hci_transport_h4: fix payload size check

Matthias Ringwald 2019-07-13 15:35:46 +02:00
parent 6ea073fee9
commit ea374553cc
2 changed files with 8 additions and 8 deletions


@ -437,8 +437,8 @@ static void hci_transport_em9304_spi_block_read(void){
case H4_W4_EVENT_HEADER:
hci_transport_em9304_spi_bytes_to_read = hci_packet[2];
// check ACL length
if (HCI_EVENT_HEADER_SIZE + hci_transport_em9304_spi_bytes_to_read > HCI_INCOMING_PACKET_BUFFER_SIZE){
// check Event length
if (bytes_to_read > (HCI_INCOMING_PACKET_BUFFER_SIZE - HCI_EVENT_HEADER_SIZE)){
log_error("invalid Event len %d - only space for %u", hci_transport_em9304_spi_bytes_to_read, HCI_INCOMING_PACKET_BUFFER_SIZE - HCI_EVENT_HEADER_SIZE);
hci_transport_em9304_spi_reset_statemachine();
break;
@ -449,7 +449,7 @@ static void hci_transport_em9304_spi_block_read(void){
case H4_W4_ACL_HEADER:
hci_transport_em9304_spi_bytes_to_read = little_endian_read_16( hci_packet, 3);
// check ACL length
if (HCI_ACL_HEADER_SIZE + hci_transport_em9304_spi_bytes_to_read > HCI_INCOMING_PACKET_BUFFER_SIZE){
if (bytes_to_read > (HCI_INCOMING_PACKET_BUFFER_SIZE - HCI_ACL_HEADER_SIZE)){
log_error("invalid ACL payload len %d - only space for %u", hci_transport_em9304_spi_bytes_to_read, HCI_INCOMING_PACKET_BUFFER_SIZE - HCI_ACL_HEADER_SIZE);
hci_transport_em9304_spi_reset_statemachine();
break;
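Review bot: In both the `H4_W4_EVENT_HEADER` and `H4_W4_ACL_HEADER` cases of `hci_transport_em9304_spi_block_read`, the subtraction-form check (which reads as the new side; the page has lost its +/- markers) tests `bytes_to_read`, while the length taken from the packet is stored in `hci_transport_em9304_spi_bytes_to_read` and that same variable is what `log_error` prints. No `bytes_to_read` is declared in the visible lines of this file, so the check either fails to compile or tests an unrelated variable, and the controller-supplied length would then reach the read into `hci_packet` unchecked. The condition should name the variable that was just assigned: `if (hci_transport_em9304_spi_bytes_to_read > (HCI_INCOMING_PACKET_BUFFER_SIZE - HCI_EVENT_HEADER_SIZE)){`, and likewise with `HCI_ACL_HEADER_SIZE` in the ACL case. The function body starts and ends outside these hunks, so this is worth confirming against the full file.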


@ -140,8 +140,8 @@ static void (*packet_handler)(uint8_t packet_type, uint8_t *packet, uint16_t si
// packet reader state machine
static H4_STATE h4_state;
static int bytes_to_read;
static int read_pos;
static uint16_t bytes_to_read;
static uint16_t read_pos;
// incoming packet buffer
static uint8_t hci_packet_with_pre_buffer[HCI_INCOMING_PRE_BUFFER_SIZE + HCI_INCOMING_PACKET_BUFFER_SIZE + 1]; // packet type + max(acl header + acl payload, event header + event data)
@ -225,7 +225,7 @@ static void hci_transport_h4_block_read(void){
case H4_W4_EVENT_HEADER:
bytes_to_read = hci_packet[2];
// check Event length
if (HCI_EVENT_HEADER_SIZE + bytes_to_read > HCI_INCOMING_PACKET_BUFFER_SIZE){
if (bytes_to_read > (HCI_INCOMING_PACKET_BUFFER_SIZE - HCI_EVENT_HEADER_SIZE)){
log_error("hci_transport_h4: invalid Event len %d - only space for %u", bytes_to_read, HCI_INCOMING_PACKET_BUFFER_SIZE - HCI_EVENT_HEADER_SIZE);
hci_transport_h4_reset_statemachine();
break;
@ -236,7 +236,7 @@ static void hci_transport_h4_block_read(void){
case H4_W4_ACL_HEADER:
bytes_to_read = little_endian_read_16( hci_packet, 3);
// check ACL length
if (HCI_ACL_HEADER_SIZE + bytes_to_read > HCI_INCOMING_PACKET_BUFFER_SIZE){
if (bytes_to_read > (HCI_INCOMING_PACKET_BUFFER_SIZE - HCI_ACL_HEADER_SIZE)){
log_error("hci_transport_h4: invalid ACL payload len %d - only space for %u", bytes_to_read, HCI_INCOMING_PACKET_BUFFER_SIZE - HCI_ACL_HEADER_SIZE);
hci_transport_h4_reset_statemachine();
break;
@ -247,7 +247,7 @@ static void hci_transport_h4_block_read(void){
case H4_W4_SCO_HEADER:
bytes_to_read = hci_packet[3];
// check SCO length
if (HCI_SCO_HEADER_SIZE + bytes_to_read > HCI_INCOMING_PACKET_BUFFER_SIZE){
if (bytes_to_read > (HCI_INCOMING_PACKET_BUFFER_SIZE - HCI_SCO_HEADER_SIZE)){
log_error("hci_transport_h4: invalid SCO payload len %d - only space for %u", bytes_to_read, HCI_INCOMING_PACKET_BUFFER_SIZE - HCI_SCO_HEADER_SIZE);
hci_transport_h4_reset_statemachine();
break;
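Review bot: With `bytes_to_read` now declared `uint16_t`, the three `log_error` calls in `hci_transport_h4_block_read` still format it with `%d`. On a target where `int` is 16 bits the argument promotes to `unsigned int`, so a rejected length of 0x8000 or more would be logged as a negative number; `%u` is the matching conversion. The rewritten checks would also benefit from a short why-comment above the first of them, for example `// length comes from the controller: compare it against the remaining space instead of adding the header size first`. That wording is my reading of the motivation, which the commit message does not state. The subtraction is only sound while `HCI_INCOMING_PACKET_BUFFER_SIZE` is at least as large as each header size; its definition is outside these hunks, as is the rest of the function.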