hci: fix null dereference in hci_send_cmd_packet when hci connection table is full

Matthias Ringwald 2016-07-01 11:28:08 +02:00
parent 41d0c87b0d
commit 2deddeced7


@ -83,7 +83,7 @@ static void hci_connection_timestamp(hci_connection_t *connection);
static int hci_power_control_on(void);
static void hci_power_control_off(void);
static void hci_state_reset(void);
static void hci_emit_connection_complete(hci_connection_t *conn, uint8_t status);
static void hci_emit_connection_complete(bd_addr_t address, hci_con_handle_t con_handle, uint8_t status);
static void hci_emit_l2cap_check_timeout(hci_connection_t *conn);
static void hci_emit_disconnection_complete(hci_con_handle_t con_handle, uint8_t reason);
static void hci_emit_nr_connections_changed(void);
@ -2807,7 +2807,7 @@ int hci_send_cmd_packet(uint8_t *packet, int size){
conn = create_connection_for_bd_addr_and_type(addr, BD_ADDR_TYPE_CLASSIC);
if (!conn){
// notify client that alloc failed
hci_emit_connection_complete(conn, BTSTACK_MEMORY_ALLOC_FAILED);
hci_emit_connection_complete(addr, 0, BTSTACK_MEMORY_ALLOC_FAILED);
return 0; // don't sent packet to controller
}
conn->state = SEND_CREATE_CONNECTION;
@ -2817,7 +2817,7 @@ int hci_send_cmd_packet(uint8_t *packet, int size){
// if connection active exists
case OPEN:
// and OPEN, emit connection complete command, don't send to controller
hci_emit_connection_complete(conn, 0);
hci_emit_connection_complete(addr, 0, 0);
return 0;
case SEND_CREATE_CONNECTION:
// connection created by hci, e.g. dedicated bonding
@ -3010,13 +3010,13 @@ void hci_emit_state(void){
hci_emit_event(event, sizeof(event), 1);
}
static void hci_emit_connection_complete(hci_connection_t *conn, uint8_t status){
static void hci_emit_connection_complete(bd_addr_t address, hci_con_handle_t con_handle, uint8_t status){
uint8_t event[13];
event[0] = HCI_EVENT_CONNECTION_COMPLETE;
event[1] = sizeof(event) - 2;
event[2] = status;
little_endian_store_16(event, 3, conn->con_handle);
reverse_bd_addr(conn->address, &event[5]);
little_endian_store_16(event, 3, con_handle);
reverse_bd_addr(address, &event[5]);
event[11] = 1; // ACL connection
event[12] = 0; // encryption disabled
hci_emit_event(event, sizeof(event), 1);