espressif/esp-idf
1
0
Fork 0
mirror of https://github.com/espressif/esp-idf.git synced 2026-04-27 19:13:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(bt/bluedroid): fixed multiple high-severity issues from AI code review in HID

Browse Source
This commit is contained in:
Jin Cheng
2026-03-19 16:42:58 +08:00
parent 495871916e
commit 419f6aa7f5
7 changed files with 72 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files
components/bt/host/bluedroid/bta/hd/bta_hd_act.c
+35 -4
View File
@@ -27,6 +27,7 @@
#include "bta/bta_sys.h"
#include "bta_hd_int.h"
#include "bta/utl.h"
#include "osi/allocator.h"
#include "osi/osi.h"
#include "stack/btm_api.h"
@@ -42,7 +43,7 @@ static bool check_descriptor(uint8_t *data, uint16_t length, bool *has_report_id
uint8_t item = *ptr++;
switch (item) {
case 0xfe: // long item indicator
if (ptr < data + length) {
if ((ptr < data + length) && ((*ptr) + 2 <= (data + length - ptr))) {
ptr += ((*ptr) + 2);
} else {
return false;
@@ -522,6 +523,10 @@ extern void bta_hd_close_act(tBTA_HD_DATA *p_data)
extern void bta_hd_intr_data_act(tBTA_HD_DATA *p_data)
{
tBTA_HD_CBACK_DATA *p_cback = (tBTA_HD_CBACK_DATA *)p_data;
if (!p_cback || !p_cback->p_data) {
return;
}
BT_HDR *p_msg = p_cback->p_data;
uint16_t len = p_msg->len;
uint8_t *p_buf = (uint8_t *)(p_msg + 1) + p_msg->offset;
@@ -530,6 +535,9 @@ extern void bta_hd_intr_data_act(tBTA_HD_DATA *p_data)
APPL_TRACE_API("%s", __func__);
if (bta_hd_cb.use_report_id || bta_hd_cb.boot_mode) {
if (len < 1) {
goto _exit;
}
ret.report_id = *p_buf;
len--;
p_buf++;
@@ -540,6 +548,8 @@ extern void bta_hd_intr_data_act(tBTA_HD_DATA *p_data)
ret.len = len;
ret.p_data = p_buf;
(*bta_hd_cb.p_cback)(BTA_HD_INTR_DATA_EVT, (tBTA_HD *)&ret);
_exit:
if (p_msg) {
osi_free(p_msg);
}
@@ -557,6 +567,10 @@ extern void bta_hd_intr_data_act(tBTA_HD_DATA *p_data)
extern void bta_hd_get_report_act(tBTA_HD_DATA *p_data)
{
tBTA_HD_CBACK_DATA *p_cback = (tBTA_HD_CBACK_DATA *)p_data;
if (!p_cback || !p_cback->p_data) {
return;
}
bool rep_size_follows = p_cback->data;
BT_HDR *p_msg = p_cback->p_data;
uint8_t *p_buf = (uint8_t *)(p_msg + 1) + p_msg->offset;
@@ -566,7 +580,7 @@ extern void bta_hd_get_report_act(tBTA_HD_DATA *p_data)
APPL_TRACE_API("%s", __func__);
if (remaining_len < 1) {
APPL_TRACE_ERROR("%s invalid data, remaining_len:%d", __func__, remaining_len);
return;
goto _exit;
}
ret.report_type = *p_buf & HID_PAR_REP_TYPE_MASK;
@@ -576,7 +590,7 @@ extern void bta_hd_get_report_act(tBTA_HD_DATA *p_data)
if (bta_hd_cb.use_report_id) {
if (remaining_len < 1) {
