diff --git a/components/bt/host/bluedroid/Kconfig.in b/components/bt/host/bluedroid/Kconfig.in index 52a0ea6a46..90e4abc996 100644 --- a/components/bt/host/bluedroid/Kconfig.in +++ b/components/bt/host/bluedroid/Kconfig.in @@ -1443,11 +1443,11 @@ config BT_BLE_FEAT_ISO_60_EN Enable iso 6.0 feature config BT_BLE_FEAT_ISO_BIG_BROCASTER - bool "Enable BLE iso BIG brocaster" + bool "Enable BLE iso BIG broadcaster" depends on BT_BLE_FEAT_ISO_EN default y help - Enable BLE 5.2 BIG brocaster + Enable BLE 5.2 BIG broadcaster config BT_BLE_FEAT_ISO_BIG_SYNCER bool "Enable BLE iso BIG syncer" diff --git a/components/bt/host/bluedroid/api/esp_ble_cte_api.c b/components/bt/host/bluedroid/api/esp_ble_cte_api.c index 37503c4746..5d2078f782 100644 --- a/components/bt/host/bluedroid/api/esp_ble_cte_api.c +++ b/components/bt/host/bluedroid/api/esp_ble_cte_api.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2025 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2025-2026 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -15,6 +15,9 @@ esp_err_t esp_ble_cte_register_callback(esp_ble_cte_cb_t callback) { + if (callback == NULL) { + return ESP_ERR_INVALID_ARG; + } ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); return (btc_profile_cb_set(BTC_PID_BLE_CTE, callback) == 0 ? ESP_OK : ESP_FAIL); @@ -22,6 +25,9 @@ esp_err_t esp_ble_cte_register_callback(esp_ble_cte_cb_t callback) esp_ble_cte_cb_t esp_ble_cte_get_callback(void) { + if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { + return NULL; + } return (esp_ble_cte_cb_t) btc_profile_cb_get(BTC_PID_BLE_CTE); } @@ -30,6 +36,7 @@ esp_err_t esp_ble_cte_set_connectionless_trans_params(esp_ble_cte_connless_trans { btc_msg_t msg; btc_ble_cte_args_t arg; + memset(&arg, 0, sizeof(arg)); if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; @@ -38,6 +45,21 @@ esp_err_t esp_ble_cte_set_connectionless_trans_params(esp_ble_cte_connless_trans if ((cte_trans_params == NULL) || (cte_trans_params->antenna_ids == NULL)) { return ESP_ERR_INVALID_ARG; } + if ((cte_trans_params->switching_pattern_len < ESP_BLE_CTE_MIN_SWITCHING_PATTERN_LENGTH) || + (cte_trans_params->switching_pattern_len > ESP_BLE_CTE_MAX_SWITCHING_PATTERN_LENGTH)) { + return ESP_ERR_INVALID_ARG; + } + if ((cte_trans_params->cte_len < ESP_BLE_CTE_MIN_CTE_LENGTH) || + (cte_trans_params->cte_len > ESP_BLE_CTE_MAX_CTE_LENGTH)) { + return ESP_ERR_INVALID_ARG; + } + if (cte_trans_params->cte_type > ESP_BLE_CTE_TYPE_AOD_WITH_2US) { + return ESP_ERR_INVALID_ARG; + } + if ((cte_trans_params->cte_count < ESP_BLE_CTE_MIN_CTE_COUNT) || + (cte_trans_params->cte_count > ESP_BLE_CTE_MAX_CTE_COUNT)) { + return ESP_ERR_INVALID_ARG; + } msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_BLE_CTE; @@ -57,6 +79,7 @@ esp_err_t esp_ble_cte_set_connectionless_trans_enable(esp_ble_cte_trans_enable_p { btc_msg_t msg; btc_ble_cte_args_t arg; + memset(&arg, 0, sizeof(arg)); if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; @@ -65,6 +88,10 @@ esp_err_t esp_ble_cte_set_connectionless_trans_enable(esp_ble_cte_trans_enable_p if (cte_trans_enable == NULL) { return ESP_ERR_INVALID_ARG; } + if ((cte_trans_enable->cte_enable != ESP_BLE_CTE_ADV_WITH_CTE_DISABLE) && + (cte_trans_enable->cte_enable != ESP_BLE_CTE_ADV_WITH_CTE_ENABLE)) { + return ESP_ERR_INVALID_ARG; + } msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_BLE_CTE; @@ -80,14 +107,39 @@ esp_err_t esp_ble_cte_set_connectionless_iq_sampling_enable(esp_ble_cte_iq_sampl { btc_msg_t msg; btc_ble_cte_args_t arg; + memset(&arg, 0, sizeof(arg)); if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; } - - if ((iq_sampling_en == NULL) || (iq_sampling_en->antenna_ids == NULL)) { + // iq_sampling_en must not be NULL + if (iq_sampling_en == NULL) { return ESP_ERR_INVALID_ARG; } + // Sampling enable must be either disable or enable + if ((iq_sampling_en->sampling_en != ESP_BLE_CTE_SAMPLING_DISABLE) && + (iq_sampling_en->sampling_en != ESP_BLE_CTE_SAMPLING_ENABLE)) { + return ESP_ERR_INVALID_ARG; + } + /* When sampling is enabled, antenna_ids and switching_pattern_len are required; when disabled they are ignored by the controller */ + if (iq_sampling_en->sampling_en == ESP_BLE_CTE_SAMPLING_ENABLE) { + // Slot duration must be either 1us or 2us + if ((iq_sampling_en->slot_dur != ESP_BLE_CTE_SLOT_DURATION_1US) && + (iq_sampling_en->slot_dur != ESP_BLE_CTE_SLOT_DURATION_2US)) { + return ESP_ERR_INVALID_ARG; + } + // Max sampled Ctes must be between 0 and 16 + if (iq_sampling_en->max_sampled_ctes > ESP_BLE_CTE_MAX_SAMPLED_CTES) { + return ESP_ERR_INVALID_ARG; + } + if (iq_sampling_en->antenna_ids == NULL) { + return ESP_ERR_INVALID_ARG; + } + if ((iq_sampling_en->switching_pattern_len < ESP_BLE_CTE_MIN_SWITCHING_PATTERN_LENGTH) || + (iq_sampling_en->switching_pattern_len > ESP_BLE_CTE_MAX_SWITCHING_PATTERN_LENGTH)) { + return ESP_ERR_INVALID_ARG; + } + } msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_BLE_CTE; @@ -97,9 +149,13 @@ esp_err_t esp_ble_cte_set_connectionless_iq_sampling_enable(esp_ble_cte_iq_sampl arg.cte_iq_sampling_en.sampling_en = iq_sampling_en->sampling_en; arg.cte_iq_sampling_en.slot_dur = iq_sampling_en->slot_dur; arg.cte_iq_sampling_en.max_sampled_ctes = iq_sampling_en->max_sampled_ctes; - arg.cte_iq_sampling_en.switching_pattern_len = iq_sampling_en->switching_pattern_len; - arg.cte_iq_sampling_en.antenna_ids = iq_sampling_en->antenna_ids; - + if (iq_sampling_en->sampling_en == ESP_BLE_CTE_SAMPLING_ENABLE) { + arg.cte_iq_sampling_en.switching_pattern_len = iq_sampling_en->switching_pattern_len; + arg.cte_iq_sampling_en.antenna_ids = iq_sampling_en->antenna_ids; + } else { + arg.cte_iq_sampling_en.switching_pattern_len = 0; + arg.cte_iq_sampling_en.antenna_ids = NULL; + } return (btc_transfer_context(&msg, &arg, sizeof(btc_ble_cte_args_t), btc_ble_cte_arg_deep_copy, btc_ble_cte_arg_deep_free) == BT_STATUS_SUCCESS ? ESP_OK : ESP_FAIL); } #endif // #if (BLE_FEAT_CTE_CONNECTIONLESS_EN == TRUE) @@ -109,14 +165,33 @@ esp_err_t esp_ble_cte_set_connection_receive_params(esp_ble_cte_recv_params_para { btc_msg_t msg; btc_ble_cte_args_t arg; + memset(&arg, 0, sizeof(arg)); if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; } - if ((cte_recv_params == NULL) || (cte_recv_params->antenna_ids == NULL)) { + if (cte_recv_params == NULL) { return ESP_ERR_INVALID_ARG; } + if ((cte_recv_params->sampling_en != ESP_BLE_CTE_SAMPLING_DISABLE) && + (cte_recv_params->sampling_en != ESP_BLE_CTE_SAMPLING_ENABLE)) { + return ESP_ERR_INVALID_ARG; + } + /* When sampling is enabled, antenna_ids and switching_pattern_len are required; when disabled they are ignored by the controller */ + if (cte_recv_params->sampling_en == ESP_BLE_CTE_SAMPLING_ENABLE) { + if ((cte_recv_params->slot_dur != ESP_BLE_CTE_SLOT_DURATION_1US) && + (cte_recv_params->slot_dur != ESP_BLE_CTE_SLOT_DURATION_2US)) { + return ESP_ERR_INVALID_ARG; + } + if (cte_recv_params->antenna_ids == NULL) { + return ESP_ERR_INVALID_ARG; + } + if ((cte_recv_params->switching_pattern_len < ESP_BLE_CTE_MIN_SWITCHING_PATTERN_LENGTH) || + (cte_recv_params->switching_pattern_len > ESP_BLE_CTE_MAX_SWITCHING_PATTERN_LENGTH)) { + return ESP_ERR_INVALID_ARG; + } + } msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_BLE_CTE; @@ -125,8 +200,13 @@ esp_err_t esp_ble_cte_set_connection_receive_params(esp_ble_cte_recv_params_para arg.cte_recv_params.conn_handle = cte_recv_params->conn_handle; arg.cte_recv_params.sampling_en = cte_recv_params->sampling_en; arg.cte_recv_params.slot_dur = cte_recv_params->slot_dur; - arg.cte_recv_params.switching_pattern_len = cte_recv_params->switching_pattern_len; - arg.cte_recv_params.antenna_ids = cte_recv_params->antenna_ids; + if (cte_recv_params->sampling_en == ESP_BLE_CTE_SAMPLING_ENABLE) { + arg.cte_recv_params.switching_pattern_len = cte_recv_params->switching_pattern_len; + arg.cte_recv_params.antenna_ids = cte_recv_params->antenna_ids; + } else { + arg.cte_recv_params.switching_pattern_len = 0; + arg.cte_recv_params.antenna_ids = NULL; + } return (btc_transfer_context(&msg, &arg, sizeof(btc_ble_cte_args_t), btc_ble_cte_arg_deep_copy, btc_ble_cte_arg_deep_free) == BT_STATUS_SUCCESS ? ESP_OK : ESP_FAIL); } @@ -135,6 +215,7 @@ esp_err_t esp_ble_cte_set_connection_transmit_params(esp_ble_cte_conn_trans_para { btc_msg_t msg; btc_ble_cte_args_t arg; + memset(&arg, 