
Commit 2571b7e

lylezhu2012nashif
authored andcommitted
Bluetooth: Classic: HFP_HF: Fix invalid indicator index issue
An invalid indicator index will cause the underflow of the array `ag_ind` if the indicator index is not returned by AG in the response of AT command `AT+CIND=?`. Replace hardcoded `-1` values with HFP_HF_INDICATOR_INVALID constant for better code readability and maintainability. Add proper bounds checking to validate indicator indices before accessing the `ag_ind` array using the `ind_table` mapping. Signed-off-by: Lyle Zhu <[email protected]>
1 parent 75ff93a commit 2571b7e


1 file changed

+17
-4
lines changed


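--- a/subsys/bluetooth/host/classic/hfp_hf.c
+++ b/subsys/bluetooth/host/classic/hfp_hf.c
@@ -34,6 +34,8 @@ LOG_MODULE_REGISTER(bt_hfp_hf);
 
 #define MAX_IND_STR_LEN 17
 
+#define HFP_HF_INDICATOR_INVALID -1
+
 struct bt_hfp_hf_cb *bt_hf;
 
 NET_BUF_POOL_FIXED_DEFINE(hf_pool, CONFIG_BT_MAX_CONN + 1,
@@ -1336,7 +1338,17 @@ void ag_indicator_handle_values(struct at_client *hf_at, uint32_t index,
 
 LOG_DBG("Index :%u, Value :%u", index, value);
 
-if (index >= ARRAY_SIZE(ag_ind)) {
+if (index >= ARRAY_SIZE(hf->ind_table)) {
+LOG_ERR("Invalid indicator index: %u", index);
+return;
+}
+
+if (hf->ind_table[index] == HFP_HF_INDICATOR_INVALID) {
+LOG_ERR("Indicator index %u not found", index);
+return;
+}
+
+if (hf->ind_table[index] >= ARRAY_SIZE(ag_ind)) {
 LOG_ERR("Max only %zu indicators are supported", ARRAY_SIZE(ag_ind));
 return;
 }
@@ -2790,7 +2802,8 @@ int bt_hfp_hf_indicator_status(struct bt_hfp_hf *hf, uint8_t status)
 
 bia_status = &buffer[0];
 for (index = 0; index < ARRAY_SIZE(hf->ind_table); index++) {
-if ((hf->ind_table[index] != -1) && (index < NUM_BITS(sizeof(status)))) {
+if ((hf->ind_table[index] != HFP_HF_INDICATOR_INVALID) &&
+(index < NUM_BITS(sizeof(status)))) {
 if (status & BIT(hf->ind_table[index])) {
 *bia_status = '1';
 } else {
@@ -4433,8 +4446,8 @@ static struct bt_hfp_hf *hfp_hf_create(struct bt_conn *conn)
 
 k_work_init_delayable(&hf->deferred_work, bt_hf_deferred_work);
 
-for (index = 0; index < ARRAY_SIZE(hf->ind_table); index++) {
-hf->ind_table[index] = -1;
+ARRAY_FOR_EACH(hf->ind_table, i) {
+hf->ind_table[i] = HFP_HF_INDICATOR_INVALID;
 }
 
 return hf;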
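Review bot: In the third hunk the rewrapped condition still bounds the loop variable `index` against `NUM_BITS(sizeof(status))`, while the bit actually tested on the next line is `BIT(hf->ind_table[index])`; if, as the bounds check in the second hunk implies, the table holds `ag_ind` positions, a mapped value of 8 or more is silently never matched in the 8-bit `status`, and only the unrelated loop index is being bounded. If `status` is keyed by the `ag_ind` index, the guard should read `(hf->ind_table[index] < NUM_BITS(sizeof(status)))` and the loop index needs no bit bound at all; if `status` is instead keyed by AG position, the `BIT()` argument is the thing to confirm, and a one-line comment stating which indexing `status` uses would settle it for the next reader. `bt_hfp_hf_indicator_status` starts and ends outside the hunk. In the last hunk, if `index` was declared only for the replaced `for` loop it is now unused in `hfp_hf_create`; its declaration is outside the hunk, so this is worth checking for an unused-variable warning.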
