape_state = ESCAPE_STATE_WAIT;
+            }
+
             switch (self->escape_state) {
             case ESCAPE_STATE_WAIT:
                 break;
@@ -388,7 +392,7 @@ struct da14531_protocol_frame* da14531_protocol_poll(
     struct ringbuffer* out_queue)
 {
     if (hww_data && *hww_data) {
-        uint8_t tmp[128];
+        uint8_t tmp[12 + 64 * 2];
         int len = da14531_protocol_format(
             &tmp[0], sizeof(tmp), DA14531_PROTOCOL_PACKET_TYPE_BLE_DATA, *hww_data, 64);
         ASSERT(len < (int)sizeof(tmp));

src/da14531/da14531_protocol.h

@@ -47,8 +47,21 @@ struct da14531_protocol_frame* da14531_protocol_poll(
     const uint8_t** hww_data,
     struct ringbuffer* out_queue);
 
-/// Formats a packet into buf for sending over serial
-/// Returns number of bytes formatted
+// Formats a packet into buf for sending over serial. Worst case the buf_len needs to fit:
+// SOF - 1 byte
+// type - 1 byte
+// len - 2 bytes
+// payload - payload_len bytes
+// CRC - 2 bytes
+// EOF - 1 byte
+//
+// Type, len, payload and crc will have some bytes escaped so worst case takes twice the space.
+//
+// 2 + (1+2+payload_len+2)*2 = 2 + (5+payload_len)*2 = 12 + 2*payload_len
+//
+// For example, 64 bytes require 140 byte buffer worst case.
+//
+// Returns number of formattedb bytes
 uint16_t da14531_protocol_format(
     uint8_t* buf,
     uint16_t buf_len,

src/memory/memory_shared.c

@@ -180,6 +180,9 @@ int16_t memory_get_ble_bond_db(uint8_t* data)
 bool memory_set_ble_bond_db(uint8_t* data, int16_t data_len)
 {
     ASSERT(data_len <= MEMORY_BLE_BOND_DB_LEN);
+    if (data_len > MEMORY_BLE_BOND_DB_LEN) {
+        return false;
+    }
     chunk_shared_t chunk = {0};
     CLEANUP_CHUNK(chunk);
     memory_read_shared_bootdata(&chunk);