espressif/esp-idf
1
0
Fork 0
mirror of https://github.com/espressif/esp-idf.git synced 2026-04-27 19:13:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'bugfix/misc_improvement' into 'master'

Browse Source 
fix(bt/bluedroid): fixed multiple high-severity issues from AI code review in Bluedroid

See merge request espressif/esp-idf!46833
This commit is contained in:
Wang Meng Yang
2026-03-31 09:55:29 +08:00
parent 614ef754fd 6702e66dd8
commit 4cac5e157a
13 changed files with 83 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files
components/bt/host/bluedroid/api/esp_bt_main.c
+2
View File
@@ -92,6 +92,7 @@ esp_err_t esp_bluedroid_disable(void)
if (btc_transfer_context(&msg, NULL, 0, NULL, NULL) != BT_STATUS_SUCCESS) {
LOG_ERROR("Bluedroid disable failed\n");
future_free(*future_p);
s_bt_host_state = ESP_BLUEDROID_STATUS_ENABLED;
return ESP_FAIL;
}
@@ -260,6 +261,7 @@ esp_err_t esp_bluedroid_deinit(void)
if (btc_transfer_context(&msg, NULL, 0, NULL, NULL) != BT_STATUS_SUCCESS) {
LOG_ERROR("Bluedroid de-initialise failed\n");
future_free(*future_p);
return ESP_FAIL;
}
components/bt/host/bluedroid/bta/dm/bta_dm_pm.c
+8
View File
@@ -522,6 +522,10 @@ static void bta_dm_pm_set_mode(BD_ADDR peer_addr, tBTA_DM_PM_ACTION pm_request,
}
}
if (j > p_bta_dm_pm_cfg[0].app_id) {
continue;
}
p_pm_cfg = &p_bta_dm_pm_cfg[j];
p_pm_spec = &p_bta_dm_pm_spec[p_pm_cfg->spec_idx];
p_act0 = &p_pm_spec->actn_tbl[p_srvcs->state][0];
@@ -757,6 +761,10 @@ static void bta_dm_pm_ssr(BD_ADDR peer_addr)
}
}
if (j > p_bta_dm_pm_cfg[0].app_id) {
continue;
}
/* find the ssr index with the smallest max latency. */
p_spec_cur = &p_bta_dm_ssr_spec[p_bta_dm_pm_spec[p_bta_dm_pm_cfg[j].spec_idx].ssr];
p_spec = &p_bta_dm_ssr_spec[ssr];
components/bt/host/bluedroid/bta/sdp/bta_sdp_act.c
+11 -3
View File
@@ -425,7 +425,10 @@ static void bta_sdp_search_cback(UINT16 result, void *user_data)
bta_sdp_cb.sdp_active = BTA_SDP_ACTIVE_NONE;
if (bta_sdp_cb.p_dm_cback == NULL) {
if ((bta_sdp_cb.p_dm_cback == NULL) || (user_data == NULL)) {
if (user_data) {
osi_free(user_data);
}
return;
}
@@ -517,12 +520,15 @@ void bta_sdp_enable(tBTA_SDP_MSG *p_data)
void bta_sdp_search(tBTA_SDP_MSG *p_data)
{
int x = 0;
// TODO: Leaks!!! but needed as user-data pointer
tBT_UUID *bta_sdp_search_uuid = osi_malloc(sizeof(tBT_UUID));
if (p_data == NULL) {
APPL_TRACE_DEBUG("SDP control block handle is null\n");
return;
}
tBT_UUID *bta_sdp_search_uuid = osi_malloc(sizeof(tBT_UUID));
if (bta_sdp_search_uuid == NULL) {
APPL_TRACE_DEBUG("SDP search param malloc failed\n");
return;
}
tBTA_SDP_STATUS status = BTA_SDP_FAILURE;
APPL_TRACE_DEBUG("%s in, sdp_active:%d\n", __func__, bta_sdp_cb.sdp_active);
