lib: ble_conn_params: fix unsafe use of conn_handle as idx into array

It is not safe to assume that connection handles will start at zero
and always stay below the number of max connections. Therefore,
connection handle cannot, and should not, be used to index into
arrays or lists.

Fix this by using the nrf_sdh_ble_idx_get function to return
an index that has been assigned to the connection handle
by the softdevice handler.

Signed-off-by: Andreas Moltumyr <[email protected]>

Author: anhmolt

include/ble_conn_params.h

@@ -119,7 +119,6 @@ int ble_conn_params_override(uint16_t conn_handle, const ble_gap_conn_params_t *
  *
  * @return 0 On success.
  * @return -EINVAL Invalid ATT MTU or connection handle.
- * @return -ENOTCONN Peer is not connected.
  */
 int ble_conn_params_att_mtu_set(uint16_t conn_handle, uint16_t att_mtu);
 
@@ -132,7 +131,6 @@ int ble_conn_params_att_mtu_set(uint16_t conn_handle, uint16_t att_mtu);
  * @return 0 On success.
  * @return -EINVAL Invalid connection handle.
  * @return -EFAULT @p att_mtu is @c NULL.
- * @return -ENOTCONN Peer is not connected.
  */
 int ble_conn_params_att_mtu_get(uint16_t conn_handle, uint16_t *att_mtu);
 
@@ -147,7 +145,6 @@ int ble_conn_params_att_mtu_get(uint16_t conn_handle, uint16_t *att_mtu);
  *
  * @return 0 On success.
  * @return -EINVAL Invalid data length or connection handle.
- * @return -ENOTCONN Peer is not connected.
  */
 int ble_conn_params_data_length_set(uint16_t conn_handle, uint8_t data_length);
 
@@ -160,7 +157,6 @@ int ble_conn_params_data_length_set(uint16_t conn_handle, uint8_t data_length);
  * @return 0 On success.
  * @return -EINVAL Invalid connection handle.
  * @return -EFAULT @p data_length is @c NULL.
- * @return -ENOTCONN Peer is not connected.
  */
 int ble_conn_params_data_length_get(uint16_t conn_handle, uint8_t *data_length);
 
@@ -175,7 +171,6 @@ int ble_conn_params_data_length_get(uint16_t conn_handle, uint8_t *data_length);
  *
  * @return 0 On success.
  * @return -EINVAL Invalid data length or connection handle.
- * @return -ENOTCONN Peer is not connected.
  */
 int ble_conn_params_phy_radio_mode_set(uint16_t conn_handle, ble_gap_phys_t phy_pref);
 
@@ -188,6 +183,5 @@ int ble_conn_params_phy_radio_mode_set(uint16_t conn_handle, ble_gap_phys_t phy_
  * @return 0 On success.
  * @return -EINVAL Invalid connection handle.
  * @return -EFAULT @p phy_pref is @c NULL.
- * @return -ENOTCONN Peer is not connected.
  */
 int ble_conn_params_phy_radio_mode_get(uint16_t conn_handle, ble_gap_phys_t *phy_pref);

lib/ble_conn_params/att_mtu.c

@@ -17,141 +17,149 @@ extern void ble_conn_params_event_send(const struct ble_conn_params_evt *evt);
 static struct {
 	uint16_t att_mtu;
 	uint8_t att_mtu_exchange_pending : 1;
-	uint8_t connected : 1;
 } links[CONFIG_NRF_SDH_BLE_TOTAL_LINK_COUNT] = {
 	[0 ... CONFIG_NRF_SDH_BLE_TOTAL_LINK_COUNT - 1] = {
 		.att_mtu = CONFIG_BLE_CONN_PARAMS_ATT_MTU,
 	}
 };
 
-static void mtu_exchange_request(uint16_t conn_handle)
+static void mtu_exchange_request(uint16_t conn_handle, int idx)
 {
 	int err;
 
-	err = sd_ble_gattc_exchange_mtu_request(conn_handle, links[conn_handle].att_mtu);
+	err = sd_ble_gattc_exchange_mtu_request(conn_handle, links[idx].att_mtu);
 	if (!err) {
 		return;
 	}
 
 	if (err == NRF_ERROR_BUSY) {
 		/* Retry */
 		LOG_DBG("Another procedure is ongoing, will retry");
-		links[conn_handle].att_mtu_exchange_pending = true;
+		links[idx].att_mtu_exchange_pending = true;
 	} else if (err) {
 		LOG_ERR("Failed to initiate ATT MTU exchange, nrf_error %#x", err);
 	}
 }
 
