bluetooth: fix packet pointer may refer to null

chengkai15 · xiaoxiang781216 · commit 3fb63c20d40c · 2024-10-17T18:09:32.000+08:00
rootcasue: when packet is null, packet var in for loop would
refer to null memory.

Signed-off-by: chengkai &lt;chengkai@xiaomi.com&gt;
diff --git a/drivers/wireless/bluetooth/bt_slip.c b/drivers/wireless/bluetooth/bt_slip.c
@@ -777,6 +777,7 @@ static int bt_slip_receive(FAR struct bt_driver_s *drv,
   FAR uint8_t *packet;
   FAR uint8_t *cursor;
   FAR uint8_t *header;
+  FAR uint8_t *pointer;
   uint8_t byte = 0;
   uint16_t checksum;
   size_t remaining;
@@ -818,13 +819,14 @@ static int bt_slip_receive(FAR struct bt_driver_s *drv,
                 break;
               }
 
-            packet = bt_slip_unslip_byte(packet, &byte);
-            if (!packet)
+            pointer = bt_slip_unslip_byte(packet, &byte);
+            if (!pointer)
               {
                 state = PACKET_START;
                 break;
               }
 
+            packet = pointer;
             *cursor++ = byte;
             remaining--;
 
@@ -898,13 +900,14 @@ static int bt_slip_receive(FAR struct bt_driver_s *drv,
           break;
         case PACKET_PAYLOAD:
           {
-            packet = bt_slip_unslip_byte(packet, &byte);
-            if (!packet)
+            pointer = bt_slip_unslip_byte(packet, &byte);
+            if (!pointer)
               {
                 state = PACKET_START;
                 break;
               }
 
+            packet = pointer;
             *cursor++ = byte;
             remaining--;
 
@@ -926,13 +929,14 @@ static int bt_slip_receive(FAR struct bt_driver_s *drv,
           break;
         case PACKET_DICHECK:
           {
-            packet = bt_slip_unslip_byte(packet, &byte);
-            if (!packet)
+            pointer = bt_slip_unslip_byte(packet, &byte);
+            if (!pointer)
               {
                 state = PACKET_START;
                 break;
               }
 
+            packet = pointer;
             *cursor++ = byte;
             remaining--;
 

Original file line number	Diff line number	Diff line change
`@@ -777,6 +777,7 @@ static int bt_slip_receive(FAR struct bt_driver_s *drv,`
`777`	`777`	`FAR uint8_t *packet;`
`778`	`778`	`FAR uint8_t *cursor;`
`779`	`779`	`FAR uint8_t *header;`
	`780`	`+ FAR uint8_t *pointer;`
`780`	`781`	`uint8_t byte = 0;`
`781`	`782`	`uint16_t checksum;`
`782`	`783`	`size_t remaining;`
`@@ -818,13 +819,14 @@ static int bt_slip_receive(FAR struct bt_driver_s *drv,`
`818`	`819`	`break;`
`819`	`820`	`}`
`820`	`821`
`821`		`- packet = bt_slip_unslip_byte(packet, &byte);`
`822`		`- if (!packet)`
	`822`	`+ pointer = bt_slip_unslip_byte(packet, &byte);`
	`823`	`+ if (!pointer)`
`823`	`824`	`{`
`824`	`825`	`state = PACKET_START;`
`825`	`826`	`break;`
`826`	`827`	`}`
`827`	`828`
	`829`	`+ packet = pointer;`
`828`	`830`	`*cursor++ = byte;`
`829`	`831`	`remaining--;`
`830`	`832`
`@@ -898,13 +900,14 @@ static int bt_slip_receive(FAR struct bt_driver_s *drv,`
`898`	`900`	`break;`
`899`	`901`	`case PACKET_PAYLOAD:`
`900`	`902`	`{`
`901`		`- packet = bt_slip_unslip_byte(packet, &byte);`
`902`		`- if (!packet)`
	`903`	`+ pointer = bt_slip_unslip_byte(packet, &byte);`
	`904`	`+ if (!pointer)`
`903`	`905`	`{`
`904`	`906`	`state = PACKET_START;`
`905`	`907`	`break;`
`906`	`908`	`}`
`907`	`909`
	`910`	`+ packet = pointer;`
`908`	`911`	`*cursor++ = byte;`
`909`	`912`	`remaining--;`
`910`	`913`
`@@ -926,13 +929,14 @@ static int bt_slip_receive(FAR struct bt_driver_s *drv,`
`926`	`929`	`break;`
`927`	`930`	`case PACKET_DICHECK:`
`928`	`931`	`{`
`929`		`- packet = bt_slip_unslip_byte(packet, &byte);`
`930`		`- if (!packet)`
	`932`	`+ pointer = bt_slip_unslip_byte(packet, &byte);`
	`933`	`+ if (!pointer)`
`931`	`934`	`{`
`932`	`935`	`state = PACKET_START;`
`933`	`936`	`break;`
`934`	`937`	`}`
`935`	`938`
	`939`	`+ packet = pointer;`
`936`	`940`	`*cursor++ = byte;`
`937`	`941`	`remaining--;`
`938`	`942`