@@ -537,6 +543,7 @@ void bta_sdp_search(tBTA_SDP_MSG *p_data)
result.status = status;
bta_sdp_cb.p_dm_cback(BTA_SDP_SEARCH_COMP_EVT, (tBTA_SDP *)&result, NULL);
}
osi_free(bta_sdp_search_uuid);
return;
}
@@ -560,6 +567,7 @@ void bta_sdp_search(tBTA_SDP_MSG *p_data)
if (!SDP_ServiceSearchAttributeRequest2(p_data->get_search.bd_addr, p_bta_sdp_cfg->p_sdp_db,
bta_sdp_search_cback, (void *)bta_sdp_search_uuid)) {
osi_free(bta_sdp_search_uuid);
bta_sdp_cb.sdp_active = BTA_SDP_ACTIVE_NONE;
/* failed to start SDP. report the failure right away */
components/bt/host/bluedroid/bta/sdp/bta_sdp_api.c
+19 -13
View File
@@ -62,6 +62,11 @@ tBTA_SDP_STATUS BTA_SdpEnable(tBTA_SDP_DM_CBACK *p_cback)
APPL_TRACE_API("%s\n", __FUNCTION__);
/* do not allocate sdp_db / raw buffers unless we can run the enable path */
if (p_cback == NULL || bta_sys_is_register(BTA_ID_SDP)) {
return BTA_SDP_FAILURE;
}
#if BTA_DYNAMIC_MEMORY == TRUE
/* Malloc buffer for SDP configuration structure */
p_bta_sdp_cfg->p_sdp_db = (tSDP_DISCOVERY_DB *)osi_malloc(p_bta_sdp_cfg->sdp_db_size);
@@ -72,19 +77,20 @@ tBTA_SDP_STATUS BTA_SdpEnable(tBTA_SDP_DM_CBACK *p_cback)
}
#endif
if (p_cback && FALSE == bta_sys_is_register(BTA_ID_SDP)) {
memset(&bta_sdp_cb, 0, sizeof(tBTA_SDP_CB));
memset(&bta_sdp_cb, 0, sizeof(tBTA_SDP_CB));
/* register with BTA system manager */
if ((p_buf = (tBTA_SDP_API_ENABLE *) osi_malloc(sizeof(tBTA_SDP_API_ENABLE))) != NULL) {
/* register with BTA system manager only after buffer alloc succeeds */
bta_sys_register(BTA_ID_SDP, &bta_sdp_reg);
if (p_cback &&
(p_buf = (tBTA_SDP_API_ENABLE *) osi_malloc(sizeof(tBTA_SDP_API_ENABLE))) != NULL) {
p_buf->hdr.event = BTA_SDP_API_ENABLE_EVT;
p_buf->p_cback = p_cback;
bta_sys_sendmsg(p_buf);
status = BTA_SDP_SUCCESS;
}
p_buf->hdr.event = BTA_SDP_API_ENABLE_EVT;
p_buf->p_cback = p_cback;
bta_sys_sendmsg(p_buf);
status = BTA_SDP_SUCCESS;
} else {
#if BTA_DYNAMIC_MEMORY == TRUE
/* undo sdp_db / sdp_raw_data from above; not registered yet */
BTA_SdpCleanup();
#endif
}
return (status);
}
@@ -104,12 +110,12 @@ tBTA_SDP_STATUS BTA_SdpEnable(tBTA_SDP_DM_CBACK *p_cback)
tBTA_SDP_STATUS BTA_SdpDisable(void)
{
BT_HDR *p_buf = NULL;
tBTA_SDP_STATUS status = BTA_SDP_SUCCESS;
tBTA_SDP_STATUS status = BTA_SDP_FAILURE;
if ((p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR))) != NULL) {
p_buf->event = BTA_SDP_API_DISABLE_EVT;
bta_sys_sendmsg(p_buf);
status = BTA_SDP_FAILURE;
status = BTA_SDP_SUCCESS;
}
return status;
components/bt/host/bluedroid/btc/profile/std/gap/btc_gap_bt.c
+10 -1
View File
@@ -1057,6 +1057,9 @@ static void btc_gap_bt_get_dev_name_callback(UINT8 status, char *name)