-static void on_exchange_mtu_req_evt(uint16_t conn_handle,
+static void on_exchange_mtu_req_evt(uint16_t conn_handle, int idx,
 				    const ble_gatts_evt_exchange_mtu_request_t *evt)
 {
 	int err;
-	uint16_t client_mtu = evt->client_rx_mtu;
 
-	links[conn_handle].att_mtu = MIN(client_mtu, links[conn_handle].att_mtu);
-	links[conn_handle].att_mtu_exchange_pending = false;
+	/* Determine the lowest ATT MTU between our own desired ATT MTU and the peer's. */
+	links[idx].att_mtu = MIN(evt->client_rx_mtu, links[idx].att_mtu);
+	links[idx].att_mtu_exchange_pending = false;
 
-	LOG_INF("Peer %#x requested ATT MTU of %u bytes", conn_handle, client_mtu);
+	LOG_INF("Peer %#x requested ATT MTU of %u bytes", conn_handle, evt->client_rx_mtu);
 
-	err = sd_ble_gatts_exchange_mtu_reply(conn_handle, links[conn_handle].att_mtu);
+	err = sd_ble_gatts_exchange_mtu_reply(conn_handle, links[idx].att_mtu);
 	if (err) {
 		LOG_ERR("Failed to reply to MTU exchange request, nrf_error %#x", err);
 		return;
 	}
 
-	LOG_INF("ATT MTU set to %u bytes for peer %#x", links[conn_handle].att_mtu, conn_handle);
+	LOG_INF("ATT MTU set to %u bytes for peer %#x", links[idx].att_mtu, conn_handle);
 
 	/* The ATT MTU exchange has finished, send an event to the application */
 	const struct ble_conn_params_evt app_evt = {
 		.id = BLE_CONN_PARAMS_EVT_ATT_MTU_UPDATED,
 		.conn_handle = conn_handle,
-		.att_mtu = links[conn_handle].att_mtu,
+		.att_mtu = links[idx].att_mtu,
 	};
 
 	ble_conn_params_event_send(&app_evt);
 }
 
 /* The effective ATT MTU is set to the lowest between what we requested and the peer's response.
- * This events concludes the ATT MTU exchange.
+ * This event concludes the ATT MTU exchange.
  */
-static void on_exchange_mtu_rsp_evt(uint16_t conn_handle,
+static void on_exchange_mtu_rsp_evt(uint16_t conn_handle, int idx,
 				    const ble_gattc_evt_exchange_mtu_rsp_t *evt)
 {
-	uint16_t server_rx_mtu = evt->server_rx_mtu;
+	/* Determine the lowest ATT MTU between our own desired ATT MTU and the peer's. */
+	links[idx].att_mtu = MIN(evt->server_rx_mtu, links[idx].att_mtu);
+	links[idx].att_mtu_exchange_pending = false;
 
-	/* Determine the lowest MTU between our own desired MTU and the peer's */
-	links[conn_handle].att_mtu_exchange_pending = false;
-	links[conn_handle].att_mtu = MIN(server_rx_mtu, links[conn_handle].att_mtu);
+	LOG_INF("ATT MTU set to %u bytes for peer %#x", links[idx].att_mtu, conn_handle);
 
-	LOG_INF("ATT MTU set to %u bytes for peer %#x", links[conn_handle].att_mtu, conn_handle);
-
-	/* Send an event to the application */
+	/* The ATT MTU exchange has finished, send an event to the application. */
 	const struct ble_conn_params_evt app_evt = {
 		.id = BLE_CONN_PARAMS_EVT_ATT_MTU_UPDATED,
 		.conn_handle = conn_handle,
-		.att_mtu = links[conn_handle].att_mtu,
+		.att_mtu = links[idx].att_mtu,
 	};
 
 	ble_conn_params_event_send(&app_evt);
 }
 
-static void on_connected(uint16_t conn_handle, const ble_gap_evt_connected_t *evt)
+static void on_connected(uint16_t conn_handle, int idx, const ble_gap_evt_connected_t *evt)
 {
+	ARG_UNUSED(evt);
+
 	if (IS_ENABLED(CONFIG_BLE_CONN_PARAMS_INITIATE_ATT_MTU_EXCHANGE)) {
 		LOG_INF("Initiating ATT MTU exchange procedure (%u -> %u bytes) for peer %#x",
-			BLE_GATT_ATT_MTU_DEFAULT, links[conn_handle].att_mtu, conn_handle);
+			BLE_GATT_ATT_MTU_DEFAULT, links[idx].att_mtu, conn_handle);
 
-		mtu_exchange_request(conn_handle);
+		mtu_exchange_request(conn_handle, idx);
 	}
-
-	links[conn_handle].connected = true;
 }
 
