From a3afac2cece35c2aecc73f1db519d034caf7919e Mon Sep 17 00:00:00 2001
From: Joakim Andersson
Date: Mon, 18 Nov 2019 15:55:25 +0100
Subject: [PATCH 1/2] Bluetooth: HCI: Add utility to extract PB and BC flags from data header

Add utility to extract the flags Packet Boundary and Broadcast to the hci.h together with the rest of the ACL data header definitions.

Signed-off-by: Joakim Andersson
---
 include/bluetooth/hci.h | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/include/bluetooth/hci.h b/include/bluetooth/hci.h
index c5532f944b162..4a560eb2082f1 100644
--- a/include/bluetooth/hci.h
+++ b/include/bluetooth/hci.h
@@ -39,9 +39,15 @@ struct bt_hci_evt_hdr {
 #define BT_ACL_START_NO_FLUSH 0x00
 #define BT_ACL_CONT 0x01
 #define BT_ACL_START 0x02
+#define BT_ACL_COMPLETE 0x03
 
-#define bt_acl_handle(h) ((h) & 0x0fff)
+#define BT_ACL_POINT_TO_POINT 0x00
+#define BT_ACL_BROADCAST 0x01
+
+#define bt_acl_handle(h) ((h) & BIT_MASK(12))
 #define bt_acl_flags(h) ((h) >> 12)
+#define bt_acl_flags_pb(f) ((f) & BIT_MASK(2))
+#define bt_acl_flags_bc(f) ((f) >> 2)
 #define bt_acl_handle_pack(h, f) ((h) | ((f) << 12))
 
 struct bt_hci_acl_hdr {

From 6bef109503039592c6808c38d6d7ea12fb1c5d13 Mon Sep 17 00:00:00 2001
From: Joakim Andersson
Date: Tue, 19 Nov 2019 17:06:12 +0100
Subject: [PATCH 2/2] Bluetooth: HCI: Handle invalid ACL flags.

Handle invalid ACL flags in HCI transport. Only Point to Point is supported over HCI in both directions. Fix flushable start HCI ACL packets not allowed on LE-U connections from Host to controller.

Signed-off-by: Joakim Andersson
---
 subsys/bluetooth/controller/hci/hci.c | 17 +++++++++++++++--
 subsys/bluetooth/host/conn.c | 4 ++++
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/subsys/bluetooth/controller/hci/hci.c b/subsys/bluetooth/controller/hci/hci.c
index 2c51f50b828e5..997ed7164aa5f 100644
--- a/subsys/bluetooth/controller/hci/hci.c
+++ b/subsys/bluetooth/controller/hci/hci.c
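Review bot: The new macros encode the ACL header bit layout without stating it, so a reader of `bt_acl_flags_pb(f)` and `bt_acl_flags_bc(f)` has to work backwards from the shifts; a short comment above `bt_acl_handle` would help, e.g. `/* ACL handle field: bits 0-11 connection handle, bits 12-13 PB flag, bits 14-15 BC flag */`. The same comment should note that `bt_acl_flags_bc()` can yield 0x02 and 0x03, which are neither BT_ACL_POINT_TO_POINT nor BT_ACL_BROADCAST, so callers validating the BC field must test for inequality with BT_ACL_POINT_TO_POINT rather than equality with BT_ACL_BROADCAST. `BIT_MASK()` replaces the literal 0x0fff here; presumably hci.h already includes the header that defines it, but that is worth verifying since this public header is included by applications that may not pull it in first.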
@@ -2336,11 +2336,24 @@ int hci_acl_handle(struct net_buf *buf, struct net_buf **evt)
 	pdu_data = (void *)node_tx->pdu;
 
-	if (flags == BT_ACL_START_NO_FLUSH || flags == BT_ACL_START) {
+	if (bt_acl_flags_bc(flags) != BT_ACL_POINT_TO_POINT) {
+		return -EINVAL;
+	}
+
+	switch (bt_acl_flags_pb(flags)) {
+	case BT_ACL_START_NO_FLUSH:
 		pdu_data->ll_id = PDU_DATA_LLID_DATA_START;
-	} else {
+		break;
+	case BT_ACL_CONT:
 		pdu_data->ll_id = PDU_DATA_LLID_DATA_CONTINUE;
+		break;
+	default:
+		/* BT_ACL_START and BT_ACL_COMPLETE not allowed on LE-U
+		 * from Host to Controller
+		 */
+		return -EINVAL;
 	}
+
 	pdu_data->len = len;
 	memcpy(&pdu_data->lldata[0], buf->data, len);
diff --git a/subsys/bluetooth/host/conn.c b/subsys/bluetooth/host/conn.c
index e9c0c6010cef5..a4a2634016c79 100644
--- a/subsys/bluetooth/host/conn.c
+++ b/subsys/bluetooth/host/conn.c
@@ -1168,6 +1168,10 @@ void bt_conn_recv(struct bt_conn *conn, struct net_buf *buf, u8_t flags)
 		break;
 	default:
+		/* BT_ACL_START_NO_FLUSH and BT_ACL_COMPLETE are not allowed on
+		 * LE-U from Controller to Host.
+		 * Only BT_ACL_POINT_TO_POINT is supported.
+		 */
 		BT_ERR("Unexpected ACL flags (0x%02x)", flags);
 		bt_conn_reset_rx_state(conn);
 		net_buf_unref(buf);
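Review bot: The two new `return -EINVAL;` paths exit with node_tx still held: pdu_data is taken from `node_tx->pdu` on the hunk's first line, so the node was already acquired from the Tx pool before the flag checks run, and neither early return gives it back — please confirm against the acquisition earlier in hci_acl_handle, which is outside the hunk. If that reading is right, every rejected packet leaks one Tx node, so a host that keeps sending malformed flags will eventually exhaust the controller's pool. The cleanest fix is to hoist both checks above the node acquisition so the error paths own nothing; otherwise release the node (`ll_tx_mem_release(node_tx);`, assuming that is the matching call) before each `return -EINVAL;`. The rejections are also silent, whereas the host-side default case in conn.c logs `BT_ERR("Unexpected ACL flags (0x%02x)", flags);`; a similar BT_ERR here keeps both directions consistent and makes a misbehaving host visible in the trace. hci_acl_handle starts and ends outside the hunk.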