0, sizeof(arg)); if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; @@ -143,6 +224,15 @@ esp_err_t esp_ble_cte_set_connection_transmit_params(esp_ble_cte_conn_trans_para if ((cte_conn_trans_params == NULL) || (cte_conn_trans_params->antenna_ids == NULL)) { return ESP_ERR_INVALID_ARG; } + if ((cte_conn_trans_params->switching_pattern_len < ESP_BLE_CTE_MIN_SWITCHING_PATTERN_LENGTH) || + (cte_conn_trans_params->switching_pattern_len > ESP_BLE_CTE_MAX_SWITCHING_PATTERN_LENGTH)) { + return ESP_ERR_INVALID_ARG; + } + /* cte_types must be non-zero and only allowed bits (AOA, AoD 1us, AoD 2us) */ + if ((cte_conn_trans_params->cte_types == 0) || + (cte_conn_trans_params->cte_types & ~ESP_BLE_CTE_TYPES_ALL)) { + return ESP_ERR_INVALID_ARG; + } msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_BLE_CTE; @@ -160,6 +250,7 @@ esp_err_t esp_ble_cte_connection_cte_request_enable(esp_ble_cte_req_en_params_t { btc_msg_t msg; btc_ble_cte_args_t arg; + memset(&arg, 0, sizeof(arg)); if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; @@ -168,6 +259,19 @@ esp_err_t esp_ble_cte_connection_cte_request_enable(esp_ble_cte_req_en_params_t if (cte_conn_req_en == NULL) { return ESP_ERR_INVALID_ARG; } + if ((cte_conn_req_en->enable != ESP_BLE_CTE_REQUEST_FOR_CONNECTION_DISABLE) && + (cte_conn_req_en->enable != ESP_BLE_CTE_REQUEST_FOR_CONNECTION_ENABLE)) { + return ESP_ERR_INVALID_ARG; + } + if (cte_conn_req_en->enable == ESP_BLE_CTE_REQUEST_FOR_CONNECTION_ENABLE) { + if ((cte_conn_req_en->req_cte_len < ESP_BLE_CTE_MIN_REQUESTED_CTE_LENGTH) || + (cte_conn_req_en->req_cte_len > ESP_BLE_CTE_MAX_REQUESTED_CTE_LENGTH)) { + return ESP_ERR_INVALID_ARG; + } + if (cte_conn_req_en->req_cte_Type > ESP_BLE_CTE_TYPE_AOD_WITH_2US) { + return ESP_ERR_INVALID_ARG; + } + } msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_BLE_CTE; @@ -186,6 +290,7 @@ esp_err_t esp_ble_cte_connection_cte_response_enable(esp_ble_cte_rsp_en_params_t { btc_msg_t msg; btc_ble_cte_args_t arg; + memset(&arg, 0, sizeof(arg)); if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; @@ -194,6 +299,10 @@ esp_err_t esp_ble_cte_connection_cte_response_enable(esp_ble_cte_rsp_en_params_t if (cte_conn_rsp_en == NULL) { return ESP_ERR_INVALID_ARG; } + if ((cte_conn_rsp_en->enable != ESP_BLE_CTE_RESPONSE_FOR_CONNECTION_DISABLE) && + (cte_conn_rsp_en->enable != ESP_BLE_CTE_RESPONSE_FOR_CONNECTION_ENABLE)) { + return ESP_ERR_INVALID_ARG; + } msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_BLE_CTE; diff --git a/components/bt/host/bluedroid/api/esp_ble_iso_api.c b/components/bt/host/bluedroid/api/esp_ble_iso_api.c index d2239844f0..132b8880ad 100644 --- a/components/bt/host/bluedroid/api/esp_ble_iso_api.c +++ b/components/bt/host/bluedroid/api/esp_ble_iso_api.c @@ -14,6 +14,9 @@ esp_err_t esp_ble_iso_register_callback(esp_ble_iso_cb_t callback) { + if (callback == NULL) { + return ESP_ERR_INVALID_ARG; + } ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); return (btc_profile_cb_set(BTC_PID_ISO_BLE, callback) == 0 ? ESP_OK : ESP_FAIL); @@ -21,23 +24,55 @@ esp_err_t esp_ble_iso_register_callback(esp_ble_iso_cb_t callback) esp_ble_iso_cb_t esp_ble_iso_get_callback(void) { + if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { + return NULL; + } + return (esp_ble_iso_cb_t) btc_profile_cb_get(BTC_PID_ISO_BLE); } -#if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) esp_err_t esp_ble_iso_create_big(esp_ble_iso_big_creat_params_t *big_creat_param) { - btc_msg_t msg; + btc_msg_t msg = {0}; btc_ble_iso_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); if (big_creat_param == NULL) { return ESP_ERR_INVALID_ARG; } - - if (big_creat_param->num_bis > BLE_ISO_BIS_MAX_COUNT) { + if (big_creat_param->num_bis == 0 || big_creat_param->num_bis > BLE_ISO_BIS_MAX_COUNT) { + return ESP_ERR_INVALID_ARG; + } + if (big_creat_param->num_bis > ESP_BLE_MAX_BIS_NUM) { + return ESP_ERR_INVALID_ARG; + } + if (big_creat_param->sdu_interval < BLE_ISO_SDU_INT_MIN || big_creat_param->sdu_interval > BLE_ISO_SDU_INT_MAX) { + return ESP_ERR_INVALID_ARG; + } + if (big_creat_param->max_sdu < 0x0001 || big_creat_param->max_sdu > 0x0FFF) { + return ESP_ERR_INVALID_ARG; + } + if (big_creat_param->max_transport_latency < BLE_ISO_MAX_TRANSPORT_LATENCY_MIN || + big_creat_param->max_transport_latency > BLE_ISO_MAX_TRANSPORT_LATENCY_MAX) { + return ESP_ERR_INVALID_ARG; + } + if (big_creat_param->rtn > 0x1E) { + return ESP_ERR_INVALID_ARG; + } + if ((big_creat_param->phy != 0x01) && (big_creat_param->phy != 0x02) && (big_creat_param->phy != 0x04)) { + return ESP_ERR_INVALID_ARG; + } + if (big_creat_param->packing > 0x01) { + return ESP_ERR_INVALID_ARG; + } + if (big_creat_param->framing > BLE_ISO_FRAMING_FRAMED_PDU_UNSEGMENTABLE_MODE) { + return ESP_ERR_INVALID_ARG; + } + if (big_creat_param->encryption > 0x01) { return ESP_ERR_INVALID_ARG; } @@ -53,18 +88,58 @@ esp_err_t esp_ble_iso_create_big(esp_ble_iso_big_creat_params_t *big_creat_param esp_err_t esp_ble_iso_create_big_test(esp_ble_iso_big_creat_test_params_t *big_creat_test_param) { - btc_msg_t msg; + btc_msg_t msg = {0}; btc_ble_iso_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); if (big_creat_test_param == NULL) { return ESP_ERR_INVALID_ARG; } - - if (big_creat_test_param->num_bis > BLE_ISO_BIS_MAX_COUNT) { + if (big_creat_test_param->num_bis == 0 || big_creat_test_param->num_bis > BLE_ISO_BIS_MAX_COUNT) { return ESP_ERR_INVALID_ARG; } + if (big_creat_test_param->num_bis > ESP_BLE_MAX_BIS_NUM) { + return ESP_ERR_INVALID_ARG; + } + if (big_creat_test_param->sdu_interval < BLE_ISO_SDU_INT_MIN || big_creat_test_param->sdu_interval > BLE_ISO_SDU_INT_MAX) { + return ESP_ERR_INVALID_ARG; + } + if (big_creat_test_param->iso_interval < 0x0004 || big_creat_test_param->iso_interval > 0x0C80) { + return ESP_ERR_INVALID_ARG; + } + if (big_creat_test_param->nse == 0 || big_creat_test_param->nse > 0x1F) { + return ESP_ERR_INVALID_ARG; + } + if (big_creat_test_param->max_sdu < 0x0001 || big_creat_test_param->max_sdu > 0x0FFF) { + return ESP_ERR_INVALID_ARG; + } + if (big_creat_test_param->max_pdu < 0x0001 || big_creat_test_param->max_pdu > 0x00FB) { + return ESP_ERR_INVALID_ARG; + } + if ((big_creat_test_param->phy != 0x01) && (big_creat_test_param->phy != 0x02) && (big_creat_test_param->phy != 0x04)) { + return ESP_ERR_INVALID_ARG; + } + if (big_creat_test_param->framing > BLE_ISO_FRAMING_FRAMED_PDU_UNSEGMENTABLE_MODE) { + return ESP_ERR_INVALID_ARG; + } + if (big_creat_test_param->bn == 0 || big_creat_test_param->bn > 0x07) { + return ESP_ERR_INVALID_ARG; + } + if (big_creat_test_param->irc == 0 || big_creat_test_param->irc > 0x0F) { + return ESP_ERR_INVALID_ARG; + } + if (big_creat_test_param->encryption > 0x01) { + return ESP_ERR_INVALID_ARG; + } + if (big_creat_test_param->packing > 0x01) { + return ESP_ERR_INVALID_ARG; + } + if (big_creat_test_param->pto > 0x0F) { + return ESP_ERR_INVALID_ARG; + } + msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_ISO_BLE; @@ -78,11 +153,17 @@ esp_err_t esp_ble_iso_create_big_test(esp_ble_iso_big_creat_test_params_t *big_c esp_err_t esp_ble_iso_terminate_big(uint8_t big_handle, uint8_t reason) { - btc_msg_t msg; + btc_msg_t msg = {0}; btc_ble_iso_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); + /* big_handle: 0x00 to 0xEF */ + if (big_handle > 0xEF) { + return ESP_ERR_INVALID_ARG; + } + msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_ISO_BLE; msg.act = BTC_ISO_ACT_BIG_TERMINATE; @@ -93,23 +174,51 @@ esp_err_t esp_ble_iso_terminate_big(uint8_t big_handle, uint8_t reason) return (btc_transfer_context(&msg, &arg, sizeof(btc_ble_iso_args_t), NULL, NULL) == BT_STATUS_SUCCESS ? ESP_OK : ESP_FAIL); } -#endif // #if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#endif // #if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) #if (BLE_FEAT_ISO_BIG_SYNCER_EN == TRUE) esp_err_t esp_ble_iso_big_create_sync(esp_ble_iso_big_sync_creat_params_t *big_sync_create_param) { - btc_msg_t msg; + btc_msg_t msg = {0}; btc_ble_iso_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); if (big_sync_create_param == NULL) { return ESP_ERR_INVALID_ARG; } - - if (big_sync_create_param->num_bis > BLE_ISO_BIS_MAX_COUNT) { + /* num_bis: 0x01 to 0x1F, and not more than BLE_ISO_BIS_MAX_COUNT */ + if (big_sync_create_param->num_bis == 0 || big_sync_create_param->num_bis > BLE_ISO_BIS_MAX_COUNT) { return ESP_ERR_INVALID_ARG; } + if (big_sync_create_param->num_bis > ESP_BLE_MAX_BIS_NUM) { + return ESP_ERR_INVALID_ARG; + } + if (big_sync_create_param->big_handle > 0xEF) { + return ESP_ERR_INVALID_ARG; + } + /* sync_handle: 0x0000 to 0x0EFF */ + if (big_sync_create_param->sync_handle > 0x0EFF) { + return ESP_ERR_INVALID_ARG; + } + if (big_sync_create_param->encryption > 0x01) { + return ESP_ERR_INVALID_ARG; + } + /* mse: 0x00 to 0x1F */ + if (big_sync_create_param->mse > 0x1F) { + return ESP_ERR_INVALID_ARG; + } + /* big_sync_timeout: 0x000A to 0x4000 */ + if (big_sync_create_param->big_sync_timeout < 0x000A || big_sync_create_param->big_sync_timeout > 0x4000) { + return ESP_ERR_INVALID_ARG; + } + for (uint8_t k = 0; k < big_sync_create_param->num_bis; k++) { + /* BIS index: 0x01 to 0x1F */ + if (big_sync_create_param->bis[k] == 0 || big_sync_create_param->bis[k] > 0x1F) { + return ESP_ERR_INVALID_ARG; + } + } msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_ISO_BLE; @@ -127,19 +236,23 @@ esp_err_t esp_ble_iso_big_create_sync(esp_ble_iso_big_sync_creat_params_t *big_s arg.iso_big_sync_creat_params.bis[i] = big_sync_create_param->bis[i]; } - // memcpy(&arg.iso_big_sync_creat_params, big_sync_create_param, sizeof(esp_ble_iso_big_sync_creat_params_t)); - return (btc_transfer_context(&msg, &arg, sizeof(btc_ble_iso_args_t), NULL, NULL) == BT_STATUS_SUCCESS ? ESP_OK : ESP_FAIL); } esp_err_t esp_ble_iso_big_terminate_sync(uint8_t big_handle) { - btc_msg_t msg; + btc_msg_t msg = {0}; btc_ble_iso_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); + /* big_handle: 0x00 to 0xEF */ + if (big_handle > 0xEF) { + return ESP_ERR_INVALID_ARG; + } + msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_ISO_BLE; msg.act = BTC_ISO_ACT_BIG_SYNC_TERMINATE; @@ -155,6 +268,7 @@ esp_err_t esp_ble_iso_set_iso_data_path(esp_ble_iso_set_data_path_params_t *data { btc_msg_t msg = {0}; btc_ble_iso_args_t arg; + memset(&arg, 0, sizeof(arg)); if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; @@ -175,6 +289,10 @@ esp_err_t esp_ble_iso_set_iso_data_path(esp_ble_iso_set_data_path_params_t *data if (data_path_params->data_path_dir > ESP_BLE_ISO_DATA_PATH_DIR_OUTPUT) { return ESP_ERR_INVALID_ARG; } + /* controller_delay: 0x000000 to 0x3D0900 (0 to 4 s in microseconds) */ + if (data_path_params->controller_delay > 0x3D0900) { + return ESP_ERR_INVALID_ARG; + } msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_ISO_BLE; @@ -198,6 +316,7 @@ esp_err_t esp_ble_iso_remove_iso_data_path(esp_ble_iso_remove_data_path_params_t { btc_msg_t msg = {0}; btc_ble_iso_args_t arg; + memset(&arg, 0, sizeof(arg)); if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; @@ -226,6 +345,7 @@ esp_err_t esp_ble_iso_read_iso_tx_sync(uint16_t iso_handle) { btc_msg_t msg = {0}; btc_ble_iso_args_t arg; + memset(&arg, 0, sizeof(arg)); if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; @@ -244,6 +364,7 @@ esp_err_t esp_ble_iso_read_link_quality(uint16_t iso_handle) { btc_msg_t msg = {0}; btc_ble_iso_args_t arg; + memset(&arg, 0, sizeof(arg)); if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; @@ -261,14 +382,36 @@ esp_err_t esp_ble_iso_read_link_quality(uint16_t iso_handle) #if (BLE_FEAT_ISO_CIG_CENTRAL_EN == TRUE) esp_err_t esp_ble_iso_set_cig_parameters(struct esp_ble_iso_set_cig_params *cig_params) { - btc_msg_t msg; + btc_msg_t msg = {0}; btc_ble_iso_args_t arg; + memset(&arg, 0, sizeof(arg)); if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; } - if ((cig_params == NULL) || (cig_params->cis_cnt > BLE_ISO_CIS_MAX_COUNT)) { + if (cig_params == NULL) { + return ESP_ERR_INVALID_ARG; + } + if (cig_params->cis_cnt == 0 || cig_params->cis_cnt > BLE_ISO_CIS_MAX_COUNT) { + return ESP_ERR_INVALID_ARG; + } + if (cig_params->sdu_int_c_to_p < BLE_ISO_SDU_INT_MIN || cig_params->sdu_int_c_to_p > BLE_ISO_SDU_INT_MAX) { + return ESP_ERR_INVALID_ARG; + } + if (cig_params->sdu_int_p_to_c < BLE_ISO_SDU_INT_MIN || cig_params->sdu_int_p_to_c > BLE_ISO_SDU_INT_MAX) { + return ESP_ERR_INVALID_ARG; + } + if (cig_params->worse_case_SCA > BLE_ISO_WORST_CASE_SCA_LEVEL_20_PPM) { + return ESP_ERR_INVALID_ARG; + } + if (cig_params->framing > BLE_ISO_FRAMING_FRAMED_PDU_UNSEGMENTABLE_MODE) { + return ESP_ERR_INVALID_ARG; + } + if (cig_params->mtl_c_to_p < BLE_ISO_MAX_TRANSPORT_LATENCY_MIN || cig_params->mtl_c_to_p > BLE_ISO_MAX_TRANSPORT_LATENCY_MAX) { + return ESP_ERR_INVALID_ARG; + } + if (cig_params->mtl_p_to_c < BLE_ISO_MAX_TRANSPORT_LATENCY_MIN || cig_params->mtl_p_to_c > BLE_ISO_MAX_TRANSPORT_LATENCY_MAX) { return ESP_ERR_INVALID_ARG; } @@ -293,14 +436,33 @@ esp_err_t esp_ble_iso_set_cig_parameters(struct esp_ble_iso_set_cig_params *cig_ esp_err_t esp_ble_iso_set_cig_parameters_test(struct esp_ble_iso_set_cig_params_test *cig_params_test) { - btc_msg_t msg; + btc_msg_t msg = {0}; btc_ble_iso_args_t arg; + memset(&arg, 0, sizeof(arg)); if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; } - if ((cig_params_test == NULL) || (cig_params_test->cis_cnt > BLE_ISO_CIS_MAX_COUNT)) { + if (cig_params_test == NULL) { + return ESP_ERR_INVALID_ARG; + } + if (cig_params_test->cis_cnt == 0 || cig_params_test->cis_cnt > BLE_ISO_CIS_MAX_COUNT) { + return ESP_ERR_INVALID_ARG; + } + if (cig_params_test->sdu_int_c_to_p < BLE_ISO_SDU_INT_MIN || cig_params_test->sdu_int_c_to_p > BLE_ISO_SDU_INT_MAX) { + return ESP_ERR_INVALID_ARG; + } + if (cig_params_test->sdu_int_p_to_c < BLE_ISO_SDU_INT_MIN || cig_params_test->sdu_int_p_to_c > BLE_ISO_SDU_INT_MAX) { + return ESP_ERR_INVALID_ARG; + } + if (cig_params_test->iso_interval < 0x0004 || cig_params_test->iso_interval > 0x0C80) { + return ESP_ERR_INVALID_ARG; + } + if (cig_params_test->worse_case_SCA > BLE_ISO_WORST_CASE_SCA_LEVEL_20_PPM) { + return ESP_ERR_INVALID_ARG; + } + if (cig_params_test->framing > BLE_ISO_FRAMING_FRAMED_PDU_UNSEGMENTABLE_MODE) { return ESP_ERR_INVALID_ARG; } @@ -326,14 +488,18 @@ esp_err_t esp_ble_iso_set_cig_parameters_test(struct esp_ble_iso_set_cig_params_ esp_err_t esp_ble_iso_create_cis(struct esp_ble_iso_create_cis_params *creat_cis_params) { - btc_msg_t msg; + btc_msg_t msg = {0}; btc_ble_iso_args_t arg; + memset(&arg, 0, sizeof(arg)); if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; } - if ((creat_cis_params == NULL) || (creat_cis_params->cis_count > BLE_ISO_CIS_MAX_COUNT)) { + if (creat_cis_params == NULL) { + return ESP_ERR_INVALID_ARG; + } + if (creat_cis_params->cis_count == 0 || creat_cis_params->cis_count > BLE_ISO_CIS_MAX_COUNT) { return ESP_ERR_INVALID_ARG; } @@ -355,13 +521,19 @@ esp_err_t esp_ble_iso_create_cis(struct esp_ble_iso_create_cis_params *creat_cis esp_err_t esp_ble_iso_remove_cig(uint8_t cig_id) { - btc_msg_t msg; + btc_msg_t msg = {0}; btc_ble_iso_args_t arg; + memset(&arg, 0, sizeof(arg)); if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; } + /* cig_id: 0x00 to 0xEF */ + if (cig_id > 0xEF) { + return ESP_ERR_INVALID_ARG; + } + msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_ISO_BLE; msg.act = BTC_ISO_ACT_REMOVE_CIG; @@ -375,12 +547,17 @@ esp_err_t esp_ble_iso_remove_cig(uint8_t cig_id) #if (BLE_FEAT_ISO_CIG_PERIPHERAL_EN == TRUE) esp_err_t esp_ble_iso_accept_cis_request(uint16_t cis_handle) { - btc_msg_t msg; + btc_msg_t msg = {0}; btc_ble_iso_args_t arg; + memset(&arg, 0, sizeof(arg)); if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; } + /* Connection handle range: 0x0000 to 0x0EFF */ + if (cis_handle > 0x0EFF) { + return ESP_ERR_INVALID_ARG; + } msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_ISO_BLE; @@ -393,12 +570,16 @@ esp_err_t esp_ble_iso_accept_cis_request(uint16_t cis_handle) esp_err_t esp_ble_iso_reject_cis_request(uint16_t cis_handle, uint8_t reason) { - btc_msg_t msg; + btc_msg_t msg = {0}; btc_ble_iso_args_t arg; + memset(&arg, 0, sizeof(arg)); if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; } + if (cis_handle > 0x0EFF) { + return ESP_ERR_INVALID_ARG; + } msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_ISO_BLE; @@ -414,12 +595,16 @@ esp_err_t esp_ble_iso_reject_cis_request(uint16_t cis_handle, uint8_t reason) #if (BLE_FEAT_ISO_CIG_EN == TRUE) esp_err_t esp_ble_iso_disconnect_cis(uint16_t cis_handle, uint8_t reason) { - btc_msg_t msg; + btc_msg_t msg = {0}; btc_ble_iso_args_t arg; + memset(&arg, 