Commit 43ed49c

Andries Kruithof authored and nashif committed
Bluetooth: tests: edtt: fix buffer overflow error

HCI/GEV/BV-01-C tries to send 255 bytes over HCI, as part of sending an unknown/unsupported command, but the default buffer size is 65, which results in a buffer overflow and undefined behaviour. Instead of crashing hard we now check the buffer length.

In order for EDTT tests to pass we set the buffer size to 255.

Signed-off-by: Andries Kruithof <[email protected]>

1 parent e11077d commit 43ed49c

5 files changed, +12 -0 lines changed

subsys/bluetooth/host/hci_raw.c

Lines changed: 4 additions & 0 deletions
@@ -302,6 +302,10 @@ int bt_send(struct net_buf *buf)
302302
{
303303
BT_DBG("buf %p len %u", buf, buf->len);
304304

305+
if (buf->len == 0) {
306+
return BT_HCI_ERR_INVALID_PARAM;
307+
}
308+
305309
bt_monitor_send(bt_monitor_opcode(buf), buf->data, buf->len);
306310

307311
if (IS_ENABLED(CONFIG_BT_HCI_RAW_CMD_EXT) &&
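
Review bot: the new check at the top of bt_send() tests only `buf->len == 0`, so it rejects an empty buffer but puts no upper bound on the length, while the commit message describes 255 bytes going into a 65-byte buffer. If an empty buffer is how the overflow shows up at this point, say so in a comment above the check; otherwise the length test belongs where the data is written into the buffer. The function returns int and BT_HCI_ERR_INVALID_PARAM is a positive HCI status code, so a caller that checks for a negative return will read this as success; a negative errno such as -EINVAL would be safer. It is also worth confirming who releases buf on this early return.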

tests/bluetooth/bsim_bt/edtt_ble_test_app/hci_test_app/prj_dut.conf

Lines changed: 2 additions & 0 deletions
@@ -10,8 +10,10 @@ CONFIG_BT_DEBUG_LOG=y
1010
CONFIG_BT_ECC=y
1111
CONFIG_BT_TINYCRYPT_ECC=y
1212

13+
# BUF_CMD_TX_SIZE must be 255 because of HCI/GEV/BV-01-C
1314
CONFIG_BT_BUF_ACL_RX_SIZE=60
1415
CONFIG_BT_BUF_ACL_TX_SIZE=60
16+
CONFIG_BT_BUF_CMD_TX_SIZE=255
1517

1618
##
1719
## Enabling BT_CTRL_DTM_HCI requires BT_LL_SW_SPLIT which requires BT_CTRL
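
Review bot: the explanatory comment sits above CONFIG_BT_BUF_ACL_RX_SIZE=60, two lines away from the CONFIG_BT_BUF_CMD_TX_SIZE=255 line it describes, and it names the option as BUF_CMD_TX_SIZE rather than by its full symbol. Move the comment directly above the setting and use the full name so that a search for the option finds the explanation.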

tests/bluetooth/bsim_bt/edtt_ble_test_app/hci_test_app/prj_dut_llcp.conf

Lines changed: 2 additions & 0 deletions
@@ -10,8 +10,10 @@ CONFIG_BT_DEBUG_LOG=y
1010
CONFIG_BT_ECC=y
1111
CONFIG_BT_TINYCRYPT_ECC=y
1212

13+
# BUF_CMD_TX_SIZE must be 255 because of HCI/GEV/BV-01-C
1314
CONFIG_BT_BUF_ACL_RX_SIZE=60
1415
CONFIG_BT_BUF_ACL_TX_SIZE=60
16+
CONFIG_BT_BUF_CMD_TX_SIZE=255
1517

1618
##
1719
## Enabling BT_CTRL_DTM_HCI requires BT_LL_SW_SPLIT which requires BT_CTRL
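
Review bot: this is the same two-line addition as in prj_dut.conf, and the commit repeats it in all four hci_test_app configuration files, so a later change to the value has to be made in four places. Consider moving the setting into a configuration fragment shared by the four builds, or note in the comment that the four files must be kept in sync.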

tests/bluetooth/bsim_bt/edtt_ble_test_app/hci_test_app/prj_tst.conf

Lines changed: 2 additions & 0 deletions
@@ -8,8 +8,10 @@ CONFIG_BT_DEBUG_LOG=y
88
CONFIG_BT_ECC=y
99
CONFIG_BT_TINYCRYPT_ECC=y
1010

11+
# BUF_CMD_TX_SIZE must be 255 because of HCI/GEV/BV-01-C
1112
CONFIG_BT_BUF_ACL_RX_SIZE=60
1213
CONFIG_BT_BUF_ACL_TX_SIZE=60
14+
CONFIG_BT_BUF_CMD_TX_SIZE=255
1315

1416
##
1517
## Enabling BT_CTRL_DTM_HCI requires BT_LL_SW which requires BT_CTRL
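
Review bot: the comment above the ACL sizes names the test case that needs 255 but not what the 255 counts, so a reader cannot tell whether the value covers the HCI command header or only the parameters. The commit message also does not say whether the overflow occurs in the prj_tst builds, the prj_dut builds or both, so one sentence on why this file needs the larger buffer as well would help.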

tests/bluetooth/bsim_bt/edtt_ble_test_app/hci_test_app/prj_tst_llcp.conf

Lines changed: 2 additions & 0 deletions
@@ -8,8 +8,10 @@ CONFIG_BT_DEBUG_LOG=y
88
CONFIG_BT_ECC=y
99
CONFIG_BT_TINYCRYPT_ECC=y
1010

11+
# BUF_CMD_TX_SIZE must be 255 because of HCI/GEV/BV-01-C
1112
CONFIG_BT_BUF_ACL_RX_SIZE=60
1213
CONFIG_BT_BUF_ACL_TX_SIZE=60
14+
CONFIG_BT_BUF_CMD_TX_SIZE=255
1315

1416
##
1517
## Enabling BT_CTRL_DTM_HCI requires BT_LL_SW_SPLIT which requires BT_CTRL
