hci transport: verify ACL packet payload len

Matthias Ringwald 2016-02-03 11:12:57 +01:00
parent 8ab4656a5b
commit bcca056723
3 changed files with 32 additions and 16 deletions


@ -236,15 +236,18 @@ static void h4_register_packet_handler(void (*handler)(uint8_t packet_type, ui
packet_handler = handler;
}
static void h4_deliver_packet(void){
if (read_pos < 3) return; // sanity check
packet_handler(hci_packet[0], &hci_packet[1], read_pos-1);
static void h4_reset_statemachine(void){
h4_state = H4_W4_PACKET_TYPE;
read_pos = 0;
bytes_to_read = 1;
}
static void h4_deliver_packet(void){
if (read_pos < 3) return; // sanity check
packet_handler(hci_packet[0], &hci_packet[1], read_pos-1);
h4_reset_statemachine();
}
static void h4_statemachine(void){
switch (h4_state) {
@ -264,8 +267,7 @@ static void h4_statemachine(void){
break;
default:
log_error("h4_process: invalid packet type 0x%02x", hci_packet[0]);
read_pos = 0;
bytes_to_read = 1;
h4_reset_statemachine();
break;
}
break;
@ -277,6 +279,12 @@ static void h4_statemachine(void){
case H4_W4_ACL_HEADER:
bytes_to_read = READ_BT_16( hci_packet, 3);
// check ACL length
if (HCI_ACL_HEADER_SIZE + bytes_to_read > HCI_PACKET_BUFFER_SIZE){
log_error("h4_process: invalid ACL payload len %u - only space for %u", bytes_to_read, HCI_PACKET_BUFFER_SIZE - HCI_ACL_HEADER_SIZE);
h4_reset_statemachine();
break;
}
h4_state = H4_W4_PAYLOAD;
break;
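Review bot: The new bound in the `H4_W4_ACL_HEADER` case compares `HCI_ACL_HEADER_SIZE + bytes_to_read` with `HCI_PACKET_BUFFER_SIZE`, but the length is read at offset 3, so `hci_packet[0]` holds the packet type and the bytes actually stored are one more than the checked sum. Whether that is safe depends on how `hci_packet` is declared, which is outside this hunk; if the array does not reserve an extra byte for the packet type, the guard should be `if (1 + HCI_ACL_HEADER_SIZE + bytes_to_read > HCI_PACKET_BUFFER_SIZE){`. The same expression is used in the ACL header check of the second file on this page. A comment such as `// hci_packet = packet type (1) + ACL header + payload` next to the check would let a reader verify the bound. The body of h4_statemachine continues outside the hunk.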


@ -180,10 +180,8 @@ static void h4_block_received(void){
break;
default:
log_error("h4_process: invalid packet type 0x%02x", hci_packet[0]);
read_pos = 0;
h4_state = H4_W4_PACKET_TYPE;
bytes_to_read = 1;
break;
h4_init_sm();
return;
}
break;
@ -198,6 +196,12 @@ static void h4_block_received(void){
case H4_W4_ACL_HEADER:
bytes_to_read = READ_BT_16( hci_packet, 3);
// check ACL length
if (HCI_ACL_HEADER_SIZE + bytes_to_read > HCI_PACKET_BUFFER_SIZE){
log_error("h4_process: invalid ACL payload len %u - only space for %u", bytes_to_read, HCI_PACKET_BUFFER_SIZE - HCI_ACL_HEADER_SIZE);
h4_init_sm();
return;
}
if (bytes_to_read == 0) {
h4_state = H4_PACKET_RECEIVED;
break;
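Review bot: Rejecting the oversized ACL header with `h4_init_sm(); return;` restarts parsing at the packet-type state, while the payload the controller announced is presumably still on its way, so those bytes would next be interpreted as packet types and headers. Nothing in the visible lines discards the announced payload or resets the controller, and the body of `h4_init_sm()` is not shown, so this is inferred rather than confirmed. At minimum the behaviour should be documented at the check, e.g. `// stream is out of sync after this reset: the dropped packet's payload will be parsed as new packets`. The same applies to the `h4_reset_statemachine()` path in the first file and the `h4_rx_init_sm()` path in the third.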


@ -246,19 +246,23 @@ static void h4_block_received(void){
case EHCILL_WAKE_UP_IND:
case EHCILL_WAKE_UP_ACK:
ehcill_handle(hci_packet[0]);
read_pos = 0;
bytes_to_read = 1;
break;
h4_rx_init_sm();
return;
default:
log_error("h4_process: invalid packet type 0x%02x", hci_packet[0]);
read_pos = 0;
bytes_to_read = 1;
break;
h4_rx_init_sm();
return;
}
break;
case H4_W4_EVENT_HEADER:
bytes_to_read = hci_packet[2];
// check ACL length
if (HCI_ACL_HEADER_SIZE + bytes_to_read > HCI_PACKET_BUFFER_SIZE){
log_error("h4_process: invalid ACL payload len %u - only space for %u", bytes_to_read, HCI_PACKET_BUFFER_SIZE - HCI_ACL_HEADER_SIZE);
h4_rx_init_sm();
return;
}
if (bytes_to_read) {
h4_state = H4_W4_PAYLOAD;
break;
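Review bot: The check added under `case H4_W4_EVENT_HEADER:` is labelled `// check ACL length` and uses `HCI_ACL_HEADER_SIZE`, yet `bytes_to_read` here is the one-byte event parameter length taken from `hci_packet[2]`. With an 8-bit length the condition can only fire when `HCI_PACKET_BUFFER_SIZE` is below `HCI_ACL_HEADER_SIZE + 255`, and the log message would report an event as an ACL packet. This looks like the ACL check landed in the wrong case. The `H4_W4_ACL_HEADER` case of this file is not part of the hunk, so it is not visible whether the 16-bit ACL length is verified in this transport at all. I would move the check to the ACL header case, after its `bytes_to_read = READ_BT_16( hci_packet, 3);`, and give any event-side check its own header-size constant and message.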