0, sizeof(arg)); if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; } + if (cis_handle > 0x0EFF) { + return ESP_ERR_INVALID_ARG; + } msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_ISO_BLE; diff --git a/components/bt/host/bluedroid/api/esp_bluedroid_hci.c b/components/bt/host/bluedroid/api/esp_bluedroid_hci.c index 82f0246e3e..3dcaee9e38 100644 --- a/components/bt/host/bluedroid/api/esp_bluedroid_hci.c +++ b/components/bt/host/bluedroid/api/esp_bluedroid_hci.c @@ -81,6 +81,8 @@ void hci_host_send_packet(uint8_t *data, uint16_t len) #else /* BT_CONTROLLER_INCLUDED == TRUE */ if (s_hci_driver_ops.send) { s_hci_driver_ops.send(data, len); + } else { + ESP_LOGE(LOG_TAG, "%s send function is not registered", __func__); } #endif /* BT_CONTROLLER_INCLUDED == TRUE */ } diff --git a/components/bt/host/bluedroid/api/esp_bt_main.c b/components/bt/host/bluedroid/api/esp_bt_main.c index a728e81c35..fd5a0e2a92 100644 --- a/components/bt/host/bluedroid/api/esp_bt_main.c +++ b/components/bt/host/bluedroid/api/esp_bt_main.c @@ -52,6 +52,7 @@ esp_err_t esp_bluedroid_enable(void) msg.act = BTC_MAIN_ACT_ENABLE; if (btc_transfer_context(&msg, NULL, 0, NULL, NULL) != BT_STATUS_SUCCESS) { + future_free(*future_p); LOG_ERROR("Bluedroid enable failed\n"); return ESP_FAIL; } @@ -163,6 +164,9 @@ esp_err_t esp_bluedroid_init_with_cfg(esp_bluedroid_config_t *cfg) ret = bluedroid_config_init(cfg); if (ret != BT_STATUS_SUCCESS) { LOG_ERROR("Bluedroid stack initialize fail, ret:%d", ret); +#if HEAP_MEMORY_STATS + osi_mem_deinit(); +#endif return ESP_FAIL; } @@ -172,6 +176,11 @@ esp_err_t esp_bluedroid_init_with_cfg(esp_bluedroid_config_t *cfg) ret = btc_init(); if (ret != BT_STATUS_SUCCESS) { LOG_ERROR("Bluedroid Initialize Fail"); + bluedroid_config_deinit(); +#if HEAP_MEMORY_STATS + osi_mem_deinit(); +#endif + return ESP_FAIL; } @@ -179,6 +188,12 @@ esp_err_t esp_bluedroid_init_with_cfg(esp_bluedroid_config_t *cfg) *future_p = future_new(); if (*future_p == NULL) { LOG_ERROR("Bluedroid Initialize Fail!"); + btc_deinit(); + bluedroid_config_deinit(); +#if HEAP_MEMORY_STATS + osi_mem_deinit(); +#endif + return ESP_ERR_NO_MEM; } @@ -188,11 +203,22 @@ esp_err_t esp_bluedroid_init_with_cfg(esp_bluedroid_config_t *cfg) if (btc_transfer_context(&msg, NULL, 0, NULL, NULL) != BT_STATUS_SUCCESS) { LOG_ERROR("Bluedroid Initialize Fail"); + future_free(*future_p); + btc_deinit(); + bluedroid_config_deinit(); +#if HEAP_MEMORY_STATS + osi_mem_deinit(); +#endif return ESP_FAIL; } if (future_await(*future_p) == FUTURE_FAIL) { LOG_ERROR("Bluedroid Initialize Fail"); + btc_deinit(); + bluedroid_config_deinit(); +#if HEAP_MEMORY_STATS + osi_mem_deinit(); +#endif return ESP_FAIL; } diff --git a/components/bt/host/bluedroid/api/esp_gap_ble_api.c b/components/bt/host/bluedroid/api/esp_gap_ble_api.c index 7dfe9dd3dd..32745bd192 100644 --- a/components/bt/host/bluedroid/api/esp_gap_ble_api.c +++ b/components/bt/host/bluedroid/api/esp_gap_ble_api.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2015-2026 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -33,6 +33,7 @@ esp_err_t esp_ble_gap_config_adv_data(esp_ble_adv_data_t *adv_data) { btc_msg_t msg = {0}; btc_ble_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -59,6 +60,7 @@ esp_err_t esp_ble_gap_set_scan_params(esp_ble_scan_params_t *scan_params) { btc_msg_t msg = {0}; btc_ble_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -78,6 +80,7 @@ esp_err_t esp_ble_gap_start_scanning(uint32_t duration) { btc_msg_t msg = {0}; btc_ble_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -92,7 +95,7 @@ esp_err_t esp_ble_gap_start_scanning(uint32_t duration) esp_err_t esp_ble_gap_stop_scanning(void) { - btc_msg_t msg; + btc_msg_t msg = {0}; ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -108,6 +111,7 @@ esp_err_t esp_ble_gap_start_advertising(esp_ble_adv_params_t *adv_params) { btc_msg_t msg = {0}; btc_ble_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -125,7 +129,7 @@ esp_err_t esp_ble_gap_start_advertising(esp_ble_adv_params_t *adv_params) esp_err_t esp_ble_gap_stop_advertising(void) { - btc_msg_t msg; + btc_msg_t msg = {0}; ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -142,6 +146,7 @@ esp_err_t esp_ble_gap_update_conn_params(esp_ble_conn_update_params_t *params) { btc_msg_t msg = {0}; btc_ble_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); if(!params) { @@ -172,6 +177,7 @@ esp_err_t esp_ble_gap_set_pkt_data_len(esp_bd_addr_t remote_device, uint16_t tx_ { btc_msg_t msg = {0}; btc_ble_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -218,6 +224,7 @@ esp_err_t esp_ble_gap_set_rand_addr(esp_bd_addr_t rand_addr) { btc_msg_t msg = {0}; btc_ble_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -243,6 +250,7 @@ esp_err_t esp_ble_gap_set_resolvable_private_address_timeout(uint16_t rpa_timeou btc_msg_t msg = {0}; btc_ble_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_GAP_BLE; @@ -263,6 +271,7 @@ esp_err_t esp_ble_gap_add_device_to_resolving_list(esp_bd_addr_t peer_addr, uint btc_msg_t msg = {0}; btc_ble_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_GAP_BLE; @@ -277,7 +286,7 @@ esp_err_t esp_ble_gap_add_device_to_resolving_list(esp_bd_addr_t peer_addr, uint esp_err_t esp_ble_gap_clear_rand_addr(void) { - btc_msg_t msg; + btc_msg_t msg = {0}; ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -292,6 +301,7 @@ esp_err_t esp_ble_gap_config_local_privacy (bool privacy_enable) { btc_msg_t msg = {0}; btc_ble_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -307,6 +317,7 @@ esp_err_t esp_ble_gap_config_local_icon (uint16_t icon) { btc_msg_t msg = {0}; btc_ble_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -322,6 +333,7 @@ esp_err_t esp_ble_gap_update_whitelist(bool add_remove, esp_bd_addr_t remote_bda { btc_msg_t msg = {0}; btc_ble_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; @@ -342,7 +354,7 @@ esp_err_t esp_ble_gap_update_whitelist(bool add_remove, esp_bd_addr_t remote_bda esp_err_t esp_ble_gap_clear_whitelist(void) { - btc_msg_t msg; + btc_msg_t msg = {0}; if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; @@ -359,6 +371,7 @@ esp_err_t esp_ble_gap_get_whitelist_size(uint16_t *length) if (length == NULL) { return ESP_FAIL; } + ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); btc_get_whitelist_size(length); return ESP_OK; @@ -370,6 +383,7 @@ esp_err_t esp_ble_gap_set_prefer_conn_params(esp_bd_addr_t bd_addr, { btc_msg_t msg = {0}; btc_ble_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; @@ -408,6 +422,7 @@ esp_err_t esp_ble_gap_set_device_name(const char *name) { btc_msg_t msg = {0}; btc_ble_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; @@ -445,6 +460,7 @@ esp_err_t esp_ble_gap_set_key_material(const uint8_t session_key[16], const uint { btc_msg_t msg = {0}; btc_ble_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -507,6 +523,7 @@ esp_err_t esp_ble_gap_config_adv_data_raw(uint8_t *raw_data, uint32_t raw_data_l { btc_msg_t msg = {0}; btc_ble_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -517,7 +534,8 @@ esp_err_t esp_ble_gap_config_adv_data_raw(uint8_t *raw_data, uint32_t raw_data_l msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_GAP_BLE; msg.act = BTC_GAP_BLE_ACT_CFG_ADV_DATA_RAW; - arg.cfg_adv_data_raw.raw_adv = raw_data; + // Check if raw_data_len is 0 and raw_data is not NULL + arg.cfg_adv_data_raw.raw_adv = (raw_data_len > 0) ? raw_data : NULL; arg.cfg_adv_data_raw.raw_adv_len = raw_data_len; return (btc_transfer_context(&msg, &arg, sizeof(btc_ble_gap_args_t), btc_gap_ble_arg_deep_copy, @@ -529,6 +547,7 @@ esp_err_t esp_ble_gap_config_scan_rsp_data_raw(uint8_t *raw_data, uint32_t raw_d { btc_msg_t msg = {0}; btc_ble_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -539,7 +558,8 @@ esp_err_t esp_ble_gap_config_scan_rsp_data_raw(uint8_t *raw_data, uint32_t raw_d msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_GAP_BLE; msg.act = BTC_GAP_BLE_ACT_CFG_SCAN_RSP_DATA_RAW; - arg.cfg_scan_rsp_data_raw.raw_scan_rsp = raw_data; + // Check if raw_data_len is 0 and raw_data is not NULL + arg.cfg_scan_rsp_data_raw.raw_scan_rsp = (raw_data_len > 0) ? raw_data : NULL; arg.cfg_scan_rsp_data_raw.raw_scan_rsp_len = raw_data_len; return (btc_transfer_context(&msg, &arg, sizeof(btc_ble_gap_args_t), btc_gap_ble_arg_deep_copy, @@ -553,6 +573,7 @@ esp_err_t esp_ble_gap_read_rssi(esp_bd_addr_t