ret = btc_transfer_context(&msg, &param, sizeof(esp_bt_gap_cb_param_t), NULL, NULL);
if (ret != BT_STATUS_SUCCESS) {
BTC_TRACE_ERROR("%s btc_transfer_context failed\n", __func__);
if (param.get_dev_name_cmpl.name) {
osi_free(param.get_dev_name_cmpl.name);
}
}
}
@@ -1395,8 +1398,14 @@ void btc_gap_bt_cb_deep_free(btc_msg_t *msg)
#if (ENC_KEY_SIZE_CTRL_MODE != ENC_KEY_SIZE_CTRL_MODE_NONE)
case BTC_GAP_BT_SET_MIN_ENC_KEY_SIZE_EVT:
#endif /// ENC_KEY_SIZE_CTRL_MODE != ENC_KEY_SIZE_CTRL_MODE_NONE
case BTC_GAP_BT_GET_DEV_NAME_CMPL_EVT:
break;
case BTC_GAP_BT_GET_DEV_NAME_CMPL_EVT: {
char *name = ((esp_bt_gap_cb_param_t *)msg->arg)->get_dev_name_cmpl.name;
if (name) {
osi_free(name);
}
break;
}
default:
BTC_TRACE_ERROR("%s: Unhandled event (%d)!\n", __FUNCTION__, msg->act);
break;
components/bt/host/bluedroid/btc/profile/std/sdp/btc_sdp.c
+2 -2
View File
@@ -55,7 +55,7 @@ static sdp_local_param_t *sdp_local_param_ptr;
#if SDP_DYNAMIC_MEMORY == FALSE
#define is_sdp_init() (sdp_local_param.sdp_slot_mutex != NULL)
#else
#define is_sdp_init() (&sdp_local_param != NULL && sdp_local_param.sdp_slot_mutex != NULL)
#define is_sdp_init() (sdp_local_param_ptr != NULL && sdp_local_param.sdp_slot_mutex != NULL)
#endif
static void btc_sdp_cleanup(void)
@@ -1439,7 +1439,7 @@ void btc_sdp_get_protocol_status(esp_sdp_protocol_status_t *param)
if (is_sdp_init()) {
param->sdp_inited = true;
osi_mutex_lock(&sdp_local_param.sdp_slot_mutex, OSI_MUTEX_MAX_TIMEOUT);
for (size_t i = 0; i <= SDP_MAX_RECORDS; i++) {
for (size_t i = 0; i < SDP_MAX_RECORDS; i++) {
if (sdp_local_param.sdp_slots[i] != NULL && sdp_local_param.sdp_slots[i]->state == SDP_RECORD_ALLOCED) {
param->records_num++;
}
components/bt/host/bluedroid/stack/btm/btm_sco.c
+6 -1
View File
@@ -283,6 +283,7 @@ static void hci_sco_data_to_lower(BT_HDR *p_buf)
if (p_buf->offset == 0) {
BTM_TRACE_ERROR("offset cannot be 0");
osi_free(p_buf);
return;
}
bte_main_hci_send(p_buf, (UINT16)(BT_EVT_TO_LM_HCI_SCO | LOCAL_BLE_CONTROLLER_ID));
@@ -1166,11 +1167,15 @@ UINT16 btm_find_scb_by_handle (UINT16 handle)
tBTM_STATUS BTM_RemoveSco (UINT16 sco_inx)
{
#if (BTM_MAX_SCO_LINKS>0)
if (sco_inx >= BTM_MAX_SCO_LINKS) {
return (BTM_UNKNOWN_ADDR);
}
tSCO_CONN *p = &btm_cb.sco_cb.sco_db[sco_inx];
UINT16 tempstate;
/* Validity check */
if ((sco_inx >= BTM_MAX_SCO_LINKS) || (p->state == SCO_ST_UNUSED)) {
if (p->state == SCO_ST_UNUSED) {
return (BTM_UNKNOWN_ADDR);
}
components/bt/host/bluedroid/stack/gap/gap_conn.c
+3 -4
View File
@@ -130,7 +130,6 @@ UINT16 GAP_ConnOpen (const char *p_serv_name, UINT8 service_id, BOOLEAN is_serve
{
tGAP_CCB *p_ccb;
UINT16 cid;
//tBT_UUID bt_uuid = {2, {GAP_PROTOCOL_ID}};
