Commit ac3dec5

theob-prostephanosio
authored andcommitted
Bluetooth: Host: Check returned value by LE_READ_BUFFER_SIZE
`rp->le_max_num` was passed unchecked into `k_sem_init()`; an invalid (zero) value reported by the controller would initialize the semaphore from that value and lead to undefined behavior. To fix that, `rp->le_max_num` is now checked the same way `bt_dev.le.acl_mtu` already was. The same has been done for `rp->acl_max_num` and `rp->iso_max_num` in the `read_buffer_size_v2_complete()` function. Signed-off-by: Théo Battrel <[email protected]>
1 parent 5b9a2ef commit ac3dec5

1 file changed

+20
-10
lines changed


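--- a/subsys/bluetooth/host/hci_core.c
+++ b/subsys/bluetooth/host/hci_core.c
@@ -2602,11 +2602,14 @@ static void le_read_buffer_size_complete(struct net_buf *buf)
 LOG_DBG("status 0x%02x", rp->status);
 
 #if defined(CONFIG_BT_CONN)
-bt_dev.le.acl_mtu = sys_le16_to_cpu(rp->le_max_len);
-if (!bt_dev.le.acl_mtu) {
+uint16_t acl_mtu = sys_le16_to_cpu(rp->le_max_len);
+
+if (!acl_mtu || !rp->le_max_num) {
 return;
 }
 
+bt_dev.le.acl_mtu = acl_mtu;
+
 LOG_DBG("ACL LE buffers: pkts %u mtu %u", rp->le_max_num, bt_dev.le.acl_mtu);
 
 k_sem_init(&bt_dev.le.acl_pkts, rp->le_max_num, rp->le_max_num);
@@ -2621,22 +2624,25 @@ static void read_buffer_size_v2_complete(struct net_buf *buf)
 LOG_DBG("status %u", rp->status);
 
 #if defined(CONFIG_BT_CONN)
-bt_dev.le.acl_mtu = sys_le16_to_cpu(rp->acl_max_len);
-if (!bt_dev.le.acl_mtu) {
-return;
-}
+uint16_t acl_mtu = sys_le16_to_cpu(rp->acl_max_len);
 
-LOG_DBG("ACL LE buffers: pkts %u mtu %u", rp->acl_max_num, bt_dev.le.acl_mtu);
+if (acl_mtu && rp->acl_max_num) {
+bt_dev.le.acl_mtu = acl_mtu;
+LOG_DBG("ACL LE buffers: pkts %u mtu %u", rp->acl_max_num, bt_dev.le.acl_mtu);
 
-k_sem_init(&bt_dev.le.acl_pkts, rp->acl_max_num, rp->acl_max_num);
+k_sem_init(&bt_dev.le.acl_pkts, rp->acl_max_num, rp->acl_max_num);
+}
 #endif /* CONFIG_BT_CONN */
 
-bt_dev.le.iso_mtu = sys_le16_to_cpu(rp->iso_max_len);
-if (!bt_dev.le.iso_mtu) {
+uint16_t iso_mtu = sys_le16_to_cpu(rp->iso_max_len);
+
+if (!iso_mtu || !rp->iso_max_num) {
 LOG_ERR("ISO buffer size not set");
 return;
 }
 
+bt_dev.le.iso_mtu = iso_mtu;
+
 LOG_DBG("ISO buffers: pkts %u mtu %u", rp->iso_max_num, bt_dev.le.iso_mtu);
 
 k_sem_init(&bt_dev.le.iso_pkts, rp->iso_max_num, rp->iso_max_num);
@@ -2910,6 +2916,7 @@ static int le_init_iso(void)
 if (err) {
 return err;
 }
+
 read_buffer_size_v2_complete(rsp);
 
 net_buf_unref(rsp);
@@ -2923,6 +2930,7 @@ static int le_init_iso(void)
 if (err) {
 return err;
 }
+
 le_read_buffer_size_complete(rsp);
 
 net_buf_unref(rsp);
@@ -2966,7 +2974,9 @@ static int le_init(void)
 if (err) {
 return err;
 }
+
 le_read_buffer_size_complete(rsp);
+
 net_buf_unref(rsp);
 }
 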
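Review bot: The new `if (acl_mtu && rp->acl_max_num)` guard in `read_buffer_size_v2_complete` turns the former early return into a silent skip, so a controller reporting a zero ACL length or zero ACL packet count now leaves `bt_dev.le.acl_pkts` uninitialized and continues into the ISO setup with no log line, while the ISO branch right below reports the equivalent condition with `LOG_ERR("ISO buffer size not set")`; the silent `return;` on `!acl_mtu || !rp->le_max_num` in `le_read_buffer_size_complete` has the same asymmetry. If a zero value is intentionally tolerated here because the caller falls back to the classic Read_Buffer_Size values (that logic, if present, lives outside these hunks and I cannot confirm it), a comment such as `/* Zero length/count: no dedicated LE ACL buffers, caller is expected to fall back */` above each guard would document that; otherwise an `else { LOG_WRN("ACL buffer size not set"); }` on the v2 guard and a `LOG_WRN` before the return in the v1 path would match the ISO handling and make a misbehaving controller visible. Both enclosing functions begin before their hunks.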