remote_addr) { btc_msg_t msg = {0}; btc_ble_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; @@ -576,6 +597,7 @@ esp_err_t esp_ble_gap_add_duplicate_scan_exceptional_device(esp_ble_duplicate_ex { btc_msg_t msg = {0}; btc_ble_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; @@ -600,6 +622,7 @@ esp_err_t esp_ble_gap_remove_duplicate_scan_exceptional_device(esp_ble_duplicate { btc_msg_t msg = {0}; btc_ble_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; @@ -624,6 +647,7 @@ esp_err_t esp_ble_gap_clean_duplicate_scan_exceptional_list(esp_duplicate_scan_e { btc_msg_t msg = {0}; btc_ble_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; @@ -671,6 +695,7 @@ esp_err_t esp_ble_gap_set_security_param(esp_ble_sm_param_t param_type, } btc_msg_t msg = {0}; btc_ble_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -689,6 +714,7 @@ esp_err_t esp_ble_set_encryption(esp_bd_addr_t bd_addr, esp_ble_sec_act_t sec_ac { btc_msg_t msg = {0}; btc_ble_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -710,6 +736,7 @@ esp_err_t esp_ble_gap_security_rsp(esp_bd_addr_t bd_addr, bool accept) { btc_msg_t msg = {0}; btc_ble_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -732,6 +759,7 @@ esp_err_t esp_ble_passkey_reply(esp_bd_addr_t bd_addr, bool accept, uint32_t pas { btc_msg_t msg = {0}; btc_ble_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -742,9 +770,9 @@ esp_err_t esp_ble_passkey_reply(esp_bd_addr_t bd_addr, bool accept, uint32_t pas msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_GAP_BLE; msg.act = BTC_GAP_BLE_PASSKEY_REPLY_EVT; - arg.enc_passkey_replay.accept = accept; - arg.enc_passkey_replay.passkey = passkey; - memcpy(arg.enc_passkey_replay.bd_addr, bd_addr, ESP_BD_ADDR_LEN); + arg.enc_passkey_reply.accept = accept; + arg.enc_passkey_reply.passkey = passkey; + memcpy(arg.enc_passkey_reply.bd_addr, bd_addr, ESP_BD_ADDR_LEN); return (btc_transfer_context(&msg, &arg, sizeof(btc_ble_gap_args_t), NULL, NULL) == BT_STATUS_SUCCESS ? ESP_OK : ESP_FAIL); @@ -754,6 +782,7 @@ esp_err_t esp_ble_confirm_reply(esp_bd_addr_t bd_addr, bool accept) { btc_msg_t msg = {0}; btc_ble_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -764,8 +793,8 @@ esp_err_t esp_ble_confirm_reply(esp_bd_addr_t bd_addr, bool accept) msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_GAP_BLE; msg.act = BTC_GAP_BLE_CONFIRM_REPLY_EVT; - arg.enc_comfirm_replay.accept = accept; - memcpy(arg.enc_comfirm_replay.bd_addr, bd_addr, ESP_BD_ADDR_LEN); + arg.enc_confirm_reply.accept = accept; + memcpy(arg.enc_confirm_reply.bd_addr, bd_addr, ESP_BD_ADDR_LEN); return (btc_transfer_context(&msg, &arg, sizeof(btc_ble_gap_args_t), NULL, NULL) == BT_STATUS_SUCCESS ? ESP_OK : ESP_FAIL); @@ -775,6 +804,9 @@ esp_err_t esp_ble_remove_bond_device(esp_bd_addr_t bd_addr) { btc_msg_t msg = {0}; btc_ble_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); + + ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); if (bd_addr == NULL) { return ESP_ERR_INVALID_ARG; @@ -831,6 +863,7 @@ esp_err_t esp_ble_oob_req_reply(esp_bd_addr_t bd_addr, uint8_t *TK, uint8_t len) btc_msg_t msg = {0}; btc_ble_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -853,6 +886,7 @@ esp_err_t esp_ble_sc_oob_req_reply(esp_bd_addr_t bd_addr, uint8_t p_c[16], uint8 btc_msg_t msg = {0}; btc_ble_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -871,6 +905,8 @@ esp_err_t esp_ble_create_sc_oob_data(void) { btc_msg_t msg = {0}; + ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); + msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_GAP_BLE; msg.act = BTC_GAP_BLE_SC_CR_OOB_DATA_EVT; @@ -905,6 +941,7 @@ esp_err_t esp_ble_gap_disconnect(esp_bd_addr_t remote_device) { btc_msg_t msg = {0}; btc_ble_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -922,10 +959,11 @@ esp_err_t esp_ble_gap_disconnect(esp_bd_addr_t remote_device) esp_err_t esp_ble_get_current_conn_params(esp_bd_addr_t bd_addr, esp_gap_conn_params_t *conn_params) { - if(!bd_addr || !conn_params) { + if (!bd_addr || !conn_params) { return ESP_ERR_INVALID_ARG; } - if(BTM_GetCurrentConnParams(bd_addr, &conn_params->interval, &conn_params->latency, &conn_params->timeout)) { + ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); + if (BTM_GetCurrentConnParams(bd_addr, &conn_params->interval, &conn_params->latency, &conn_params->timeout)) { return ESP_OK; } return ESP_ERR_NOT_FOUND; @@ -935,6 +973,7 @@ esp_err_t esp_gap_ble_set_channels(esp_gap_ble_channels channels) { btc_msg_t msg = {0}; btc_ble_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; @@ -959,8 +998,9 @@ esp_err_t esp_ble_gap_read_channel_map(esp_bd_addr_t bd_addr) return ESP_ERR_INVALID_ARG; } - btc_msg_t msg; + btc_msg_t msg = {0}; btc_ble_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -978,6 +1018,7 @@ esp_err_t esp_gap_ble_set_authorization(esp_bd_addr_t bd_addr, bool authorize) if (!bd_addr) { return ESP_ERR_INVALID_ARG; } + ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); if (BTM_Ble_Authorization(bd_addr, authorize)) { return ESP_OK; } @@ -989,6 +1030,7 @@ esp_err_t esp_ble_dtm_tx_start(const esp_ble_dtm_tx_t *tx_params) { btc_msg_t msg = {0}; btc_ble_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); if (!tx_params) { return ESP_ERR_INVALID_ARG; @@ -1009,6 +1051,7 @@ esp_err_t esp_ble_dtm_rx_start(const esp_ble_dtm_rx_t *rx_params) { btc_msg_t msg = {0}; btc_ble_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); if (!rx_params) { return ESP_ERR_INVALID_ARG; @@ -1031,6 +1074,7 @@ esp_err_t esp_ble_dtm_enh_tx_start(const esp_ble_dtm_enh_tx_t *tx_params) { btc_msg_t msg = {0}; btc_ble_5_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); if (!tx_params) { return ESP_ERR_INVALID_ARG; @@ -1051,6 +1095,7 @@ esp_err_t esp_ble_dtm_enh_rx_start(const esp_ble_dtm_enh_rx_t *rx_params) { btc_msg_t msg = {0}; btc_ble_5_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); if (!rx_params) { return ESP_ERR_INVALID_ARG; @@ -1085,11 +1130,16 @@ esp_err_t esp_ble_dtm_stop(void) esp_err_t esp_ble_gap_set_privacy_mode(esp_ble_addr_type_t addr_type, esp_bd_addr_t addr, esp_ble_privacy_mode_t mode) { - btc_msg_t msg; + btc_msg_t msg = {0}; btc_ble_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); + if (addr == NULL) { + return ESP_ERR_INVALID_ARG; + } + msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_GAP_BLE; msg.act = BTC_GAP_BLE_SET_PRIVACY_MODE; @@ -1106,11 +1156,16 @@ esp_err_t esp_ble_gap_set_privacy_mode(esp_ble_addr_type_t addr_type, esp_bd_add esp_err_t esp_ble_gap_read_phy(esp_bd_addr_t bd_addr) { - btc_msg_t msg; + btc_msg_t msg = {0}; btc_ble_5_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); + if (bd_addr == NULL) { + return ESP_ERR_INVALID_ARG; + } + msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_GAP_BLE; msg.act = BTC_GAP_BLE_READ_PHY; @@ -1123,8 +1178,9 @@ esp_err_t esp_ble_gap_read_phy(esp_bd_addr_t bd_addr) esp_err_t esp_ble_gap_set_preferred_default_phy(esp_ble_gap_phy_mask_t tx_phy_mask, esp_ble_gap_phy_mask_t rx_phy_mask) { - btc_msg_t msg; + btc_msg_t msg = {0}; btc_ble_5_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -1144,11 +1200,16 @@ esp_err_t esp_ble_gap_set_preferred_phy(esp_bd_addr_t bd_addr, esp_ble_gap_phy_mask_t rx_phy_mask, esp_ble_gap_prefer_phy_options_t phy_options) { - btc_msg_t msg; + btc_msg_t msg = {0}; btc_ble_5_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); + if (bd_addr == NULL) { + return ESP_ERR_INVALID_ARG; + } + msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_GAP_BLE; msg.act = BTC_GAP_BLE_SET_DEF_PHY; @@ -1164,11 +1225,16 @@ esp_err_t esp_ble_gap_set_preferred_phy(esp_bd_addr_t bd_addr, #if (BLE_50_EXTEND_ADV_EN == TRUE) esp_err_t esp_ble_gap_ext_adv_set_rand_addr(uint8_t instance, esp_bd_addr_t rand_addr) { - btc_msg_t msg; + btc_msg_t msg = {0}; btc_ble_5_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); + if (rand_addr == NULL) { + return ESP_ERR_INVALID_ARG; + } + msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_GAP_BLE; msg.act = BTC_GAP_BLE_SET_EXT_ADV_RAND_ADDR; @@ -1183,8 +1249,9 @@ esp_err_t esp_ble_gap_ext_adv_set_rand_addr(uint8_t instance, esp_bd_addr_t rand esp_err_t esp_ble_gap_ext_adv_set_params(uint8_t instance, const esp_ble_gap_ext_adv_params_t *params) { - btc_msg_t msg; + btc_msg_t msg = {0}; btc_ble_5_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -1216,11 +1283,17 @@ esp_err_t esp_ble_gap_ext_adv_set_params(uint8_t instance, esp_err_t esp_ble_gap_config_ext_adv_data_raw(uint8_t instance, uint16_t length, const uint8_t *data) { - btc_msg_t msg; + btc_msg_t msg = {0}; btc_ble_5_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); + if (length != 0 && data == NULL) { + return ESP_ERR_INVALID_ARG; + } + + msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_GAP_BLE; msg.act = BTC_GAP_BLE_CFG_EXT_ADV_DATA_RAW; @@ -1236,11 +1309,16 @@ esp_err_t esp_ble_gap_config_ext_adv_data_raw(uint8_t instance, uint16_t length, esp_err_t esp_ble_gap_config_ext_scan_rsp_data_raw(uint8_t instance, uint16_t length, const uint8_t *scan_rsp_data) { - btc_msg_t msg; + btc_msg_t msg = {0}; btc_ble_5_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); + if (length != 0 && scan_rsp_data == NULL) { + return ESP_ERR_INVALID_ARG; + } + msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_GAP_BLE; msg.act = BTC_GAP_BLE_CFG_EXT_SCAN_RSP_DATA_RAW; @@ -1255,11 +1333,17 @@ esp_err_t esp_ble_gap_config_ext_scan_rsp_data_raw(uint8_t instance, uint16_t le esp_err_t esp_ble_gap_ext_adv_start(uint8_t num_adv, const esp_ble_gap_ext_adv_t *ext_adv) { - btc_msg_t msg; + btc_msg_t msg = {0}; btc_ble_5_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); + if (num_adv == 0 || ext_adv == NULL) { + return ESP_ERR_INVALID_ARG; + } + + msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_GAP_BLE; msg.act = BTC_GAP_BLE_EXT_ADV_START; @@ -1273,11 +1357,16 @@ esp_err_t esp_ble_gap_ext_adv_start(uint8_t num_adv, const esp_ble_gap_ext_adv_t esp_err_t esp_ble_gap_ext_adv_stop(uint8_t num_adv, const uint8_t *ext_adv_inst) { - btc_msg_t msg; + btc_msg_t msg = {0}; btc_ble_5_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); + if (num_adv > 0 && ext_adv_inst == NULL) { + return ESP_ERR_INVALID_ARG; + } + msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_GAP_BLE; msg.act = BTC_GAP_BLE_EXT_ADV_STOP; @@ -1291,8 +1380,9 @@ esp_err_t esp_ble_gap_ext_adv_stop(uint8_t num_adv, const uint8_t *ext_adv_inst) esp_err_t esp_ble_gap_ext_adv_set_remove(uint8_t instance) { - btc_msg_t msg; + btc_msg_t msg = {0}; btc_ble_5_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -1307,7 +1397,7 @@ esp_err_t esp_ble_gap_ext_adv_set_remove(uint8_t instance) esp_err_t esp_ble_gap_ext_adv_set_clear(void) { - btc_msg_t msg; + btc_msg_t msg = {0}; ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -1322,11 +1412,17 @@ esp_err_t esp_ble_gap_ext_adv_set_clear(void) #if (BLE_50_PERIODIC_ADV_EN == TRUE) esp_err_t esp_ble_gap_periodic_adv_set_params(uint8_t instance, const esp_ble_gap_periodic_adv_params_t *params) { - btc_msg_t msg; + btc_msg_t msg = {0}; btc_ble_5_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); + if (params == NULL) { + return ESP_ERR_INVALID_ARG; + } + + msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_GAP_BLE; msg.act = BTC_GAP_BLE_SET_PERIODIC_ADV_PARAMS; @@ -1347,11 +1443,18 @@ esp_err_t esp_ble_gap_config_periodic_adv_data_raw(uint8_t instance, uint16_t le const uint8_t *data) #endif { - btc_msg_t msg; + btc_msg_t msg = {0}; btc_ble_5_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); + if (length != 0 && data == NULL) + { + return ESP_ERR_INVALID_ARG; + } + + msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_GAP_BLE; msg.act = BTC_GAP_BLE_CFG_PERIODIC_ADV_DATA_RAW; @@ -1376,8 +1479,9 @@ esp_err_t esp_ble_gap_periodic_adv_start(uint8_t instance,bool include_adi) esp_err_t esp_ble_gap_periodic_adv_start(uint8_t instance) #endif { - btc_msg_t msg; + btc_msg_t msg = {0}; btc_ble_5_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -1399,8 +1503,9 @@ esp_err_t esp_ble_gap_periodic_adv_start(uint8_t instance) esp_err_t esp_ble_gap_periodic_adv_stop(uint8_t instance) { - btc_msg_t msg; + btc_msg_t msg = {0}; btc_ble_5_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -1419,11 +1524,17 @@ esp_err_t esp_ble_gap_periodic_adv_stop(uint8_t instance) #if (BLE_50_EXTEND_SYNC_EN == TRUE) esp_err_t esp_ble_gap_periodic_adv_create_sync(const esp_ble_gap_periodic_adv_sync_params_t *params) { - btc_msg_t msg; + btc_msg_t msg = {0}; btc_ble_5_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); + if (params == NULL) { + return ESP_ERR_INVALID_ARG; + } + + msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_GAP_BLE; msg.act = BTC_GAP_BLE_PERIODIC_ADV_CREATE_SYNC; @@ -1437,7 +1548,7 @@ esp_err_t esp_ble_gap_periodic_adv_create_sync(const esp_ble_gap_periodic_adv_sy esp_err_t esp_ble_gap_periodic_adv_sync_cancel(void) { - btc_msg_t msg; + btc_msg_t msg = {0}; ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -1452,8 +1563,9 @@ esp_err_t esp_ble_gap_periodic_adv_sync_cancel(void) esp_err_t esp_ble_gap_periodic_adv_sync_terminate(uint16_t sync_handle) { - btc_msg_t msg; + btc_msg_t msg = {0}; btc_ble_5_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -1471,11 +1583,16 @@ esp_err_t esp_ble_gap_periodic_adv_add_dev_to_list(esp_ble_addr_type_t addr_type esp_bd_addr_t addr, uint8_t sid) { - btc_msg_t msg; + btc_msg_t msg = {0}; btc_ble_5_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); + if (addr == NULL) { + return ESP_ERR_INVALID_ARG; + } + msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_GAP_BLE; msg.act = BTC_GAP_BLE_PERIODIC_ADV_ADD_DEV_TO_LIST; @@ -1495,11 +1612,16 @@ esp_err_t esp_ble_gap_periodic_adv_remove_dev_from_list(esp_ble_addr_type_t addr esp_bd_addr_t addr, uint8_t sid) { - btc_msg_t msg; + btc_msg_t msg = {0}; btc_ble_5_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); + if (addr == NULL) { + return ESP_ERR_INVALID_ARG; + } + msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_GAP_BLE; msg.act = BTC_GAP_BLE_PERIODIC_REMOVE_ADD_DEV_FROM_LIST; @@ -1517,7 +1639,7 @@ esp_err_t esp_ble_gap_periodic_adv_remove_dev_from_list(esp_ble_addr_type_t addr esp_err_t esp_ble_gap_periodic_adv_clear_dev(void) { - btc_msg_t msg; + btc_msg_t msg = {0}; ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -1535,6 +1657,7 @@ esp_err_t esp_ble_gap_get_periodic_list_size(uint8_t *size) if (size == NULL) { return ESP_FAIL; } + ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); btc_get_periodic_list_size(size); return ESP_OK; @@ -1545,8 +1668,9 @@ esp_err_t esp_ble_gap_get_periodic_list_size(uint8_t *size) #if (BLE_50_EXTEND_SCAN_EN == TRUE) esp_err_t esp_ble_gap_set_ext_scan_params(const esp_ble_ext_scan_params_t *params) { - btc_msg_t msg; + btc_msg_t msg = {0}; btc_ble_5_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); if (!params) { return ESP_ERR_INVALID_ARG; @@ -1566,8 +1690,9 @@ esp_err_t esp_ble_gap_set_ext_scan_params(const esp_ble_ext_scan_params_t *param esp_err_t esp_ble_gap_start_ext_scan(uint32_t duration, uint16_t period) { - btc_msg_t msg; + btc_msg_t msg = {0}; btc_ble_5_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -1584,7 +1709,7 @@ esp_err_t esp_ble_gap_start_ext_scan(uint32_t duration, uint16_t period) esp_err_t esp_ble_gap_stop_ext_scan(void) { - btc_msg_t msg; + btc_msg_t msg = {0}; ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -1602,11 +1727,16 @@ esp_err_t esp_ble_gap_prefer_ext_connect_params_set(esp_bd_addr_t addr, const esp_ble_gap_conn_params_t *phy_2m_conn_params, const esp_ble_gap_conn_params_t *phy_coded_conn_params) { - btc_msg_t msg; + btc_msg_t msg = {0}; btc_ble_5_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); + if (addr == NULL) { + return ESP_ERR_INVALID_ARG; + } + msg.sig = BTC_SIG_API_CALL; msg.pid = BTC_PID_GAP_BLE; msg.act = BTC_GAP_BLE_SET_EXT_PEFER_CONNET_PARAMS; @@ -1614,7 +1744,7 @@ esp_err_t esp_ble_gap_prefer_ext_connect_params_set(esp_bd_addr_t addr, arg.set_ext_conn_params.phy_mask = phy_mask; if (phy_mask & ESP_BLE_GAP_PHY_1M_PREF_MASK) { if (!phy_1m_conn_params) { - return BT_STATUS_PARM_INVALID; + return ESP_ERR_INVALID_ARG; } if (ESP_BLE_IS_VALID_PARAM(phy_1m_conn_params->interval_min, ESP_BLE_CONN_INT_MIN, ESP_BLE_CONN_INT_MAX) && @@ -1638,7 +1768,7 @@ esp_err_t esp_ble_gap_prefer_ext_connect_params_set(esp_bd_addr_t addr, if (phy_mask & ESP_BLE_GAP_PHY_2M_PREF_MASK) { if (!phy_2m_conn_params) { - return BT_STATUS_PARM_INVALID; + return ESP_ERR_INVALID_ARG; } if (ESP_BLE_IS_VALID_PARAM(phy_2m_conn_params->interval_min, ESP_BLE_CONN_INT_MIN, ESP_BLE_CONN_INT_MAX) && @@ -1662,7 +1792,7 @@ esp_err_t