GAP_TRACE_EVENT ("GAP_CONN - Open Request");
@@ -149,6 +148,7 @@ UINT16 GAP_ConnOpen (const char *p_serv_name, UINT8 service_id, BOOLEAN is_serve
memcpy (&p_ccb->rem_dev_address[0], p_rem_bda, BD_ADDR_LEN);
} else if (!is_server) {
/* remote addr is not specified and is not a server -> bad */
gap_release_ccb (p_ccb);
return (GAP_INVALID_HANDLE);
}
@@ -234,7 +234,7 @@ UINT16 GAP_ConnOpen (const char *p_serv_name, UINT8 service_id, BOOLEAN is_serve
}
/* Check if L2CAP started the connection process */
if (p_rem_bda && ((cid = L2CA_CONNECT_REQ (p_ccb->psm, p_rem_bda, &p_ccb->ertm_info, &bt_uuid)) != 0)) {
if (p_rem_bda && ((cid = L2CA_CONNECT_REQ (p_ccb->psm, p_rem_bda, &p_ccb->ertm_info, NULL)) != 0)) {
p_ccb->connection_id = cid;
return (p_ccb->gap_handle);
} else {
@@ -721,7 +721,6 @@ static void gap_connect_ind (BD_ADDR bd_addr, UINT16 l2cap_cid, UINT16 psm, UIN
{
UINT16 xx;
tGAP_CCB *p_ccb;
//tBT_UUID bt_uuid = {2, {GAP_PROTOCOL_ID}};
/* See if we have a CCB listening for the connection */
for (xx = 0, p_ccb = gap_cb.conn.ccb_pool; xx < GAP_MAX_CONNECTIONS; xx++, p_ccb++) {
@@ -751,7 +750,7 @@ static void gap_connect_ind (BD_ADDR bd_addr, UINT16 l2cap_cid, UINT16 psm, UIN
p_ccb->connection_id = l2cap_cid;
/* Send response to the L2CAP layer. */
L2CA_CONNECT_RSP (bd_addr, l2cap_id, l2cap_cid, L2CAP_CONN_OK, L2CAP_CONN_OK, &p_ccb->ertm_info, &bt_uuid);
L2CA_CONNECT_RSP (bd_addr, l2cap_id, l2cap_cid, L2CAP_CONN_OK, L2CAP_CONN_OK, &p_ccb->ertm_info, NULL);
GAP_TRACE_EVENT("GAP_CONN - Rcvd L2CAP conn ind, CID: 0x%x", p_ccb->connection_id);
components/bt/host/bluedroid/stack/l2cap/l2c_ucd.c
+9 -9
View File
@@ -185,7 +185,7 @@ static void l2c_ucd_config_cfm_cback (UINT16 cid, tL2CAP_CFG_INFO *p_cfg)
**
** Parameters: tL2CAP_UCD_CB_INFO
**
** Return value: TRUE if successs
** Return value: TRUE if success
**
*******************************************************************************/
BOOLEAN L2CA_UcdRegister ( UINT16 psm, tL2CAP_UCD_CB_INFO *p_cb_info )
@@ -242,12 +242,12 @@ BOOLEAN L2CA_UcdRegister ( UINT16 psm, tL2CAP_UCD_CB_INFO *p_cb_info )
**
** Parameters: PSM
**
** Return value: TRUE if successs
** Return value: TRUE if success
**
*******************************************************************************/
BOOLEAN L2CA_UcdDeregister_In_CCB_List (void *p_ccb_node, void * context)
{
p_ccb = (tL2C_CCB *)p_ccb_node;
tL2C_CCB *p_ccb = (tL2C_CCB *)p_ccb_node;
if (( p_ccb->in_use )
&& ( p_ccb->local_cid == L2CAP_CONNECTIONLESS_CID )) {
l2cu_release_ccb (p_ccb);
@@ -301,7 +301,7 @@ BOOLEAN L2CA_UcdDeregister ( UINT16 psm )