APPL_TRACE_ERROR("%s invalid data, remaining_len:%d", __func__, remaining_len);
return;
goto _exit;
}
ret.report_id = *p_buf;
p_buf++;
@@ -586,12 +600,14 @@ extern void bta_hd_get_report_act(tBTA_HD_DATA *p_data)
if (rep_size_follows) {
if (remaining_len < 2) {
APPL_TRACE_ERROR("%s invalid data, remaining_len:%d", __func__, remaining_len);
return;
goto _exit;
}
ret.buffer_size = *p_buf | (*(p_buf + 1) << 8);
}
(*bta_hd_cb.p_cback)(BTA_HD_GET_REPORT_EVT, (tBTA_HD *)&ret);
_exit:
if (p_msg) {
osi_free(p_msg);
}
@@ -609,6 +625,10 @@ extern void bta_hd_get_report_act(tBTA_HD_DATA *p_data)
extern void bta_hd_set_report_act(tBTA_HD_DATA *p_data)
{
tBTA_HD_CBACK_DATA *p_cback = (tBTA_HD_CBACK_DATA *)p_data;
if (!p_cback || !p_cback->p_data) {
return;
}
BT_HDR *p_msg = p_cback->p_data;
uint16_t len = p_msg->len;
uint8_t *p_buf = (uint8_t *)(p_msg + 1) + p_msg->offset;
@@ -616,11 +636,18 @@ extern void bta_hd_set_report_act(tBTA_HD_DATA *p_data)
APPL_TRACE_API("%s", __func__);
if (len < 1) {
goto _exit;
}
ret.report_type = *p_buf & HID_PAR_REP_TYPE_MASK;
p_buf++;
len--;
if (bta_hd_cb.use_report_id || bta_hd_cb.boot_mode) {
if (len < 1) {
goto _exit;
}
ret.report_id = *p_buf;
len--;
p_buf++;
@@ -631,6 +658,8 @@ extern void bta_hd_set_report_act(tBTA_HD_DATA *p_data)
ret.len = len;
ret.p_data = p_buf;
(*bta_hd_cb.p_cback)(BTA_HD_SET_REPORT_EVT, (tBTA_HD *)&ret);
_exit:
if (p_msg) {
osi_free(p_msg);
}
@@ -804,6 +833,8 @@ static void bta_hd_cback(BD_ADDR bd_addr, uint8_t event, uint32_t data, BT_HDR *
p_buf->p_data = pdata;
bta_sys_sendmsg(p_buf);
} else {
utl_freebuf((void **)&pdata);
}
}
#endif /* BTA_HD_INCLUDED */
components/bt/host/bluedroid/bta/hh/bta_hh_act.c
+5 -1
View File
@@ -104,7 +104,9 @@ void bta_hh_api_enable(tBTA_HH_DATA *p_data)
#endif
{
/* signal BTA call back event */
(* bta_hh_cb.p_cback)(BTA_HH_ENABLE_EVT, (tBTA_HH *)&status);
if (bta_hh_cb.p_cback) {
(* bta_hh_cb.p_cback)(BTA_HH_ENABLE_EVT, (tBTA_HH *)&status);
}
}
}
/*******************************************************************************
@@ -1192,6 +1194,8 @@ static void bta_hh_cback (UINT8 dev_handle, BD_ADDR addr, UINT8 event,
p_buf->p_data = pdata;
bta_sys_sendmsg(p_buf);
} else {
utl_freebuf((void **)&pdata);
}
}
components/bt/host/bluedroid/bta/hh/bta_hh_api.c
+4 -2
View File
@@ -177,6 +177,8 @@ static void bta_hh_snd_write_dev(UINT8 dev_handle, UINT8 t_type, UINT8 param,
p_buf->rpt_id = rpt_id;
bta_sys_sendmsg(p_buf);
} else {
utl_freebuf((void **)&p_data);
}
}
/*******************************************************************************
@@ -336,7 +338,7 @@ void BTA_HhGetDscpInfo(UINT8 dev_handle)
