diff --git a/src/hci_transport_em9304_spi.c b/src/hci_transport_em9304_spi.c
index 4191a7c70..9072c3603 100644
--- a/src/hci_transport_em9304_spi.c
+++ b/src/hci_transport_em9304_spi.c
@@ -437,8 +437,8 @@ static void hci_transport_em9304_spi_block_read(void){
 case H4_W4_EVENT_HEADER:
 hci_transport_em9304_spi_bytes_to_read = hci_packet[2];
- // check ACL length
- if (HCI_EVENT_HEADER_SIZE + hci_transport_em9304_spi_bytes_to_read > HCI_INCOMING_PACKET_BUFFER_SIZE){
+ // check Event length
+ if (bytes_to_read > (HCI_INCOMING_PACKET_BUFFER_SIZE - HCI_EVENT_HEADER_SIZE)){
 log_error("invalid Event len %d - only space for %u", hci_transport_em9304_spi_bytes_to_read, HCI_INCOMING_PACKET_BUFFER_SIZE - HCI_EVENT_HEADER_SIZE);
 hci_transport_em9304_spi_reset_statemachine();
 break;
@@ -449,7 +449,7 @@ static void hci_transport_em9304_spi_block_read(void){
 case H4_W4_ACL_HEADER:
 hci_transport_em9304_spi_bytes_to_read = little_endian_read_16( hci_packet, 3);
 // check ACL length
- if (HCI_ACL_HEADER_SIZE + hci_transport_em9304_spi_bytes_to_read > HCI_INCOMING_PACKET_BUFFER_SIZE){
+ if (bytes_to_read > (HCI_INCOMING_PACKET_BUFFER_SIZE - HCI_ACL_HEADER_SIZE)){
 log_error("invalid ACL payload len %d - only space for %u", hci_transport_em9304_spi_bytes_to_read, HCI_INCOMING_PACKET_BUFFER_SIZE - HCI_ACL_HEADER_SIZE);
 hci_transport_em9304_spi_reset_statemachine();
 break;
diff --git a/src/hci_transport_h4.c b/src/hci_transport_h4.c
index a7a34a224..2baca18da 100644
--- a/src/hci_transport_h4.c
+++ b/src/hci_transport_h4.c
@@ -140,8 +140,8 @@ static void (*packet_handler)(uint8_t packet_type, uint8_t *packet, uint16_t si
 // packet reader state machine
 static H4_STATE h4_state;
-static int bytes_to_read;
-static int read_pos;
+static uint16_t bytes_to_read;
+static uint16_t read_pos;
 // incoming packet buffer
 static uint8_t hci_packet_with_pre_buffer[HCI_INCOMING_PRE_BUFFER_SIZE + HCI_INCOMING_PACKET_BUFFER_SIZE + 1]; // packet type + max(acl header + acl payload, event header + event data)
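Review bot: The rewritten Event check in hci_transport_em9304_spi_block_read tests `bytes_to_read`, but the line directly above stores the controller-supplied length in `hci_transport_em9304_spi_bytes_to_read`, and the log_error call still prints that variable; the ACL check in the following hunk has the same mismatch. No `bytes_to_read` declaration is visible for this file, so this either fails to compile or, if such a name happens to be in scope, validates a value the received length never reaches and the bound on the incoming packet buffer is not enforced. The conditions should use the file's own variable: `if (hci_transport_em9304_spi_bytes_to_read > (HCI_INCOMING_PACKET_BUFFER_SIZE - HCI_EVENT_HEADER_SIZE)){` and the same with `HCI_ACL_HEADER_SIZE`. The declaration of that variable is outside both hunks; it presumably needs the same `uint16_t` change made in hci_transport_h4.c, otherwise a 16-bit length can still be read as negative on targets with a 16-bit `int`.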
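Review bot: Changing the file-scope `bytes_to_read` and `read_pos` from `int` to `uint16_t` affects every arithmetic use of them in hci_transport_h4.c, not only the three length checks touched by this patch. Any code outside this hunk that subtracts a received byte count from them or tests for `< 0` / `<= 0` would now wrap around instead of going negative, so those sites should be re-read before merging; none of them are visible here. A comment on the declarations would record the intent, for example `// unsigned 16-bit: lengths are taken from HCI headers and must never be interpreted as negative`.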
@@ -225,7 +225,7 @@ static void hci_transport_h4_block_read(void){
 case H4_W4_EVENT_HEADER:
 bytes_to_read = hci_packet[2];
 // check Event length
- if (HCI_EVENT_HEADER_SIZE + bytes_to_read > HCI_INCOMING_PACKET_BUFFER_SIZE){
+ if (bytes_to_read > (HCI_INCOMING_PACKET_BUFFER_SIZE - HCI_EVENT_HEADER_SIZE)){
 log_error("hci_transport_h4: invalid Event len %d - only space for %u", bytes_to_read, HCI_INCOMING_PACKET_BUFFER_SIZE - HCI_EVENT_HEADER_SIZE);
 hci_transport_h4_reset_statemachine();
 break;
@@ -236,7 +236,7 @@ static void hci_transport_h4_block_read(void){
 case H4_W4_ACL_HEADER:
 bytes_to_read = little_endian_read_16( hci_packet, 3);
 // check ACL length
- if (HCI_ACL_HEADER_SIZE + bytes_to_read > HCI_INCOMING_PACKET_BUFFER_SIZE){
+ if (bytes_to_read > (HCI_INCOMING_PACKET_BUFFER_SIZE - HCI_ACL_HEADER_SIZE)){
 log_error("hci_transport_h4: invalid ACL payload len %d - only space for %u", bytes_to_read, HCI_INCOMING_PACKET_BUFFER_SIZE - HCI_ACL_HEADER_SIZE);
 hci_transport_h4_reset_statemachine();
 break;
@@ -247,7 +247,7 @@ static void hci_transport_h4_block_read(void){
 case H4_W4_SCO_HEADER:
 bytes_to_read = hci_packet[3];
 // check SCO length
- if (HCI_SCO_HEADER_SIZE + bytes_to_read > HCI_INCOMING_PACKET_BUFFER_SIZE){
+ if (bytes_to_read > (HCI_INCOMING_PACKET_BUFFER_SIZE - HCI_SCO_HEADER_SIZE)){
 log_error("hci_transport_h4: invalid SCO payload len %d - only space for %u", bytes_to_read, HCI_INCOMING_PACKET_BUFFER_SIZE - HCI_SCO_HEADER_SIZE);
 hci_transport_h4_reset_statemachine();
 break;
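Review bot: The new limit `HCI_INCOMING_PACKET_BUFFER_SIZE - HCI_EVENT_HEADER_SIZE` in the Event check is only a valid bound when the configured buffer is at least as large as the header, and the same assumption sits behind the ACL and SCO checks in the next two hunks. How these macros are defined is not visible here; if a port configures a very small buffer and the expression evaluates as unsigned, the difference wraps to a large value and the check rejects nothing. Assuming the macros are usable in preprocessor conditionals, a guard next to the buffer definition such as `#if HCI_INCOMING_PACKET_BUFFER_SIZE < HCI_ACL_HEADER_SIZE` followed by `#error "incoming packet buffer smaller than HCI header"` would make the assumption explicit. hci_transport_h4_block_read continues outside all three hunks.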