** L2CAP_UCD_INFO_TYPE_MTU
**
**
** Return value: TRUE if successs
** Return value: TRUE if success
**
*******************************************************************************/
BOOLEAN L2CA_UcdDiscover ( UINT16 psm, BD_ADDR rem_bda, UINT8 info_type )
@@ -450,7 +450,7 @@ UINT16 L2CA_UcdDataWrite (UINT16 psm, BD_ADDR rem_bda, BT_HDR *p_buf, UINT16 fla
** Parameters: BD Addr
** Timeout in second
**
** Return value: TRUE if successs
** Return value: TRUE if success
**
*******************************************************************************/
BOOLEAN L2CA_UcdSetIdleTimeout ( BD_ADDR rem_bda, UINT16 timeout )
@@ -517,7 +517,7 @@ BOOLEAN L2CA_UCDSetTxPriority ( BD_ADDR rem_bda, tL2CAP_CHNL_PRIORITY priority )
**
** Parameters: BD_ADDR of remote device
**
** Return value: TRUE if successs
** Return value: TRUE if success
**
*******************************************************************************/
static BOOLEAN l2c_ucd_connect ( BD_ADDR rem_bda )
@@ -597,7 +597,7 @@ static BOOLEAN l2c_ucd_connect ( BD_ADDR rem_bda )
void l2c_ucd_delete_sec_pending_q(tL2C_LCB *p_lcb)
{
/* clean up any security pending UCD */
while (p_lcb->ucd_out_sec_pending_q.p_first) {
while (!fixed_queue_is_empty(p_lcb->ucd_out_sec_pending_q)) {
osi_free(fixed_queue_dequeue(p_lcb->ucd_out_sec_pending_q, 0));
}
fixed_queue_free(p_lcb->ucd_out_sec_pending_q, NULL);
@@ -606,7 +606,7 @@ void l2c_ucd_delete_sec_pending_q(tL2C_LCB *p_lcb)
while (! fixed_queue_is_empty(p_lcb->ucd_in_sec_pending_q)) {
osi_free(fixed_queue_dequeue(p_lcb->ucd_in_sec_pending_q, 0));
}
fixed_queue_free(p_lcb->ucd_in_sec_pending_q);
fixed_queue_free(p_lcb->ucd_in_sec_pending_q, NULL);
p_lcb->ucd_in_sec_pending_q = NULL;
}
@@ -797,7 +797,7 @@ BOOLEAN l2c_ucd_check_pending_in_sec_q(tL2C_CCB *p_ccb)
*******************************************************************************/
void l2c_ucd_send_pending_in_sec_q(tL2C_CCB *p_ccb)
{
BT_HDR *p_buf = (BT_HDR*)fixed_queue_dequeue(p_ccb->p_lcb->ucd_in_sec_pending_q, 0)
BT_HDR *p_buf = (BT_HDR*)fixed_queue_dequeue(p_ccb->p_lcb->ucd_in_sec_pending_q, 0);
if (p_buf != NULL) {
p_ccb->p_rcb->ucd.cb_info.pL2CA_UCD_Data_Cb(p_ccb->p_lcb->remote_bd_addr, (BT_HDR *)p_buf);
components/bt/host/bluedroid/stack/l2cap/l2cap_client.c
+3 -3
View File
@@ -107,7 +107,7 @@ l2cap_client_t *l2cap_client_new(const l2cap_client_callbacks_t *callbacks, void
ret->remote_mtu = L2CAP_MTU_DEFAULT;
ret->outbound_fragments = list_new(NULL);
if (!ret) {
if (!ret->outbound_fragments) {
L2CAP_TRACE_ERROR("%s unable to allocate outbound L2CAP fragment list.", __func__);
goto error;
}
@@ -393,7 +393,7 @@ static void fragment_packet(l2cap_client_t *client, buffer_t *packet)
assert(packet != NULL);
// TODO(sharvil): eliminate copy into BT_HDR.