**
** Description Add a virtually cabled device into HID-Host device list
** to manage and assign a device handle for future API call,
** host applciation call this API at start-up to initialize its
** host application call this API at start-up to initialize its
** virtually cabled devices.
**
** Returns void
@@ -452,7 +454,7 @@ void BTA_HhParseBootRpt(tBTA_HH_BOOT_RPT *p_data, UINT8 *p_report,
{
p_data->dev_type = BTA_HH_DEVT_UNKNOWN;
if (p_report) {
if (p_report && (report_len > 0)) {
/* first byte is report ID */
switch (p_report[0]) {
case BTA_HH_KEYBD_RPT_ID: /* key board report ID */
components/bt/host/bluedroid/bta/hh/bta_hh_utils.c
+1 -1
View File
@@ -332,7 +332,7 @@ void bta_hh_parse_keybd_rpt(tBTA_HH_BOOT_RPT *p_kb_data, UINT8 *p_report,
p_kb->caps_lock = p_kb->caps_lock ? FALSE : TRUE;
} else if (this_report[xx] == BTA_HH_KB_NUM_LOCK) {
p_kb->num_lock = p_kb->num_lock ? FALSE : TRUE;
} else {
} else if (key_idx < BTA_HH_KB_VKEY_LEN) {
p_data->this_char[key_idx ++] = this_char;
}
components/bt/host/bluedroid/bta/include/bta/bta_hh_api.h
+5 -4
View File
@@ -58,7 +58,7 @@
#define BTA_HH_VC_UNPLUG_EVT 13 /* virtually unplugged */
#define BTA_HH_DATA_EVT 15
#define BTA_HH_API_ERR_EVT 16 /* API error is caught */
#define BTA_HH_UPDATE_SCPP_EVT 17 /* update scan paramter complete */
#define BTA_HH_UPDATE_SCPP_EVT 17 /* update scan parameter complete */
#define BTA_HH_DATA_IND_EVT 18 /* Data on interrupt channel */
typedef UINT16 tBTA_HH_EVT;
@@ -120,7 +120,7 @@ enum {
BTA_HH_HS_HID_NOT_READY, /* handshake error : device not ready */
BTA_HH_HS_INVALID_RPT_ID, /* handshake error : invalid report ID */
BTA_HH_HS_TRANS_NOT_SPT, /* handshake error : transaction not spt */
BTA_HH_HS_INVALID_PARAM, /* handshake error : invalid paremter */
BTA_HH_HS_INVALID_PARAM, /* handshake error : invalid parameter */
BTA_HH_HS_ERROR, /* handshake error : unspecified HS error */
BTA_HH_ERR, /* general BTA HH error */
BTA_HH_ERR_SDP, /* SDP error */
@@ -237,7 +237,8 @@ enum {
/* parsed boot mode keyboard report */
typedef struct {
UINT8 this_char[6]; /* virtual key code */
#define BTA_HH_KB_VKEY_LEN (6)
UINT8 this_char[BTA_HH_KB_VKEY_LEN]; /* virtual key code */
BOOLEAN mod_key[BTA_HH_MOD_MAX_KEY];
/* ctrl, shift, Alt, GUI */
/* modifier key: is Shift key pressed */
@@ -500,7 +501,7 @@ extern void BTA_HhGetDscpInfo(UINT8 dev_handle);