-static void on_disconnected(uint16_t conn_handle)
+static void on_disconnected(uint16_t conn_handle, int idx)
 {
-	links[conn_handle].connected = false;
+	ARG_UNUSED(conn_handle);
+
+	links[idx].att_mtu = CONFIG_BLE_CONN_PARAMS_ATT_MTU;
+	links[idx].att_mtu_exchange_pending = false;
 }
 
 static void on_ble_evt(const ble_evt_t *evt, void *ctx)
 {
 	const uint16_t conn_handle = evt->evt.common_evt.conn_handle;
+	const int idx = nrf_sdh_ble_idx_get(conn_handle);
+
+	__ASSERT(idx >= 0, "Invalid idx %d for conn_handle %#x, evt_id %#x",
+		 idx, conn_handle, evt->header.evt_id);
 
 	switch (evt->header.evt_id) {
 	case BLE_GAP_EVT_CONNECTED:
-		on_connected(conn_handle, &evt->evt.gap_evt.params.connected);
-		break;
+		on_connected(conn_handle, idx, &evt->evt.gap_evt.params.connected);
+		/* There is no pending ATT MTU exchange or the exchange was just attempted
+		 * and retry is not needed immediately. Return here.
+		 */
+		return;
 	case BLE_GAP_EVT_DISCONNECTED:
-		on_disconnected(conn_handle);
-		break;
+		on_disconnected(conn_handle, idx);
+		/* No neeed to retry ATT MTU exchange if disconnected. Return here. */
+		return;
 
 	case BLE_GATTC_EVT_EXCHANGE_MTU_RSP:
 		on_exchange_mtu_rsp_evt(
-			conn_handle, &evt->evt.gattc_evt.params.exchange_mtu_rsp);
+			conn_handle, idx, &evt->evt.gattc_evt.params.exchange_mtu_rsp);
 		break;
 	case BLE_GATTS_EVT_EXCHANGE_MTU_REQUEST:
 		on_exchange_mtu_req_evt(
-			conn_handle, &evt->evt.gatts_evt.params.exchange_mtu_request);
+			conn_handle, idx, &evt->evt.gatts_evt.params.exchange_mtu_request);
 		break;
 	default:
 		/* Ignore */
 		break;
 	}
 
-	if (conn_handle > CONFIG_NRF_SDH_BLE_TOTAL_LINK_COUNT) {
-		return;
-	}
-
-	/* Retry any procedures that were busy */
-	if (links[conn_handle].connected && links[conn_handle].att_mtu_exchange_pending) {
-		links[conn_handle].att_mtu_exchange_pending = false;
-		mtu_exchange_request(conn_handle);
+	/* Retry the ATT MTU exchange procedure for the current connection handle
+	 * if the SoftDevice was previously busy.
+	 */
+	if (links[idx].att_mtu_exchange_pending) {
+		links[idx].att_mtu_exchange_pending = false;
+		mtu_exchange_request(conn_handle, idx);
 	}
 }
 NRF_SDH_BLE_OBSERVER(ble_observer, on_ble_evt, NULL, 0);
 
 int ble_conn_params_att_mtu_set(uint16_t conn_handle, uint16_t att_mtu)
 {
-	if (conn_handle > ARRAY_SIZE(links)) {
+	const int idx = nrf_sdh_ble_idx_get(conn_handle);
+
+	if (idx < 0) {
 		return -EINVAL;
 	}
 
@@ -160,22 +168,25 @@ int ble_conn_params_att_mtu_set(uint16_t conn_handle, uint16_t att_mtu)
 		return -EINVAL;
 	}
 
-	links[conn_handle].att_mtu = att_mtu;
-	mtu_exchange_request(conn_handle);
+	links[idx].att_mtu = att_mtu;
+	mtu_exchange_request(conn_handle, idx);
 
 	return 0;
 }
 
 int ble_conn_params_att_mtu_get(uint16_t conn_handle, uint16_t *att_mtu)
 {
-	if (conn_handle > ARRAY_SIZE(links)) {
+	const int idx = nrf_sdh_ble_idx_get(conn_handle);
+
+	if (idx < 0) {
 		return -EINVAL;
 	}
+
 	if (!att_mtu) {
 		return -EFAULT;
 	}
 
-	*att_mtu = links[conn_handle].att_mtu;
+	*att_mtu = links[idx].att_mtu;
 
 	return 0;
 }

lib/ble_conn_params/conn_param.c

@@ -30,13 +30,13 @@ static struct {
 	}
 };
 
-static void conn_params_negotiate(uint16_t conn_handle)
+static void conn_params_negotiate(uint16_t conn_handle, int idx)
 {
 	int err;
 
 	LOG_DBG("Negotiating desired parameters with peer %#x", conn_handle);
 
