fix(ble/bluedroid): Fix potential uint32_t overflow in BLE btu_start_timer

esp-zhp · esp-zhp · commit a9286567f045 · 2025-03-27T16:59:12.000+08:00
diff --git a/components/bt/host/bluedroid/api/include/api/esp_gap_ble_api.h b/components/bt/host/bluedroid/api/include/api/esp_gap_ble_api.h
@@ -1850,7 +1850,8 @@ esp_err_t esp_ble_gap_set_scan_params(esp_ble_scan_params_t *scan_params);
 /**
  * @brief           This procedure keep the device scanning the peer device which advertising on the air
  *
- * @param[in]       duration: Keeping the scanning time, the unit is second.
+ * @param[in]       duration: The scanning duration in seconds.
+ *                            Set to 0 for continuous scanning until explicitly stopped.
  *
  * @return
  *                  - ESP_OK : success
diff --git a/components/bt/host/bluedroid/stack/btu/btu_task.c b/components/bt/host/bluedroid/stack/btu/btu_task.c
@@ -453,7 +453,7 @@ void btu_start_timer(TIMER_LIST_ENT *p_tle, UINT16 type, UINT32 timeout_sec)
     // NOTE: This value is in seconds but stored in a ticks field.
     p_tle->ticks = timeout_sec;
     p_tle->in_use = TRUE;
-    osi_alarm_set(alarm, (period_ms_t)(timeout_sec * 1000));
+    osi_alarm_set(alarm, (period_ms_t)((period_ms_t)timeout_sec * 1000));
 }
 
 
diff --git a/examples/bluetooth/bluedroid/ble/ble_eddystone_receiver/main/esp_eddystone_demo.c b/examples/bluetooth/bluedroid/ble/ble_eddystone_receiver/main/esp_eddystone_demo.c
@@ -84,6 +84,7 @@ static void esp_gap_cb(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t* par
     switch(event)
     {
         case ESP_GAP_BLE_SCAN_PARAM_SET_COMPLETE_EVT: {
+            // the unit of the duration is second, 0 means scan permanently
             uint32_t duration = 0;
             esp_ble_gap_start_scanning(duration);
             break;
diff --git a/examples/bluetooth/bluedroid/ble/ble_ibeacon/main/ibeacon_demo.c b/examples/bluetooth/bluedroid/ble/ble_ibeacon/main/ibeacon_demo.c
@@ -73,7 +73,7 @@ static void esp_gap_cb(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t *par
     }
     case ESP_GAP_BLE_SCAN_PARAM_SET_COMPLETE_EVT: {
 #if (IBEACON_MODE == IBEACON_RECEIVER)
-        //the unit of the duration is second, 0 means scan permanently
+        // the unit of the duration is second, 0 means scan permanently
         uint32_t duration = 0;
         esp_ble_gap_start_scanning(duration);
 #endif
diff --git a/examples/bluetooth/bluedroid/ble/ble_spp_client/main/spp_client_demo.c b/examples/bluetooth/bluedroid/ble/ble_spp_client/main/spp_client_demo.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2021-2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2021-2025 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Unlicense OR CC0-1.0
  */
@@ -216,9 +216,8 @@ static void esp_gap_cb(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t *par
             ESP_LOGE(GATTC_TAG, "Scan param set failed: %s", esp_err_to_name(err));
             break;
         }
-        //the unit of the duration is second
-        uint32_t duration = 0xFFFF;
-        ESP_LOGI(GATTC_TAG, "Enable Ble Scan:during time %04" PRIx32 " minutes.",duration);
+        // the unit of the duration is second, 0 means scan permanently
+        uint32_t duration = 0;
         esp_ble_gap_start_scanning(duration);
         break;
     }
diff --git a/examples/bluetooth/bluedroid/ble/gatt_client/main/gattc_demo.c b/examples/bluetooth/bluedroid/ble/gatt_client/main/gattc_demo.c
@@ -328,7 +328,9 @@ static void esp_gap_cb(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t *par
     uint8_t adv_name_len = 0;
     switch (event) {
     case ESP_GAP_BLE_SCAN_PARAM_SET_COMPLETE_EVT: {
-        //the unit of the duration is second
+        // The unit of duration is seconds.
+        // If duration is set to 0, scanning will continue indefinitely
+        // until esp_ble_gap_stop_scanning is explicitly called.
         uint32_t duration = 30;
         esp_ble_gap_start_scanning(duration);
         break;
diff --git a/examples/bluetooth/bluedroid/ble/gatt_security_client/main/example_ble_sec_gattc_demo.c b/examples/bluetooth/bluedroid/ble/gatt_security_client/main/example_ble_sec_gattc_demo.c
@@ -385,7 +385,7 @@ static void esp_gap_cb(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t *par
         }
         break;
     case ESP_GAP_BLE_SCAN_PARAM_SET_COMPLETE_EVT: {
-        //the unit of the duration is second
+        // the unit of the duration is second, 0 means scan permanently
         uint32_t duration = 30;
         esp_ble_gap_start_scanning(duration);
         break;
diff --git a/examples/bluetooth/bluedroid/ble/gattc_multi_connect/main/gattc_multi_connect.c b/examples/bluetooth/bluedroid/ble/gattc_multi_connect/main/gattc_multi_connect.c
@@ -775,7 +775,7 @@ static void esp_gap_cb(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t *par
                   param->update_conn_params.timeout);
         break;
     case ESP_GAP_BLE_SCAN_PARAM_SET_COMPLETE_EVT: {
-        //the unit of the duration is second
+        // the unit of the duration is second, 0 means scan permanently
         uint32_t duration = 30;
         esp_ble_gap_start_scanning(duration);
         break;
diff --git a/examples/bluetooth/bluedroid/coex/gattc_gatts_coex/main/gattc_gatts_coex.c b/examples/bluetooth/bluedroid/coex/gattc_gatts_coex/main/gattc_gatts_coex.c
@@ -278,7 +278,7 @@ static void gap_event_handler(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param
         break;
     case ESP_GAP_BLE_SCAN_PARAM_SET_COMPLETE_EVT: {
         ESP_LOGI(COEX_TAG, "ESP_GAP_BLE_SCAN_PARAM_SET_COMPLETE_EVT, set scan sparameters complete");
-        //the unit of the duration is second
+        // the unit of the duration is second, 0 means scan permanently
         uint32_t duration = 120;
         esp_ble_gap_start_scanning(duration);
         break;

