From 2b5067ded877acd8ef8e0089acf8f39be7cd3e9b Mon Sep 17 00:00:00 2001 From: Matthias Ringwald Date: Thu, 7 Jan 2016 10:18:04 +0100 Subject: [PATCH] hci_transport: check type of transport config before accessing baud rates --- chipset/csr/bt_control_csr.c | 14 ++++++++++---- platform/posix/src/hci_transport_h4.c | 13 ++++++++++++- platform/posix/src/hci_transport_h5.c | 11 ++++++++++- port/ios/src/bt_control_iphone.m | 10 ++++++++++ 4 files changed, 42 insertions(+), 6 deletions(-) diff --git a/chipset/csr/bt_control_csr.c b/chipset/csr/bt_control_csr.c index 2a8ed2467..1fd79d824 100644 --- a/chipset/csr/bt_control_csr.c +++ b/chipset/csr/bt_control_csr.c @@ -74,14 +74,20 @@ static int bt_control_csr_on(void *config){ } // set requested baud rate -static void bt_control_csr_update_command(hci_transport_config_uart_t *config, uint8_t *hci_cmd_buffer){ +static void bt_control_csr_update_command(void *config, uint8_t *hci_cmd_buffer){ uint16_t varid = READ_BT_16(hci_cmd_buffer, 10); if (varid != 0x7003) return; uint16_t key = READ_BT_16(hci_cmd_buffer, 14); if (key != 0x01ea) return; - uint32_t baudrate = config->baudrate_main; + + // check for hci_transport_config_uart_t + if (!config) return; + if (((hci_transport_config_t*))->type != HCI_TRANSPORT_CONFIG_UART) return; + hci_transport_config_uart_t * hci_transport_config_uart = (hci_transport_config_uart_t*) config; + + uint32_t baudrate = hci_transport_config_uart->baudrate_main; if (baudrate == 0){ - baudrate = config->baudrate_init; + baudrate = hci_transport_config_uart->baudrate_init; } // uint32_t is stored as 2 x uint16_t with most important 16 bits first bt_store_16(hci_cmd_buffer, 20, baudrate >> 16); 
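Review bot: The new type check in bt_control_csr_update_command has a cast with no operand, `((hci_transport_config_t*))->type`, so the line does not compile as written. It should read `if (((hci_transport_config_t*)config)->type != HCI_TRANSPORT_CONFIG_UART) return;`. The guard is what stops a non-UART config from being read as hci_transport_config_uart_t, and it presumably relies on every config struct starting with the hci_transport_config_t header; that layout is not visible here, so a short comment at the cast stating the assumption would help. The function body continues past the end of the hunk.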
@@ -104,7 +110,7 @@ static int bt_control_csr_next_cmd(void *config, uint8_t *hci_cmd_buffer){ memcpy(&hci_cmd_buffer[3], (uint8_t *) &init_script[init_script_offset], payload_len); // support for on-the-fly configuration updates - bt_control_csr_update_command((hci_transport_config_uart_t*)config, hci_cmd_buffer); + bt_control_csr_update_command(config, hci_cmd_buffer); init_script_offset += payload_len; diff --git a/platform/posix/src/hci_transport_h4.c b/platform/posix/src/hci_transport_h4.c index 27a564fd5..d18dc6cec 100644 --- a/platform/posix/src/hci_transport_h4.c +++ b/platform/posix/src/hci_transport_h4.c @@ -63,7 +63,6 @@ static int h4_process(struct data_source *ds); static void dummy_handler(uint8_t packet_type, uint8_t *packet, uint16_t size); -static hci_transport_config_uart_t *hci_transport_config_uart; typedef enum { H4_W4_PACKET_TYPE, @@ -133,6 +132,18 @@ static int h4_set_baudrate(uint32_t baudrate){ } static int h4_open(void *transport_config){ + + // check for hci_transport_config_uart_t + if (!transport_config) { + log_error("hci_transport_h4_posix: no config!"); + return -1; + } + if (((hci_transport_config_t*)transport_config)->type != HCI_TRANSPORT_CONFIG_UART) { + log_error("hci_transport_h4_posix: config not of type != HCI_TRANSPORT_CONFIG_UART!"); + return -1; + } + hci_transport_config_uart_t * hci_transport_config_uart = (hci_transport_config_uart_t*) transport_config; + hci_transport_config_uart = (hci_transport_config_uart_t*) transport_config; struct termios toptions; int flags = O_RDWR | O_NOCTTY | O_NONBLOCK; diff --git a/platform/posix/src/hci_transport_h5.c b/platform/posix/src/hci_transport_h5.c index 89e00c1d0..860513b2d 100644 --- a/platform/posix/src/hci_transport_h5.c +++ b/platform/posix/src/hci_transport_h5.c 
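Review bot: In h4_open the new local `hci_transport_config_uart` is initialised from transport_config and then assigned the same value again on the following line; the second assignment is redundant and can be dropped. The previous hunk in this file removes the file-scope `hci_transport_config_uart`, so any other function that still reads it would no longer build; none is visible here, so this is worth checking. The log text `config not of type != HCI_TRANSPORT_CONFIG_UART!` is a double negative; `log_error("hci_transport_h4_posix: config is not of type HCI_TRANSPORT_CONFIG_UART!");` states what was rejected. The same wording recurs in the hci_transport_h5.c and bt_control_iphone.m hunks. h4_open continues past the end of the hunk.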
@@ -81,12 +81,21 @@ static hci_transport_h5_t * hci_transport_h5 = NULL; static int h5_process(struct data_source *ds); static void dummy_handler(uint8_t packet_type, uint8_t *packet, int size); -static hci_transport_config_uart_t *hci_transport_config_uart; static void (*packet_handler)(uint8_t packet_type, uint8_t *packet, int size) = dummy_handler; // prototypes static int h5_open(void *transport_config){ + // check for hci_transport_config_uart_t + if (!transport_config) { + log_error("hci_transport_h5_posix: no config!"); + return -1; + } + if (((hci_transport_config_t*)transport_config)->type != HCI_TRANSPORT_CONFIG_UART) { + log_error("hci_transport_h5_posix: config not of type != HCI_TRANSPORT_CONFIG_UART!"); + return -1; + } + hci_transport_config_uart = (hci_transport_config_uart_t*) transport_config; struct termios toptions; int fd = open(hci_transport_config_uart->device_name, O_RDWR | O_NOCTTY | O_NDELAY); diff --git a/port/ios/src/bt_control_iphone.m b/port/ios/src/bt_control_iphone.m index 87c5eaf86..31246de44 100644 --- a/port/ios/src/bt_control_iphone.m +++ b/port/ios/src/bt_control_iphone.m @@ -454,6 +454,16 @@ static int iphone_on (void *transport_config){ int err = 0; + // check for hci_transport_config_uart_t + if (!transport_config) { + log_error("hci_transport_h5_posix: no config!"); + return -1; + } + if (((hci_transport_config_t *)transport_config)->type != HCI_TRANSPORT_CONFIG_UART) { + log_error("hci_transport_h5_posix: config not of type != HCI_TRANSPORT_CONFIG_UART!"; + return -1; + } + hci_transport_config_uart_t * hci_transport_config_uart = (hci_transport_config_uart_t*) transport_config; // get local-mac-addr and transport-speed from IORegistry
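Review bot: h5_open still assigns to `hci_transport_config_uart`, but this hunk removes the file-scope declaration of that variable and, unlike the h4 change, shows no local declaration replacing it. Unless it is declared somewhere outside the hunk, the file will not compile. Declaring it at the point of use, `hci_transport_config_uart_t * hci_transport_config_uart = (hci_transport_config_uart_t*) transport_config;`, would match hci_transport_h4.c and keep the validated pointer scoped to the function that checked it. h5_open continues past the end of the hunk.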
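Review bot: The second log_error call added to iphone_on is missing its closing parenthesis (`...HCI_TRANSPORT_CONFIG_UART!";`), so bt_control_iphone.m does not compile as written. Both new messages also carry the `hci_transport_h5_posix:` prefix copied from the H5 transport, which would point anyone reading the log at the wrong file. Something like `log_error("bt_control_iphone: config is not of type HCI_TRANSPORT_CONFIG_UART!");` fixes both, and the no-config message needs the same prefix change. iphone_on starts before and ends after the hunk.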