**
** Description Add a virtually cabled device into HID-Host device list
** to manage and assign a device handle for future API call,
** host applciation call this API at start-up to initialize its
** host application call this API at start-up to initialize its
** virtually cabled devices.
**
** Returns void
components/bt/host/bluedroid/btc/profile/std/hid/btc_hd.c
+19 -6
View File
@@ -312,9 +312,19 @@ static void btc_hd_register_app(esp_hidd_app_param_t *p_app_param, esp_hidd_qos_
break;
}
if ((btc_hd_cb.app_info.p_name = (char *)osi_malloc(BTC_HD_APP_NAME_LEN)) == NULL ||
(btc_hd_cb.app_info.p_description = (char *)osi_malloc(BTC_HD_APP_DESCRIPTION_LEN)) == NULL ||
(btc_hd_cb.app_info.p_provider = (char *)osi_malloc(BTC_HD_APP_PROVIDER_LEN)) == NULL ||
if (!p_app_param->name || !p_app_param->description || !p_app_param->provider ||
!p_app_param->desc_list || (p_app_param->desc_list_len <= 0)) {
ret = ESP_HIDD_ERROR;
break;
}
size_t name_len = strnlen(p_app_param->name, BTC_HD_APP_NAME_LEN);
size_t description_len = strnlen(p_app_param->description, BTC_HD_APP_DESCRIPTION_LEN);
size_t provider_len = strnlen(p_app_param->provider, BTC_HD_APP_PROVIDER_LEN);
if ((btc_hd_cb.app_info.p_name = (char *)osi_malloc(name_len + 1)) == NULL ||
(btc_hd_cb.app_info.p_description = (char *)osi_malloc(description_len + 1)) == NULL ||
(btc_hd_cb.app_info.p_provider = (char *)osi_malloc(provider_len + 1)) == NULL ||
(btc_hd_cb.app_info.descriptor.dsc_list = (uint8_t *)osi_malloc(p_app_param->desc_list_len)) == NULL) {
BTC_TRACE_ERROR(
"%s malloc app_info failed! p_name:%p, p_description:%p, p_provider:%p, descriptor.dsc_list:%p",
@@ -323,9 +333,12 @@ static void btc_hd_register_app(esp_hidd_app_param_t *p_app_param, esp_hidd_qos_
ret = ESP_HIDD_NO_RES;
break;
}
memcpy(btc_hd_cb.app_info.p_name, p_app_param->name, BTC_HD_APP_NAME_LEN);
memcpy(btc_hd_cb.app_info.p_description, p_app_param->description, BTC_HD_APP_DESCRIPTION_LEN);
memcpy(btc_hd_cb.app_info.p_provider, p_app_param->provider, BTC_HD_APP_PROVIDER_LEN);
memcpy(btc_hd_cb.app_info.p_name, p_app_param->name, name_len);
btc_hd_cb.app_info.p_name[name_len] = '\0';
memcpy(btc_hd_cb.app_info.p_description, p_app_param->description, description_len);
btc_hd_cb.app_info.p_description[description_len] = '\0';
memcpy(btc_hd_cb.app_info.p_provider, p_app_param->provider, provider_len);
btc_hd_cb.app_info.p_provider[provider_len] = '\0';
memcpy(btc_hd_cb.app_info.descriptor.dsc_list, p_app_param->desc_list, p_app_param->desc_list_len);
btc_hd_cb.app_info.subclass = p_app_param->subclass;
btc_hd_cb.app_info.descriptor.dl_len = p_app_param->desc_list_len;
components/bt/host/bluedroid/btc/profile/std/hid/btc_hh.c
+3 -3
View File
@@ -1487,7 +1487,7 @@ void btc_hh_cb_handler(btc_msg_t *msg)
BTC_TRACE_DEBUG("status = %d, handle = %d", p_data->dev_status.status, p_data->dev_status.handle);
param.set_idle.handle = p_data->dev_status.handle;
param.set_idle.status = p_data->dev_status.status;
btc_hh_cb_to_app(BTA_HH_SET_IDLE_EVT, &param);
btc_hh_cb_to_app(ESP_HIDH_SET_IDLE_EVT, &param);
break;
case BTA_HH_ADD_DEV_EVT:
BTC_TRACE_DEBUG("status = %d, handle = %d", p_data->dev_info.status, p_data->dev_info.handle);
@@ -1516,8 +1516,8 @@ void btc_hh_cb_handler(btc_msg_t *msg)
break;
case BTA_HH_RMV_DEV_EVT:
BTC_TRACE_DEBUG("status = %d, handle = %d", p_data->dev_info.status, p_data->dev_info.handle);
param.rmv_dev.handle = p_data->dev_info.status;
param.rmv_dev.status = p_data->dev_info.handle;
param.rmv_dev.handle = p_data->dev_info.handle;
param.rmv_dev.status = p_data->dev_info.status;
memcpy(param.rmv_dev.bd_addr, p_data->dev_info.bda, BD_ADDR_LEN);
btc_hh_cb_to_app(ESP_HIDH_RMV_DEV_EVT, &param);
break;