BT_HDR *bt_packet = osi_malloc(buffer_length(packet) + L2CAP_MIN_OFFSET);
BT_HDR *bt_packet = osi_malloc(sizeof(BT_HDR) + buffer_length(packet) + L2CAP_MIN_OFFSET);
bt_packet->offset = L2CAP_MIN_OFFSET;
bt_packet->len = buffer_length(packet);
memcpy(bt_packet->data + bt_packet->offset, buffer_ptr(packet), buffer_length(packet));
@@ -408,7 +408,7 @@ static void fragment_packet(l2cap_client_t *client, buffer_t *packet)
break;
}
BT_HDR *fragment = osi_malloc(client->remote_mtu + L2CAP_MIN_OFFSET);
BT_HDR *fragment = osi_malloc(sizeof(BT_HDR) + client->remote_mtu + L2CAP_MIN_OFFSET);
fragment->offset = L2CAP_MIN_OFFSET;
fragment->len = client->remote_mtu;
memcpy(fragment->data + fragment->offset, bt_packet->data + bt_packet->offset, client->remote_mtu);
components/bt/host/bluedroid/stack/sdp/sdp_db.c
+2 -6
View File
@@ -360,9 +360,7 @@ BOOLEAN SDP_DeleteRecord (UINT32 handle)
if (handle == 0 || sdp_cb.server_db.num_records == 0) {
/* Delete all records in the database */
sdp_cb.server_db.num_records = 0;
for (p_node = list_begin(sdp_cb.server_db.p_record_list); p_node; p_node = list_next(p_node)) {
list_remove(sdp_cb.server_db.p_record_list, p_node);
}
list_clear(sdp_cb.server_db.p_record_list);
/* require new DI record to be created in SDP_SetLocalDiRecord */
sdp_cb.server_db.di_primary_handle = 0;
@@ -488,15 +486,13 @@ BOOLEAN SDP_AddAttribute (UINT32 handle, UINT16 attr_id, UINT8 attr_type,
p_attr->type = attr_type;
p_attr->len = attr_len;
if (p_rec->free_pad_ptr + attr_len >= SDP_MAX_PAD_LEN) {
if (p_rec->free_pad_ptr + attr_len > SDP_MAX_PAD_LEN) {
/* do truncate only for text string type descriptor */
if (attr_type == TEXT_STR_DESC_TYPE) {
SDP_TRACE_WARNING("SDP_AddAttribute: attr_len:%d too long. truncate to (%d)\n",
attr_len, SDP_MAX_PAD_LEN - p_rec->free_pad_ptr );
attr_len = SDP_MAX_PAD_LEN - p_rec->free_pad_ptr;
p_val[SDP_MAX_PAD_LEN - p_rec->free_pad_ptr] = '\0';
p_val[SDP_MAX_PAD_LEN - p_rec->free_pad_ptr + 1] = '\0';
} else {
attr_len = 0;
}
components/bt/host/bluedroid/stack/sdp/sdp_discovery.c
+7 -2
View File
@@ -305,6 +305,9 @@ static void process_service_search_rsp (tCONN_CB *p_ccb, UINT8 *p_reply, UINT8 *
if (p_ccb->num_handles > sdp_cb.max_recs_per_search) {
p_ccb->num_handles = sdp_cb.max_recs_per_search;
}
if (p_ccb->num_handles > SDP_MAX_DISC_SERVER_RECS) {
p_ccb->num_handles = SDP_MAX_DISC_SERVER_RECS;
}
if (p_reply + ((p_ccb->num_handles - orig) * 4) + 1 > p_reply_end) {
sdp_disconnect(p_ccb, SDP_GENERIC_ERROR);
@@ -424,8 +427,10 @@ static void process_service_attr_rsp (tCONN_CB *p_ccb, UINT8 *p_reply, UINT8 *p_
/* If p_reply is NULL, we were called after the records handles were read */
if (p_reply) {
#if (SDP_DEBUG_RAW == TRUE)
SDP_TRACE_WARNING("ID & len: 0x%02x-%02x-%02x-%02x\n",
p_reply[0], p_reply[1], p_reply[2], p_reply[3]);
if (p_reply + 4 <= p_reply_end) {
SDP_TRACE_WARNING("ID & len: 0x%02x-%02x-%02x-%02x\n",
p_reply[0], p_reply[1], p_reply[2], p_reply[3]);
}
#endif
/* Skip transaction ID and length */
p_reply += 4;
components/bt/host/bluedroid/stack/sdp/sdp_server.c
+1 -1
View File
@@ -226,7 +226,7 @@ static void process_service_search (tCONN_CB *p_ccb, UINT16 trans_num,
return;
}
if (*p_req) {
if (*p_req++ != SDP_CONTINUATION_LEN || (p_req >= p_req_end)) {
if (*p_req++ != SDP_CONTINUATION_LEN || (p_req + 2 > p_req_end)) {
sdpu_build_n_send_error (p_ccb, trans_num, SDP_INVALID_CONT_STATE,
SDP_TEXT_BAD_CONT_LEN);
return;