-	err = sd_ble_gap_conn_param_update(conn_handle, &links[conn_handle].ppcp);
+	err = sd_ble_gap_conn_param_update(conn_handle, &links[idx].ppcp);
 	if (err) {
 		LOG_ERR("Failed to request GAP connection parameters update, nrf_error %#x", err);
 	}
@@ -87,23 +87,22 @@ static bool conn_params_can_agree(const ble_gap_conn_params_t *conn_params)
 	return true;
 }
 
-static void on_connected(uint16_t conn_handle, const ble_gap_evt_connected_t *evt)
+static void on_connected(uint16_t conn_handle, int idx, const ble_gap_evt_connected_t *evt)
 {
-	const uint8_t role = evt->role;
-
-	links[conn_handle].retries = CONFIG_BLE_CONN_PARAMS_NEGOTIATION_RETRIES;
+	links[idx].retries = CONFIG_BLE_CONN_PARAMS_NEGOTIATION_RETRIES;
 
 	/* Copy default ppcp */
-	memcpy(&links[conn_handle].ppcp, &ppcp, sizeof(ble_gap_conn_params_t));
+	memcpy(&links[idx].ppcp, &ppcp, sizeof(ble_gap_conn_params_t));
 
-	if (role == BLE_GAP_ROLE_PERIPH) {
+	if (evt->role == BLE_GAP_ROLE_PERIPH) {
 		if (!conn_params_can_agree(&evt->conn_params)) {
-			conn_params_negotiate(conn_handle);
+			conn_params_negotiate(conn_handle, idx);
 		}
 	}
 }
 
-static void on_conn_params_update(uint16_t conn_handle, const ble_gap_evt_conn_param_update_t *evt)
+static void on_conn_params_update(uint16_t conn_handle, int idx,
+				  const ble_gap_evt_conn_param_update_t *evt)
 {
 	LOG_DBG("GAP connection params updated, conn. interval min %u max %u,"
 		" slave latency %u, sup. timeout %u",
@@ -125,9 +124,9 @@ static void on_conn_params_update(uint16_t conn_handle, const ble_gap_evt_conn_p
 	/** TODO: should use a timer here
 	 *  what is this really used for
 	 */
-	if (links[conn_handle].retries) {
-		links[conn_handle].retries--;
-		conn_params_negotiate(conn_handle);
+	if (links[idx].retries) {
+		links[idx].retries--;
+		conn_params_negotiate(conn_handle, idx);
 		return;
 	}
 
@@ -145,26 +144,24 @@ static void on_conn_params_update(uint16_t conn_handle, const ble_gap_evt_conn_p
 	}
 }
 
-static void on_disconnected(uint16_t conn_handle, const ble_gap_evt_disconnected_t *evt)
-{
-}
-
 static void on_ble_evt(const ble_evt_t *evt, void *ctx)
 {
 	const uint16_t conn_handle = evt->evt.common_evt.conn_handle;
+	const int idx = nrf_sdh_ble_idx_get(conn_handle);
+
+	__ASSERT(idx >= 0, "Invalid idx %d for conn_handle %#x, evt_id %#x",
+		 idx, conn_handle, evt->header.evt_id);
 
 	switch (evt->header.evt_id) {
 	case BLE_GAP_EVT_CONNECTED:
-		on_connected(conn_handle, &evt->evt.gap_evt.params.connected);
+		on_connected(conn_handle, idx, &evt->evt.gap_evt.params.connected);
 		break;
 
 	case BLE_GAP_EVT_DISCONNECTED:
-		on_disconnected(conn_handle, &evt->evt.gap_evt.params.disconnected);
 		break;
 
 	case BLE_GAP_EVT_CONN_PARAM_UPDATE:
-		on_conn_params_update(
-			conn_handle, &evt->evt.gap_evt.params.conn_param_update);
+		on_conn_params_update(conn_handle, idx, &evt->evt.gap_evt.params.conn_param_update);
 		break;
 
 	default:
@@ -198,15 +195,16 @@ NRF_SDH_STATE_EVT_OBSERVER(ble_conn_params_sdh_state_observer, on_state_evt, NUL
 int ble_conn_params_override(uint16_t conn_handle, const ble_gap_conn_params_t *conn_params)
 {
 	int err;
+	const int idx = nrf_sdh_ble_idx_get(conn_handle);
 
-	if (conn_handle > ARRAY_SIZE(links)) {
+	if (idx < 0) {
 		return -EINVAL;
 	}
 	if (!conn_params) {
 		return -EFAULT;
 	}
 
-	links[conn_handle].ppcp = *conn_params;
+	links[idx].ppcp = *conn_params;
 	err = sd_ble_gap_conn_param_update(conn_handle, conn_params);
 	if (err) {
 		return -EINVAL;