fix(bt/bluedroid): fixed an OOB bug in btm_delete_stored_link_key_complete

Jin Cheng
2025-10-13 09:21:34 +08:00
parent 3e299a98ec
commit 3ab391c7ae
3 changed files with 9 additions and 3 deletions
@@ -1006,7 +1006,7 @@ tBTM_STATUS BTM_DeleteStoredLinkKey(BD_ADDR bd_addr, tBTM_CMPL_CB *p_cb)
** Returns void
**
*******************************************************************************/
void btm_delete_stored_link_key_complete (UINT8 *p)
void btm_delete_stored_link_key_complete (UINT8 *p, UINT16 evt_len)
{
tBTM_CMPL_CB *p_cb = btm_cb.devcb.p_stored_link_key_cmpl_cb;
tBTM_DELETE_STORED_LINK_KEY_COMPLETE result;
@@ -1018,10 +1018,16 @@ void btm_delete_stored_link_key_complete (UINT8 *p)
/* Set the call back event to indicate command complete */
result.event = BTM_CB_EVT_DELETE_STORED_LINK_KEYS;
if (evt_len < 3) {
BTM_TRACE_ERROR("Malformatted event packet, too short");
result.status = BTM_ERR_PROCESSING;
goto err_out;
}
/* Extract the result fields from the HCI event */
STREAM_TO_UINT8 (result.status, p);
STREAM_TO_UINT16 (result.num_keys, p);
err_out:
/* Call the call back and pass the result */
(*p_cb)(&result);
}
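Review bot: On the new short-packet path in the second hunk, `result.num_keys` is never written before `err_out:` passes `&result` to the callback, so a callback that reads the count without first checking `status` would see uninitialized stack bytes. Set it on that path, e.g. `result.num_keys = 0;` next to `result.status = BTM_ERR_PROCESSING;`, or zero-initialise `result` where it is declared. The literal `3` deserves a short comment such as `/* status (1) + num_keys (2) */` so the bound stays tied to the two `STREAM_TO_*` reads below it. The check is only sound if `evt_len` counts the bytes remaining at `p` rather than the whole event, which is decided by the caller outside this hunk. The part of the function body between the two hunks is not shown here.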
@@ -1147,7 +1147,7 @@ void btm_vsc_complete (UINT8 *p, UINT16 cc_opcode, UINT16 evt_len,
void btm_inq_db_reset (void);
void btm_vendor_specific_evt (UINT8 *p, UINT8 evt_len);
#if (CLASSIC_BT_INCLUDED == TRUE)
void btm_delete_stored_link_key_complete (UINT8 *p);
void btm_delete_stored_link_key_complete (UINT8 *p, UINT16 evt_len);
#endif // (CLASSIC_BT_INCLUDED == TRUE)
void btm_report_device_status (tBTM_DEV_STATUS status);
void btm_set_afh_channels_complete (UINT8 *p);
@@ -964,7 +964,7 @@ static void btu_hcif_hdl_command_complete (UINT16 opcode, UINT8 *p, UINT16 evt_l
break;
#if (CLASSIC_BT_INCLUDED == TRUE)
case HCI_DELETE_STORED_LINK_KEY:
btm_delete_stored_link_key_complete (p);
btm_delete_stored_link_key_complete (p, evt_len);
break;
#endif // (CLASSIC_BT_INCLUDED == TRUE)