Original file line number	Diff line number	Diff line change
`@@ -1850,7 +1850,8 @@ esp_err_t esp_ble_gap_set_scan_params(esp_ble_scan_params_t *scan_params);`
`1850`	`1850`	`/**`
`1851`	`1851`	`* @brief This procedure keep the device scanning the peer device which advertising on the air`
`1852`	`1852`	`*`
`1853`		`- * @param[in] duration: Keeping the scanning time, the unit is second.`
	`1853`	`+ * @param[in] duration: The scanning duration in seconds.`
	`1854`	`+ * Set to 0 for continuous scanning until explicitly stopped.`
`1854`	`1855`	`*`
`1855`	`1856`	`* @return`
`1856`	`1857`	`* - ESP_OK : success`
Original file line number	Diff line number	Diff line change
`@@ -453,7 +453,7 @@ void btu_start_timer(TIMER_LIST_ENT *p_tle, UINT16 type, UINT32 timeout_sec)`
`453`	`453`	`// NOTE: This value is in seconds but stored in a ticks field.`
`454`	`454`	`p_tle->ticks = timeout_sec;`
`455`	`455`	`p_tle->in_use = TRUE;`
`456`		`- osi_alarm_set(alarm, (period_ms_t)(timeout_sec * 1000));`
	`456`	`+ osi_alarm_set(alarm, (period_ms_t)((period_ms_t)timeout_sec * 1000));`
`457`	`457`	`}`
`458`	`458`
`459`	`459`
Original file line number	Diff line number	Diff line change
`@@ -84,6 +84,7 @@ static void esp_gap_cb(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t* par`
`84`	`84`	`switch(event)`
`85`	`85`	`{`
`86`	`86`	`case ESP_GAP_BLE_SCAN_PARAM_SET_COMPLETE_EVT: {`
	`87`	`+ // the unit of the duration is second, 0 means scan permanently`
`87`	`88`	`uint32_t duration = 0;`
`88`	`89`	`esp_ble_gap_start_scanning(duration);`
`89`	`90`	`break;`
Original file line number	Diff line number	Diff line change
`@@ -73,7 +73,7 @@ static void esp_gap_cb(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t *par`
`73`	`73`	`}`
`74`	`74`	`case ESP_GAP_BLE_SCAN_PARAM_SET_COMPLETE_EVT: {`
`75`	`75`	`#if (IBEACON_MODE == IBEACON_RECEIVER)`
`76`		`- //the unit of the duration is second, 0 means scan permanently`
	`76`	`+ // the unit of the duration is second, 0 means scan permanently`
`77`	`77`	`uint32_t duration = 0;`
`78`	`78`	`esp_ble_gap_start_scanning(duration);`
`79`	`79`	`#endif`
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`/*`
`2`		`- * SPDX-FileCopyrightText: 2021-2024 Espressif Systems (Shanghai) CO LTD`
	`2`	`+ * SPDX-FileCopyrightText: 2021-2025 Espressif Systems (Shanghai) CO LTD`
`3`	`3`	`*`
`4`	`4`	`* SPDX-License-Identifier: Unlicense OR CC0-1.0`
`5`	`5`	`*/`
`@@ -216,9 +216,8 @@ static void esp_gap_cb(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t *par`
`216`	`216`	`ESP_LOGE(GATTC_TAG, "Scan param set failed: %s", esp_err_to_name(err));`
`217`	`217`	`break;`
`218`	`218`	`}`
`219`		`- //the unit of the duration is second`
`220`		`- uint32_t duration = 0xFFFF;`
`221`		`- ESP_LOGI(GATTC_TAG, "Enable Ble Scan:during time %04" PRIx32 " minutes.",duration);`
	`219`	`+ // the unit of the duration is second, 0 means scan permanently`
	`220`	`+ uint32_t duration = 0;`
`222`	`221`	`esp_ble_gap_start_scanning(duration);`
`223`	`222`	`break;`
`224`	`223`	`}`
Original file line number	Diff line number	Diff line change
`@@ -385,7 +385,7 @@ static void esp_gap_cb(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param_t *par`
`385`	`385`	`}`
`386`	`386`	`break;`
`387`	`387`	`case ESP_GAP_BLE_SCAN_PARAM_SET_COMPLETE_EVT: {`
`388`		`- //the unit of the duration is second`
	`388`	`+ // the unit of the duration is second, 0 means scan permanently`
`389`	`389`	`uint32_t duration = 30;`
`390`	`390`	`esp_ble_gap_start_scanning(duration);`
`391`	`391`	`break;`