From: island Date: Wed, 7 Jun 2017 12:06:49 +0000 (+0800) Subject: component/bt: Fix crash problem while using invalid control parameter X-Git-Tag: v2.1-rc1~61^2 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=30783d481d102679415144ed8a77e1f018d0cf43;p=esp-idf component/bt: Fix crash problem while using invalid control parameter - Fix crash problem while using invalid control parameter to set gatt characteristic or descriptor --- diff --git a/components/bt/bluedroid/api/esp_gatts_api.c b/components/bt/bluedroid/api/esp_gatts_api.c index aaf93533c2..802256f775 100644 --- a/components/bt/bluedroid/api/esp_gatts_api.c +++ b/components/bt/bluedroid/api/esp_gatts_api.c @@ -23,6 +23,8 @@ #if (GATTS_INCLUDED == TRUE) #define COPY_TO_GATTS_ARGS(_gatt_args, _arg, _arg_type) memcpy(_gatt_args, _arg, sizeof(_arg_type)) +static esp_err_t esp_ble_gatts_add_char_desc_param_check(esp_attr_value_t *char_val, esp_attr_control_t *control); + esp_err_t esp_ble_gatts_register_callback(esp_gatts_cb_t callback) { 
@@ -138,30 +140,16 @@ esp_err_t esp_ble_gatts_add_char(uint16_t service_handle, esp_bt_uuid_t *char_ { btc_msg_t msg; btc_ble_gatts_args_t arg; + esp_err_t status; if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; } /* parameter validation check */ - if ((control != NULL) && (control->auto_rsp == GATT_STACK_RSP)){ - if (char_val == NULL){ - LOG_ERROR("Error in %s, line=%d, for stack respond attribute, char_val should not be NULL here\n",\ - __func__, __LINE__); - return ESP_ERR_INVALID_ARG; - } else if (char_val->attr_max_len == 0){ - LOG_ERROR("Error in %s, line=%d, for stack respond attribute, attribute max length should not be 0\n",\ - __func__, __LINE__); - return ESP_ERR_INVALID_ARG; - } - } - - if (char_val != NULL){ - if (char_val->attr_len > char_val->attr_max_len){ - LOG_ERROR("Error in %s, line=%d,attribute actual length (%d) should not be larger than max length (%d)\n",\ - __func__, __LINE__, char_val->attr_len, char_val->attr_max_len); - return ESP_ERR_INVALID_ARG; - } + status = esp_ble_gatts_add_char_desc_param_check(char_val, control); + if (status != ESP_OK){ + return status; } memset(&arg, 0, sizeof(btc_ble_gatts_args_t)); 
@@ -193,33 +181,17 @@ esp_err_t esp_ble_gatts_add_char_descr (uint16_t service_handle, { btc_msg_t msg; btc_ble_gatts_args_t arg; + esp_err_t status; if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; } /* parameter validation check */ - if ((control != NULL) && (control->auto_rsp == GATT_STACK_RSP)){ - if (char_descr_val == NULL){ - LOG_ERROR("Error in %s, line=%d, for stack respond attribute, char_descr_val should not be NULL here\n",\ - __func__, __LINE__); - return ESP_ERR_INVALID_ARG; - } - else if (char_descr_val->attr_max_len == 0){ - LOG_ERROR("Error in %s, line=%d, for stack respond attribute, attribute max length should not be 0\n",\ - __func__, __LINE__); - return ESP_ERR_INVALID_ARG; - } - } - - if (char_descr_val != NULL){ - if (char_descr_val->attr_len > char_descr_val->attr_max_len){ - LOG_ERROR("Error in %s, line=%d,attribute actual length (%d) should not be larger than max length (%d)\n",\ - __func__, __LINE__, char_descr_val->attr_len, char_descr_val->attr_max_len); - return ESP_ERR_INVALID_ARG; - } + status = esp_ble_gatts_add_char_desc_param_check(char_descr_val, control); + if (status != ESP_OK){ + return status; } - memset(&arg, 0, sizeof(btc_ble_gatts_args_t)); msg.sig = BTC_SIG_API_CALL; 
@@ -402,4 +374,28 @@ esp_err_t esp_ble_gatts_close(esp_gatt_if_t gatts_if, uint16_t conn_id) == BT_STATUS_SUCCESS ? ESP_OK : ESP_FAIL); } -#endif ///GATTS_INCLUDED \ No newline at end of file + +static esp_err_t esp_ble_gatts_add_char_desc_param_check(esp_attr_value_t *char_val, esp_attr_control_t *control) +{ + if ((control != NULL) && ((control->auto_rsp != ESP_GATT_AUTO_RSP) && (control->auto_rsp != ESP_GATT_RSP_BY_APP))){ + LOG_ERROR("Error in %s, line=%d, control->auto_rsp should be set to ESP_GATT_AUTO_RSP or ESP_GATT_RSP_BY_APP\n",\ + __func__, __LINE__); + return ESP_ERR_INVALID_ARG; + } + + if ((control != NULL) && (control->auto_rsp == ESP_GATT_AUTO_RSP)){ + if (char_val == NULL){ + LOG_ERROR("Error in %s, line=%d, for stack respond attribute, char_val should not be NULL here\n",\ + __func__, __LINE__); + return ESP_ERR_INVALID_ARG; + } else if (char_val->attr_max_len == 0){ + LOG_ERROR("Error in %s, line=%d, for stack respond attribute, attribute max length should not be 0\n",\ + __func__, __LINE__); + return ESP_ERR_INVALID_ARG; + } + } + + return ESP_OK; +} + +#endif ///GATTS_INCLUDED diff --git a/components/bt/bluedroid/stack/gatt/gatt_db.c b/components/bt/bluedroid/stack/gatt/gatt_db.c index ad7a913023..1fe69e0049 100644 --- a/components/bt/bluedroid/stack/gatt/gatt_db.c +++ b/components/bt/bluedroid/stack/gatt/gatt_db.c @@ -46,6 +46,7 @@ static BOOLEAN copy_extra_byte_in_db(tGATT_SVC_DB *p_db, void **p_dst, UINT16 le static BOOLEAN gatts_db_add_service_declaration(tGATT_SVC_DB *p_db, tBT_UUID *p_service, BOOLEAN is_pri); static tGATT_STATUS gatts_send_app_read_request(tGATT_TCB *p_tcb, UINT8 op_code, UINT16 handle, UINT16 offset, UINT32 trans_id, BOOLEAN need_rsp); +static BOOLEAN gatts_add_char_desc_value_check (tGATT_ATTR_VAL *attr_val, tGATTS_ATTR_CONTROL *control); /******************************************************************************* ** 
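Review bot: `esp_ble_gatts_add_char_desc_param_check` does not carry over the `attr_len > attr_max_len` rejection that the hunks in `esp_ble_gatts_add_char` and `esp_ble_gatts_add_char_descr` remove, so an oversized actual length is no longer refused with `ESP_ERR_INVALID_ARG` at the API boundary. The stack-side helper added in gatt_db.c still has the check, but it runs later and reports failure only by returning handle 0. Both API function bodies continue outside their hunks, so whatever they do with `char_val` before the stack is reached now works with an unvalidated length. I would restore the check in the helper just before `return ESP_OK;`: `if ((char_val != NULL) && (char_val->attr_len > char_val->attr_max_len)){ return ESP_ERR_INVALID_ARG; }`, keeping the removed `LOG_ERROR` text that prints both lengths.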
@@ -468,27 +469,13 @@ UINT16 gatts_add_characteristic (tGATT_SVC_DB *p_db, tGATT_PERM perm, { tGATT_ATTR16 *p_char_decl, *p_char_val; tBT_UUID uuid = {LEN_UUID_16, {GATT_UUID_CHAR_DECLARE}}; + BOOLEAN status; GATT_TRACE_DEBUG("gatts_add_characteristic perm=0x%0x property=0x%0x\n", perm, property); /* parameter validation check */ - if ((control != NULL) && (control->auto_rsp == GATT_STACK_RSP)){ - if (attr_val == NULL){ - GATT_TRACE_ERROR("Error in %s, line=%d, for stack respond attribute, attr_val should not be NULL here\n",\ - __func__, __LINE__); - return 0; - } else if (attr_val->attr_max_len == 0){ - GATT_TRACE_ERROR("Error in %s, line=%d, for stack respond attribute, attribute max length should not be 0\n",\ - __func__, __LINE__); - return 0; - } - } - - if (attr_val != NULL){ - if (attr_val->attr_len > attr_val->attr_max_len){ - GATT_TRACE_ERROR("Error in %s, line=%d,attribute actual length should not be larger than max length\n",\ - __func__, __LINE__); - return 0; - } + status = gatts_add_char_desc_value_check(attr_val, control); + if (status == FALSE){ + return 0; } 
@@ -621,31 +608,16 @@ UINT16 gatts_add_char_descr (tGATT_SVC_DB *p_db, tGATT_PERM perm, tBT_UUID *p_descr_uuid, tGATT_ATTR_VAL *attr_val, tGATTS_ATTR_CONTROL *control) { tGATT_ATTR16 *p_char_dscptr; + BOOLEAN status; GATT_TRACE_DEBUG("gatts_add_char_descr uuid=0x%04x\n", p_descr_uuid->uu.uuid16); /* parameter validation check */ - if ((control != NULL) && (control->auto_rsp == GATT_STACK_RSP)){ - if (attr_val == NULL){ - GATT_TRACE_ERROR("Error in %s, line=%d, for stack respond attribute, attr_val should not be NULL here\n",\ - __func__, __LINE__); - return 0; - } else if (attr_val->attr_max_len == 0){ - GATT_TRACE_ERROR("Error in %s, line=%d, for stack respond attribute, attribute max length should not be 0\n",\ - __func__, __LINE__); - return 0; - } - } - - if (attr_val != NULL){ - if (attr_val->attr_len > attr_val->attr_max_len){ - GATT_TRACE_ERROR("Error in %s, line=%d,attribute actual length (%d) should not be larger than max length (%d)\n",\ - __func__, __LINE__, attr_val->attr_len, attr_val->attr_max_len); - return 0; - } + status = gatts_add_char_desc_value_check(attr_val, control); + if (status == FALSE){ + return 0; } - /* Add characteristic descriptors */ if ((p_char_dscptr = (tGATT_ATTR16 *)allocate_attr_in_db(p_db, p_descr_uuid, perm)) == NULL) { deallocate_attr_in_db(p_db, p_char_dscptr); 
@@ -1465,4 +1437,47 @@ static BOOLEAN gatts_db_add_service_declaration(tGATT_SVC_DB *p_db, tBT_UUID *p_ return rt; } +/******************************************************************************* +** +** Function gatts_add_char_desc_value_check +** +** Description parameters validation check for gatts add char/descriptor functions +** +** Parameter attr_val: attribute value for char/descriptor. +** control: control variable for char/descriptor. +** +** Returns void +** +*******************************************************************************/ +static BOOLEAN gatts_add_char_desc_value_check (tGATT_ATTR_VAL *attr_val, tGATTS_ATTR_CONTROL *control) +{ + if ((control != NULL) && ((control->auto_rsp != GATT_RSP_BY_APP) && (control->auto_rsp != GATT_RSP_BY_STACK))){ + GATT_TRACE_ERROR("Error in %s, line=%d, control->auto_rsp should be set to GATT_RSP_BY_APP or GATT_RSP_BY_STACK here\n",\ + __func__, __LINE__); + return FALSE; + } + + if ((control != NULL) && (control->auto_rsp == GATT_RSP_BY_STACK)){ + if (attr_val == NULL){ + GATT_TRACE_ERROR("Error in %s, line=%d, for stack respond attribute, attr_val should not be NULL here\n",\ + __func__, __LINE__); + return FALSE; + } else if (attr_val->attr_max_len == 0){ + GATT_TRACE_ERROR("Error in %s, line=%d, for stack respond attribute, attribute max length should not be 0\n",\ + __func__, __LINE__); + return FALSE; + } + } + + if (attr_val != NULL){ + if (attr_val->attr_len > attr_val->attr_max_len){ + GATT_TRACE_ERROR("Error in %s, line=%d,attribute actual length should not be larger than max length\n",\ + __func__, __LINE__); + return FALSE; + } + } + + return TRUE ; +} + #endif /* BLE_INCLUDED == TRUE && GATTS_INCLUDED == TRUE */
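Review bot: The header comment for `gatts_add_char_desc_value_check` says `Returns void`, but the function is declared `static BOOLEAN` and both callers compare its result against `FALSE`. The line should read something like `** Returns TRUE if the parameters are valid, FALSE otherwise`. The length-mismatch message kept here is also the variant without values, whereas the one removed from `gatts_add_char_descr` printed `attr_len` and `attr_max_len`. Carrying those two values into the shared message would keep the log useful when a caller passes a bad length.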