esp_ble_gap_prefer_ext_connect_params_set(esp_bd_addr_t addr, if (phy_mask & ESP_BLE_GAP_PHY_CODED_PREF_MASK) { if (!phy_coded_conn_params) { - return BT_STATUS_PARM_INVALID; + return ESP_ERR_INVALID_ARG; } if (ESP_BLE_IS_VALID_PARAM(phy_coded_conn_params->interval_min, ESP_BLE_CONN_INT_MIN, ESP_BLE_CONN_INT_MAX) && @@ -1696,8 +1826,9 @@ esp_err_t esp_ble_gap_prefer_ext_connect_params_set(esp_bd_addr_t addr, #if (BLE_FEAT_PERIODIC_ADV_SYNC_TRANSFER == TRUE) esp_err_t esp_ble_gap_periodic_adv_recv_enable(uint16_t sync_handle, uint8_t enable) { - btc_msg_t msg; + btc_msg_t msg = {0}; btc_ble_5_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -1714,8 +1845,9 @@ esp_err_t esp_ble_gap_periodic_adv_recv_enable(uint16_t sync_handle, uint8_t ena esp_err_t esp_ble_gap_periodic_adv_sync_trans(esp_bd_addr_t addr, uint16_t service_data, uint16_t sync_handle) { - btc_msg_t msg; + btc_msg_t msg = {0}; btc_ble_5_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -1737,8 +1869,9 @@ esp_err_t esp_ble_gap_periodic_adv_sync_trans(esp_bd_addr_t addr, uint16_t servi esp_err_t esp_ble_gap_periodic_adv_set_info_trans(esp_bd_addr_t addr, uint16_t service_data, uint8_t adv_handle) { - btc_msg_t msg; + btc_msg_t msg = {0}; btc_ble_5_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -1760,8 +1893,9 @@ esp_err_t esp_ble_gap_periodic_adv_set_info_trans(esp_bd_addr_t addr, uint16_t s esp_err_t esp_ble_gap_set_periodic_adv_sync_trans_params(esp_bd_addr_t addr, const esp_ble_gap_past_params_t *params) { - btc_msg_t msg; + btc_msg_t msg = {0}; btc_ble_5_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -1790,6 +1924,7 @@ esp_err_t esp_ble_gap_vendor_command_send(esp_ble_vendor_cmd_params_t *vendor_cm { btc_msg_t msg = {0}; btc_ble_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; @@ -1818,6 +1953,7 @@ esp_err_t esp_ble_gap_set_vendor_event_mask(esp_ble_vendor_evt_mask_t event_mask { btc_msg_t msg = {0}; btc_ble_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; @@ -1834,7 +1970,7 @@ esp_err_t esp_ble_gap_set_vendor_event_mask(esp_ble_vendor_evt_mask_t event_mask esp_err_t esp_ble_gap_clear_advertising(void) { - btc_msg_t msg; + btc_msg_t msg = {0}; ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -1847,8 +1983,9 @@ esp_err_t esp_ble_gap_clear_advertising(void) esp_err_t esp_ble_gap_set_csa_support(uint8_t csa_select) { - btc_msg_t msg; + btc_msg_t msg = {0}; btc_ble_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -1922,6 +2059,7 @@ esp_err_t esp_ble_gap_enhanced_read_transmit_power_level(uint16_t conn_handle, e { btc_msg_t msg = {0}; btc_ble_5_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; @@ -1933,7 +2071,7 @@ esp_err_t esp_ble_gap_enhanced_read_transmit_power_level(uint16_t conn_handle, e arg.enh_read_trans_pwr_level.conn_handle = conn_handle; arg.enh_read_trans_pwr_level.phy = phy; - return (btc_transfer_context(&msg, &arg, sizeof(btc_ble_gap_args_t), NULL, NULL) + return (btc_transfer_context(&msg, &arg, sizeof(btc_ble_5_gap_args_t), NULL, NULL) == BT_STATUS_SUCCESS ? ESP_OK : ESP_FAIL); } @@ -1941,6 +2079,7 @@ esp_err_t esp_ble_gap_read_remote_transmit_power_level(uint16_t conn_handle, esp { btc_msg_t msg = {0}; btc_ble_5_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; @@ -1952,7 +2091,7 @@ esp_err_t esp_ble_gap_read_remote_transmit_power_level(uint16_t conn_handle, esp arg.read_rem_trans_pwr_level.conn_handle = conn_handle; arg.read_rem_trans_pwr_level.phy = phy; - return (btc_transfer_context(&msg, &arg, sizeof(btc_ble_gap_args_t), NULL, NULL) + return (btc_transfer_context(&msg, &arg, sizeof(btc_ble_5_gap_args_t), NULL, NULL) == BT_STATUS_SUCCESS ? ESP_OK : ESP_FAIL); } @@ -1960,6 +2099,7 @@ esp_err_t esp_ble_gap_set_path_loss_reporting_params(esp_ble_path_loss_rpt_param { btc_msg_t msg = {0}; btc_ble_5_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; @@ -1979,7 +2119,7 @@ esp_err_t esp_ble_gap_set_path_loss_reporting_params(esp_ble_path_loss_rpt_param arg.set_path_loss_rpt_params.low_hysteresis = path_loss_rpt_params->low_hysteresis; arg.set_path_loss_rpt_params.min_time_spent = path_loss_rpt_params->min_time_spent; - return (btc_transfer_context(&msg, &arg, sizeof(btc_ble_gap_args_t), NULL, NULL) + return (btc_transfer_context(&msg, &arg, sizeof(btc_ble_5_gap_args_t), NULL, NULL) == BT_STATUS_SUCCESS ? ESP_OK : ESP_FAIL); } @@ -1987,6 +2127,7 @@ esp_err_t esp_ble_gap_set_path_loss_reporting_enable(uint16_t conn_handle, bool { btc_msg_t msg = {0}; btc_ble_5_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; @@ -1998,7 +2139,7 @@ esp_err_t esp_ble_gap_set_path_loss_reporting_enable(uint16_t conn_handle, bool arg.set_path_loss_rpt_en.conn_handle = conn_handle; arg.set_path_loss_rpt_en.enable = enable; - return (btc_transfer_context(&msg, &arg, sizeof(btc_ble_gap_args_t), NULL, NULL) + return (btc_transfer_context(&msg, &arg, sizeof(btc_ble_5_gap_args_t), NULL, NULL) == BT_STATUS_SUCCESS ? ESP_OK : ESP_FAIL); } @@ -2006,6 +2147,7 @@ esp_err_t esp_ble_gap_set_transmit_power_reporting_enable(uint16_t conn_handle, { btc_msg_t msg = {0}; btc_ble_5_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; @@ -2018,7 +2160,7 @@ esp_err_t esp_ble_gap_set_transmit_power_reporting_enable(uint16_t conn_handle, arg.set_trans_pwr_rpting_en.local_enable = local_enable; arg.set_trans_pwr_rpting_en.remote_enable = remote_enable; - return (btc_transfer_context(&msg, &arg, sizeof(btc_ble_gap_args_t), NULL, NULL) + return (btc_transfer_context(&msg, &arg, sizeof(btc_ble_5_gap_args_t), NULL, NULL) == BT_STATUS_SUCCESS ? ESP_OK : ESP_FAIL); } @@ -2029,6 +2171,7 @@ esp_err_t esp_ble_gap_set_default_subrate(esp_ble_default_subrate_param_t *defau { btc_msg_t msg = {0}; btc_ble_5_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; @@ -2048,7 +2191,7 @@ esp_err_t esp_ble_gap_set_default_subrate(esp_ble_default_subrate_param_t *defau arg.default_subrate_param.continuation_number = default_subrate_params->continuation_number; arg.default_subrate_param.supervision_timeout = default_subrate_params->supervision_timeout; - return (btc_transfer_context(&msg, &arg, sizeof(btc_ble_gap_args_t), NULL, NULL) + return (btc_transfer_context(&msg, &arg, sizeof(btc_ble_5_gap_args_t), NULL, NULL) == BT_STATUS_SUCCESS ? ESP_OK : ESP_FAIL); } @@ -2056,6 +2199,7 @@ esp_err_t esp_ble_gap_subrate_request(esp_ble_subrate_req_param_t *subrate_req_p { btc_msg_t msg = {0}; btc_ble_5_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; @@ -2076,7 +2220,7 @@ esp_err_t esp_ble_gap_subrate_request(esp_ble_subrate_req_param_t *subrate_req_p arg.subrate_req_param.continuation_number = subrate_req_params->continuation_number; arg.subrate_req_param.supervision_timeout = subrate_req_params->supervision_timeout; - return (btc_transfer_context(&msg, &arg, sizeof(btc_ble_gap_args_t), NULL, NULL) + return (btc_transfer_context(&msg, &arg, sizeof(btc_ble_5_gap_args_t), NULL, NULL) == BT_STATUS_SUCCESS ? ESP_OK : ESP_FAIL); } #endif // #if (BLE_FEAT_CONN_SUBRATING == TRUE) @@ -2084,8 +2228,9 @@ esp_err_t esp_ble_gap_subrate_request(esp_ble_subrate_req_param_t *subrate_req_p #if (BLE_50_FEATURE_SUPPORT == TRUE) esp_err_t esp_ble_gap_set_host_feature(uint16_t bit_num, uint8_t bit_val) { - btc_msg_t msg; + btc_msg_t msg = {0}; btc_ble_5_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; @@ -2117,6 +2262,7 @@ esp_err_t esp_ble_gap_set_periodic_adv_subevent_data(esp_ble_per_adv_subevent_da { btc_msg_t msg = {0}; btc_ble_5_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; @@ -2146,7 +2292,7 @@ esp_err_t esp_ble_gap_set_periodic_adv_subevent_data(esp_ble_per_adv_subevent_da arg.per_adv_subevent_data_params.num_subevents_with_data = subevent_data_params->num_subevents_with_data; arg.per_adv_subevent_data_params.subevent_params = subevent_data_params->subevent_params; - return (btc_transfer_context(&msg, &arg, sizeof(btc_ble_gap_args_t), btc_gap_ble_arg_deep_copy, btc_gap_ble_arg_deep_free) + return (btc_transfer_context(&msg, &arg, sizeof(btc_ble_5_gap_args_t), btc_gap_ble_arg_deep_copy, btc_gap_ble_arg_deep_free) == BT_STATUS_SUCCESS ? ESP_OK : ESP_FAIL); } @@ -2154,6 +2300,7 @@ esp_err_t esp_ble_gap_set_periodic_adv_response_data(esp_ble_per_adv_response_da { btc_msg_t msg = {0}; btc_ble_5_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; @@ -2179,7 +2326,7 @@ esp_err_t esp_ble_gap_set_periodic_adv_response_data(esp_ble_per_adv_response_da