mirror of
https://github.com/espressif/esp-idf.git
synced 2026-04-27 19:13:21 +00:00
fix(bt/bluedroid): fixed multiple high-severity issues from AI code review in SPP
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD
|
||||
* SPDX-FileCopyrightText: 2015-2026 Espressif Systems (Shanghai) CO LTD
|
||||
*
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*/
|
||||
@@ -70,14 +70,13 @@ esp_err_t esp_spp_enhanced_init(const esp_spp_cfg_t *cfg)
|
||||
esp_err_t esp_spp_deinit(void)
|
||||
{
|
||||
btc_msg_t msg;
|
||||
btc_spp_args_t arg;
|
||||
ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED);
|
||||
|
||||
msg.sig = BTC_SIG_API_CALL;
|
||||
msg.pid = BTC_PID_SPP;
|
||||
msg.act = BTC_SPP_ACT_UNINIT;
|
||||
|
||||
return (btc_transfer_context(&msg, &arg, sizeof(btc_spp_args_t), NULL, NULL) == BT_STATUS_SUCCESS ? ESP_OK : ESP_FAIL);
|
||||
return (btc_transfer_context(&msg, NULL, 0, NULL, NULL) == BT_STATUS_SUCCESS ? ESP_OK : ESP_FAIL);
|
||||
}
|
||||
|
||||
|
||||
@@ -242,27 +241,25 @@ esp_err_t esp_spp_write(uint32_t handle, int len, uint8_t *p_data)
|
||||
esp_err_t esp_spp_vfs_register(void)
|
||||
{
|
||||
btc_msg_t msg;
|
||||
btc_spp_args_t arg;
|
||||
ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED);
|
||||
|
||||
msg.sig = BTC_SIG_API_CALL;
|
||||
msg.pid = BTC_PID_SPP;
|
||||
msg.act = BTC_SPP_ACT_VFS_REGISTER;
|
||||
|
||||
return (btc_transfer_context(&msg, &arg, sizeof(btc_spp_args_t), NULL, NULL) == BT_STATUS_SUCCESS ? ESP_OK : ESP_FAIL);
|
||||
return (btc_transfer_context(&msg, NULL, 0, NULL, NULL) == BT_STATUS_SUCCESS ? ESP_OK : ESP_FAIL);
|
||||
}
|
||||
|
||||
esp_err_t esp_spp_vfs_unregister(void)
|
||||
{
|
||||
btc_msg_t msg;
|
||||
btc_spp_args_t arg;
|
||||
ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED);
|
||||
|
||||
msg.sig = BTC_SIG_API_CALL;
|
||||
msg.pid = BTC_PID_SPP;
|
||||
msg.act = BTC_SPP_ACT_VFS_UNREGISTER;
|
||||
|
||||
return (btc_transfer_context(&msg, &arg, sizeof(btc_spp_args_t), NULL, NULL) == BT_STATUS_SUCCESS ? ESP_OK : ESP_FAIL);
|
||||
return (btc_transfer_context(&msg, NULL, 0, NULL, NULL) == BT_STATUS_SUCCESS ? ESP_OK : ESP_FAIL);
|
||||
}
|
||||
|
||||
esp_err_t esp_spp_get_profile_status(esp_spp_profile_status_t *profile_status)
|
||||
|
||||
@@ -288,8 +288,7 @@ tBTA_JV_RFC_CB *bta_jv_rfc_port_to_cb(UINT16 port_handle)
|
||||
p_cb = &bta_jv_cb.rfc_cb[handle - 1];
|
||||
}
|
||||
} else {
|
||||
APPL_TRACE_WARNING("bta_jv_rfc_port_to_cb(port_handle:0x%x):jv handle:0x%x not"
|
||||
" FOUND", port_handle, bta_jv_cb.port_cb[port_handle - 1].handle);
|
||||
APPL_TRACE_WARNING("bta_jv_rfc_port_to_cb(port_handle:0x%x)", port_handle);
|
||||
}
|
||||
return p_cb;
|
||||
}
|
||||
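Review bot: The rewritten warning in the `else` branch no longer says what went wrong: it prints only the function name and `port_handle`, where the old text at least ended in "not FOUND". Dropping the `bta_jv_cb.port_cb[port_handle - 1].handle` argument looks right if this branch can be reached with a handle outside the table, but the condition that selects the branch is outside the hunk. I would keep the reason in the message, e.g. `APPL_TRACE_WARNING("%s: port_handle 0x%x not found", __func__, port_handle);`.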
@@ -980,8 +979,11 @@ static void bta_jv_start_discovery_cback(UINT16 result, void *user_data)
|
||||
} else {
|
||||
dcomp.service_name[dcomp.scn_num] = NULL;
|
||||
}
|
||||
dcomp.scn_num++;
|
||||
status = BTA_JV_SUCCESS;
|
||||
dcomp.scn_num++;
|
||||
if (dcomp.scn_num == BTA_JV_MAX_SCN) {
|
||||
break;
|
||||
}
|
||||
}
|
||||
} while (p_sdp_rec);
|
||||
}
|
||||
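Review bot: The new cap `if (dcomp.scn_num == BTA_JV_MAX_SCN)` stops the loop only on exact equality, so it protects the `dcomp.service_name[dcomp.scn_num]` write above only while `scn_num` can never enter an iteration already at or past the limit. `if (dcomp.scn_num >= BTA_JV_MAX_SCN) {` costs nothing and still holds if the counter's starting value ever changes. Records beyond the cap are dropped without a trace, so a warning at the `break` would make a truncated discovery result visible in logs. The loop head and the declaration of `dcomp` are outside the hunk, so the array size is assumed to be `BTA_JV_MAX_SCN`.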
@@ -2847,6 +2849,7 @@ static void fcchan_conn_chng_cbk(UINT16 chan, BD_ADDR bd_addr, BOOLEAN connected
|
||||
open_evt.l2c_open.status = BTA_JV_SUCCESS;
|
||||
} else {
|
||||
fcclient_free(t);
|
||||
t = NULL;
|
||||
open_evt.l2c_open.status = BTA_JV_FAILURE;
|
||||
}
|
||||
}
|
||||
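Review bot: The `t = NULL;` added after `fcclient_free(t)` protects only the code that tests `t` afterwards; the guard `if (t && !t->p_cback)` in the next hunk does, but any other use of `t` between the two hunks is not visible here and would need the same test. It is also worth confirming that `p_cback` and `user_data`, which the next hunk passes to the callback, were copied out of `t` before this free. A comment at the assignment would record the contract, e.g. `/* t is gone on the failure path; NULL tells the code below not to touch it */`.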
@@ -2858,7 +2861,7 @@ static void fcchan_conn_chng_cbk(UINT16 chan, BD_ADDR bd_addr, BOOLEAN connected
|
||||
//call this with lock taken so socket does not disappear from under us */
|
||||
if (p_cback) {
|
||||
p_cback(BTA_JV_L2CAP_OPEN_EVT, &open_evt, user_data);
|
||||
if (!t->p_cback) { /* no callback set, means they do not want this one... */
|
||||
if (t && !t->p_cback) { /* no callback set, means they do not want this one... */
|
||||
fcclient_free(t);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -74,6 +74,14 @@ tBTA_JV_STATUS BTA_JvEnable(tBTA_JV_DM_CBACK *p_cback)
|
||||
p_bta_jv_cfg->p_sdp_raw_data = (UINT8 *)osi_malloc(p_bta_jv_cfg->sdp_raw_size);
|
||||
p_bta_jv_cfg->p_sdp_db = (tSDP_DISCOVERY_DB *)osi_malloc(p_bta_jv_cfg->sdp_db_size);
|
||||
if (p_bta_jv_cfg->p_sdp_raw_data == NULL || p_bta_jv_cfg->p_sdp_db == NULL) {
|
||||
if (p_bta_jv_cfg->p_sdp_raw_data) {
|
||||
osi_free(p_bta_jv_cfg->p_sdp_raw_data);
|
||||
p_bta_jv_cfg->p_sdp_raw_data = NULL;
|
||||
}
|
||||
if (p_bta_jv_cfg->p_sdp_db) {
|
||||
osi_free( p_bta_jv_cfg->p_sdp_db);
|
||||
p_bta_jv_cfg->p_sdp_db = NULL;
|
||||
}
|
||||
return BTA_JV_NO_DATA;
|
||||
}
|
||||
#endif
|
||||
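Review bot: The new allocation-failure path returns `BTA_JV_NO_DATA`, which tells the caller that a query came back empty rather than that memory ran out. If `tBTA_JV_STATUS` has a resource-exhaustion value (Bluedroid's enum normally includes `BTA_JV_NO_RESOURCE`), `return BTA_JV_NO_RESOURCE;` lets callers tell the two cases apart. Whatever `BTA_JvEnable` set up before these two `osi_malloc` calls is outside the hunk, so it is worth checking that nothing registered earlier is left behind on this early return. Minor: `osi_free( p_bta_jv_cfg->p_sdp_db);` has a stray space after the parenthesis.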
@@ -292,7 +300,9 @@ tBTA_JV_STATUS BTA_JvStartDiscovery(BD_ADDR bd_addr, UINT16 num_uuid,
|
||||
p_msg->hdr.event = BTA_JV_API_START_DISCOVERY_EVT;
|
||||
bdcpy(p_msg->bd_addr, bd_addr);
|
||||
p_msg->num_uuid = num_uuid;
|
||||
memcpy(p_msg->uuid_list, p_uuid_list, num_uuid * sizeof(tSDP_UUID));
|
||||
if (p_uuid_list && (num_uuid > 0)) {
|
||||
memcpy(p_msg->uuid_list, p_uuid_list, num_uuid * sizeof(tSDP_UUID));
|
||||
}
|
||||
p_msg->num_attr = 0;
|
||||
p_msg->user_data = user_data;
|
||||
bta_sys_sendmsg(p_msg);
|
||||
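Review bot: `p_msg->num_uuid = num_uuid;` is still assigned unconditionally, so a call with `p_uuid_list == NULL` and a non-zero `num_uuid` now skips the `memcpy` but posts a message whose count claims `uuid_list` holds entries that were never written. Taking the count from the same condition keeps the consumer from reading uninitialised heap: `p_msg->num_uuid = p_uuid_list ? num_uuid : 0;`. The copy length `num_uuid * sizeof(tSDP_UUID)` is also not compared with the capacity of `p_msg->uuid_list` in the visible lines; if the part of the function outside the hunk has no such check, an upper bound belongs here too.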
@@ -323,7 +333,12 @@ tBTA_JV_STATUS BTA_JvCreateRecordByUser(const char *name, UINT32 channel, void *
|
||||
if ((p_msg = (tBTA_JV_API_CREATE_RECORD *)osi_malloc(sizeof(tBTA_JV_API_CREATE_RECORD))) != NULL) {
|
||||
p_msg->hdr.event = BTA_JV_API_CREATE_RECORD_EVT;
|
||||
p_msg->user_data = user_data;
|
||||
strcpy(p_msg->name, name);
|
||||
if (name) {
|
||||
strncpy(p_msg->name, name, ESP_SDP_SERVER_NAME_MAX);
|
||||
p_msg->name[ESP_SDP_SERVER_NAME_MAX] = '\0';
|
||||
} else {
|
||||
p_msg->name[0] = '\0';
|
||||
}
|
||||
p_msg->channel = channel;
|
||||
bta_sys_sendmsg(p_msg);
|
||||
status = BTA_JV_SUCCESS;
|
||||
|
||||
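Review bot: Both the `strncpy` bound and the terminator index `p_msg->name[ESP_SDP_SERVER_NAME_MAX]` are correct only if `name` in `tBTA_JV_API_CREATE_RECORD` is declared with at least `ESP_SDP_SERVER_NAME_MAX + 1` bytes, and that declaration is not in this hunk. If it is an array member, deriving the bound from the field keeps the two from drifting apart: `strncpy(p_msg->name, name, sizeof(p_msg->name) - 1);` followed by `p_msg->name[sizeof(p_msg->name) - 1] = '\0';`. An over-long name is now truncated silently, so the SDP record may advertise a different name than the caller asked for; rejecting it or logging the truncation would be clearer.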
@@ -62,13 +62,13 @@ static void rfc_set_port_state(tPORT_STATE *port_pars, MX_FRAME *p_frame);
|
||||
*******************************************************************************/
|
||||
void rfc_port_sm_execute (tPORT *p_port, UINT16 event, void *p_data)
|
||||
{
|
||||
RFCOMM_TRACE_DEBUG("%s st:%d, evt:%d\n", __func__, p_port->rfc.state, event);
|
||||
|
||||
if (!p_port) {
|
||||
RFCOMM_TRACE_WARNING ("NULL port event %d", event);
|
||||
return;
|
||||
}
|
||||
|
||||
RFCOMM_TRACE_DEBUG("%s st:%d, evt:%d\n", __func__, p_port->rfc.state, event);
|
||||
|
||||
switch (p_port->rfc.state) {
|
||||
case RFC_STATE_CLOSED:
|
||||
rfc_port_sm_state_closed (p_port, event, p_data);
|
||||
@@ -240,7 +240,7 @@ void rfc_port_sm_sabme_wait_ua (tPORT *p_port, UINT16 event, void *p_data)
|
||||
**
|
||||
** Description This function handles events for the port in the
|
||||
** WAIT_SEC_CHECK state. SABME has been received from the
|
||||
** peer and Security Manager verifes BD_ADDR, before we can
|
||||
** peer and Security Manager verifies BD_ADDR, before we can
|
||||
** send ESTABLISH_IND to the Port entity
|
||||
**
|
||||
** Returns void
|
||||
|
||||
@@ -179,8 +179,17 @@ void rfc_send_buf_uih (tRFC_MCB *p_mcb, UINT8 dlci, BT_HDR *p_buf)
|
||||
UINT8 cr = RFCOMM_CR(p_mcb->is_initiator, TRUE);
|
||||
UINT8 credits;
|
||||
|
||||
if (p_buf->offset < RFCOMM_CTRL_FRAME_LEN) {
|
||||
osi_free(p_buf);
|
||||
return;
|
||||
}
|
||||
|
||||
p_buf->offset -= RFCOMM_CTRL_FRAME_LEN;
|
||||
if (p_buf->len > 127) {
|
||||
if (p_buf->offset < 1) {
|
||||
osi_free(p_buf);
|
||||
return;
|
||||
}
|
||||
p_buf->offset--;
|
||||
}
|
||||
|
||||
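Review bot: The three new underflow guards (two in this hunk, one before the `credits` decrement in the next) free `p_buf` and return without a trace, and since `rfc_send_buf_uih` returns `void` the caller cannot tell that the frame was dropped. A line such as `RFCOMM_TRACE_ERROR("%s: offset %u too small for UIH header", __func__, p_buf->offset);` before each `osi_free(p_buf)` would make a malformed buffer diagnosable. The guard in the next hunk runs after `credits` has been computed; if that computation already updated the port's credit counters (not visible here), dropping the frame at that point leaves them out of step with what was sent.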
@@ -191,6 +200,10 @@ void rfc_send_buf_uih (tRFC_MCB *p_mcb, UINT8 dlci, BT_HDR *p_buf)
|
||||
}
|
||||
|
||||
if (credits) {
|
||||
if (p_buf->offset < 1) {
|
||||
osi_free(p_buf);
|
||||
return;
|
||||
}
|
||||
p_buf->offset--;
|
||||
}
|
||||
|
||||
@@ -558,8 +571,26 @@ void rfc_send_test (tRFC_MCB *p_mcb, BOOLEAN is_command, BT_HDR *p_buf)
|
||||
UINT16 xx;
|
||||
UINT8 *p_src, *p_dest;
|
||||
|
||||
if (p_buf->offset + sizeof(BT_HDR) >= RFCOMM_CMD_BUF_SIZE) {
|
||||
osi_free(p_buf);
|
||||
return;
|
||||
}
|
||||
|
||||
UINT16 max_len = RFCOMM_CMD_BUF_SIZE - sizeof(BT_HDR) - p_buf->offset;
|
||||
if (p_buf->offset < (L2CAP_MIN_OFFSET + RFCOMM_MIN_OFFSET + 2)) {
|
||||
if (max_len < (L2CAP_MIN_OFFSET + RFCOMM_MIN_OFFSET + 2 - p_buf->offset)) {
|
||||
osi_free(p_buf);
|
||||
return;
|
||||
}
|
||||
max_len -= (L2CAP_MIN_OFFSET + RFCOMM_MIN_OFFSET + 2 - p_buf->offset);
|
||||
}
|
||||
if (p_buf->len > max_len) {
|
||||
p_buf->len = max_len;
|
||||
}
|
||||
|
||||
BT_HDR *p_buf_new;
|
||||
if ((p_buf_new = (BT_HDR *)osi_malloc(RFCOMM_CMD_BUF_SIZE)) == NULL) {
|
||||
osi_free(p_buf);
|
||||
return;
|
||||
}
|
||||
memcpy(p_buf_new, p_buf, sizeof(BT_HDR) + p_buf->offset + p_buf->len);
|
||||
|
||||
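Review bot: `if (p_buf->len > max_len) { p_buf->len = max_len; }` shortens the TEST payload in place and passes it on with no trace, so the peer receives different data from what was queued. If a truncated test frame is not acceptable on this path (the callers are outside the hunk), freeing the buffer and returning as the other guards do is the safer choice. If it is acceptable, log it before the assignment, e.g. `RFCOMM_TRACE_WARNING("%s: payload cut from %u to %u", __func__, p_buf->len, max_len);`. The arithmetic mixes the `size_t` from `sizeof(BT_HDR)` with a `UINT16` result, so a short comment stating that the first guard keeps the subtraction non-negative would help the next reader.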
@@ -491,18 +491,21 @@ void rfc_check_send_cmd(tRFC_MCB *p_mcb, BT_HDR *p_buf)
|
||||
RFCOMM_TRACE_ERROR("%s: empty queue: p_mcb = %p p_mcb->lcid = %u cached p_mcb = %p",
|
||||
__func__, p_mcb, p_mcb->lcid,
|
||||
rfc_find_lcid_mcb(p_mcb->lcid));
|
||||
osi_free(p_buf);
|
||||
} else {
|
||||
fixed_queue_enqueue(p_mcb->cmd_q, p_buf, FIXED_QUEUE_MAX_TIMEOUT);
|
||||
}
|
||||
fixed_queue_enqueue(p_mcb->cmd_q, p_buf, FIXED_QUEUE_MAX_TIMEOUT);
|
||||
}
|
||||
|
||||
/* handle queue if L2CAP not congested */
|
||||
while (p_mcb->l2cap_congested == FALSE) {
|
||||
if ((p = (BT_HDR *)fixed_queue_dequeue(p_mcb->cmd_q, 0)) == NULL) {
|
||||
break;
|
||||
if (p_mcb->cmd_q) {
|
||||
while (p_mcb->l2cap_congested == FALSE) {
|
||||
if ((p = (BT_HDR *)fixed_queue_dequeue(p_mcb->cmd_q, 0)) == NULL) {
|
||||
break;
|
||||
}
|
||||
|
||||
L2CA_DataWrite (p_mcb->lcid, p);
|
||||
}
|
||||
|
||||
|
||||
L2CA_DataWrite (p_mcb->lcid, p);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
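Review bot: With the added `osi_free(p_buf)` in the error branch, `rfc_check_send_cmd` now appears to consume `p_buf` on every path (queued, written or freed), which is an ownership rule callers need to know so they do not free it again. The function's header comment is outside the hunk; I would add a line there such as `** p_buf is always consumed by this function`. The error text still reads "empty queue" although the surrounding change treats the case as a missing `p_mcb->cmd_q`; wording it as "cmd_q is NULL" would match what the new `if (p_mcb->cmd_q)` guard tests.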