arg.per_adv_response_data_params.response_data_len = rsp_data_params->response_data_len; arg.per_adv_response_data_params.response_data = rsp_data_params->response_data; - return (btc_transfer_context(&msg, &arg, sizeof(btc_ble_gap_args_t), btc_gap_ble_arg_deep_copy, btc_gap_ble_arg_deep_free) + return (btc_transfer_context(&msg, &arg, sizeof(btc_ble_5_gap_args_t), btc_gap_ble_arg_deep_copy, btc_gap_ble_arg_deep_free) == BT_STATUS_SUCCESS ? ESP_OK : ESP_FAIL); } @@ -2187,6 +2334,7 @@ esp_err_t esp_ble_gap_set_periodic_sync_subevent(esp_ble_per_sync_subevent_param { btc_msg_t msg = {0}; btc_ble_5_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; @@ -2209,7 +2357,7 @@ esp_err_t esp_ble_gap_set_periodic_sync_subevent(esp_ble_per_sync_subevent_param arg.per_sync_subevent_params.num_subevents_to_sync = sync_subevent_params->num_subevents_to_sync; arg.per_sync_subevent_params.subevent = sync_subevent_params->subevent; - return (btc_transfer_context(&msg, &arg, sizeof(btc_ble_gap_args_t), btc_gap_ble_arg_deep_copy, btc_gap_ble_arg_deep_free) + return (btc_transfer_context(&msg, &arg, sizeof(btc_ble_5_gap_args_t), btc_gap_ble_arg_deep_copy, btc_gap_ble_arg_deep_free) == BT_STATUS_SUCCESS ? ESP_OK : ESP_FAIL); } #endif // #if (BT_BLE_FEAT_PAWR_EN == TRUE) @@ -2235,6 +2383,7 @@ esp_err_t esp_ble_cs_read_remote_supported_capabilities(uint16_t conn_handle) { btc_msg_t msg = {0}; btc_ble_5_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; @@ -2307,6 +2456,7 @@ esp_err_t esp_ble_cs_security_enable(uint16_t conn_handle) { btc_msg_t msg = {0}; btc_ble_5_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; @@ -2357,6 +2507,7 @@ esp_err_t esp_ble_cs_read_remote_fae_table(uint16_t conn_handle) { btc_msg_t msg = {0}; btc_ble_5_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; @@ -2440,6 +2591,7 @@ esp_err_t esp_ble_cs_remove_config(esp_ble_cs_remove_config_params *remove_confi { btc_msg_t msg = {0}; btc_ble_5_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; @@ -2464,6 +2616,7 @@ esp_err_t esp_ble_cs_set_channel_classification(esp_ble_cs_set_channel_class_par { btc_msg_t msg = {0}; btc_ble_5_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; @@ -2487,6 +2640,7 @@ esp_err_t esp_ble_cs_set_procedure_params(esp_ble_cs_set_proc_params *procedure_ { btc_msg_t msg = {0}; btc_ble_5_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; @@ -2523,6 +2677,7 @@ esp_err_t esp_ble_cs_procedure_enable(esp_ble_cs_procedure_enable_params *proced { btc_msg_t msg = {0}; btc_ble_5_gap_args_t arg; + memset(&arg, 0, sizeof(arg)); if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { return ESP_ERR_INVALID_STATE; diff --git a/components/bt/host/bluedroid/api/esp_gatt_common_api.c b/components/bt/host/bluedroid/api/esp_gatt_common_api.c index d0f3b0e02a..9254b8d87a 100644 --- a/components/bt/host/bluedroid/api/esp_gatt_common_api.c +++ b/components/bt/host/bluedroid/api/esp_gatt_common_api.c @@ -25,6 +25,7 @@ esp_err_t esp_ble_gatt_set_local_mtu (uint16_t mtu) { btc_msg_t msg = {0}; btc_ble_gatt_com_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -54,6 +55,9 @@ extern UINT16 L2CA_GetFreePktBufferNum_LE(void); uint16_t esp_ble_get_sendable_packets_num (void) { + if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { + return 0; + } return L2CA_GetFreePktBufferNum_LE(); } @@ -70,6 +74,9 @@ uint16_t esp_ble_get_sendable_packets_num (void) extern UINT16 L2CA_GetCurFreePktBufferNum_LE(UINT16 conn_id); uint16_t esp_ble_get_cur_sendable_packets_num (uint16_t connid) { + if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { + return 0; + } return L2CA_GetCurFreePktBufferNum_LE(connid); } #endif diff --git a/components/bt/host/bluedroid/api/esp_gattc_api.c b/components/bt/host/bluedroid/api/esp_gattc_api.c index f54deb8ea2..c9c6fb8f46 100644 --- a/components/bt/host/bluedroid/api/esp_gattc_api.c +++ b/components/bt/host/bluedroid/api/esp_gattc_api.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2015-2026 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -31,6 +31,9 @@ esp_err_t esp_ble_gattc_register_callback(esp_gattc_cb_t callback) esp_gattc_cb_t esp_ble_gattc_get_callback(void) { + if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { + return NULL; + } return (esp_gattc_cb_t) btc_profile_cb_get(BTC_PID_GATTC); } @@ -38,6 +41,7 @@ esp_err_t esp_ble_gattc_app_register(uint16_t app_id) { btc_msg_t msg = {0}; btc_ble_gattc_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -57,6 +61,7 @@ esp_err_t esp_ble_gattc_app_unregister(esp_gatt_if_t gattc_if) { btc_msg_t msg = {0}; btc_ble_gattc_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -72,6 +77,7 @@ esp_err_t esp_ble_gattc_enh_open(esp_gatt_if_t gattc_if, esp_ble_gatt_creat_conn { btc_msg_t msg = {0}; btc_ble_gattc_args_t arg; + memset(&arg, 0, sizeof(arg)); const esp_ble_conn_params_t *conn_params; ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -216,6 +222,7 @@ esp_err_t esp_ble_gattc_aux_open_with_pawr_synced(esp_gatt_if_t gattc_if, esp_bl { btc_msg_t msg = {0}; btc_ble_gattc_args_t arg; + memset(&arg, 0, sizeof(arg)); const esp_ble_conn_params_t *conn_params; ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -315,6 +322,7 @@ esp_err_t esp_ble_gattc_close (esp_gatt_if_t gattc_if, uint16_t conn_id) { btc_msg_t msg = {0}; btc_ble_gattc_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -330,6 +338,7 @@ esp_err_t esp_ble_gattc_send_mtu_req (esp_gatt_if_t gattc_if, uint16_t conn_id) { btc_msg_t msg = {0}; btc_ble_gattc_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -345,6 +354,7 @@ esp_err_t esp_ble_gattc_search_service(esp_gatt_if_t gattc_if, uint16_t conn_id, { btc_msg_t msg = {0}; btc_ble_gattc_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -386,15 +396,16 @@ esp_gatt_status_t esp_ble_gattc_get_all_char(esp_gatt_if_t gattc_if, { ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); - if ((start_handle == 0) && (end_handle == 0)) { - *count = 0; - return ESP_GATT_INVALID_HANDLE; - } if (result == NULL || count == NULL || *count == 0) { return ESP_GATT_INVALID_PDU; } + if ((start_handle == 0) && (end_handle == 0)) { + *count = 0; + return ESP_GATT_INVALID_HANDLE; + } + uint16_t conn_hdl = BTC_GATT_CREATE_CONN_ID(gattc_if, conn_id); return btc_ble_gattc_get_all_char(conn_hdl, start_handle, end_handle, result, count, offset); } @@ -429,15 +440,15 @@ esp_gatt_status_t esp_ble_gattc_get_char_by_uuid(esp_gatt_if_t gattc_if, { ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); + if (result == NULL || count == NULL || *count == 0) { + return ESP_GATT_INVALID_PDU; + } + if (start_handle == 0 && end_handle == 0) { *count = 0; return ESP_GATT_INVALID_HANDLE; } - if (result == NULL || count == NULL || *count == 0) { - return ESP_GATT_INVALID_PDU; - } - uint16_t conn_hdl = BTC_GATT_CREATE_CONN_ID(gattc_if,conn_id); return btc_ble_gattc_get_char_by_uuid(conn_hdl, start_handle, end_handle, char_uuid, result, count); } @@ -471,15 +482,15 @@ esp_gatt_status_t esp_ble_gattc_get_descr_by_char_handle(esp_gatt_if_t gattc_if, { ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); + if (result == NULL || count == NULL || *count == 0) { + return ESP_GATT_INVALID_PDU; + } + if (char_handle == 0) { *count = 0; return ESP_GATT_INVALID_HANDLE; } - if (result == NULL || count == NULL || *count == 0) { - return ESP_GATT_INVALID_PDU; - } - uint16_t conn_hdl = BTC_GATT_CREATE_CONN_ID(gattc_if, conn_id); return btc_ble_gattc_get_descr_by_char_handle(conn_hdl, char_handle, descr_uuid, result, count); } @@ -494,15 +505,15 @@ esp_gatt_status_t esp_ble_gattc_get_include_service(esp_gatt_if_t gattc_if, { ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); + if (result == NULL || count == NULL || *count == 0) { + return ESP_GATT_INVALID_PDU; + } + if (start_handle == 0 && end_handle == 0) { *count = 0; return ESP_GATT_INVALID_HANDLE; } - if (result == NULL || count == NULL || *count == 0) { - return ESP_GATT_INVALID_PDU; - } - uint16_t conn_hdl = BTC_GATT_CREATE_CONN_ID(gattc_if, conn_id); return btc_ble_gattc_get_include_service(conn_hdl, start_handle, end_handle, incl_uuid, result, count); } @@ -517,15 +528,15 @@ esp_gatt_status_t esp_ble_gattc_get_attr_count(esp_gatt_if_t gattc_if, { ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); + if (count == NULL) { + return ESP_GATT_INVALID_PDU; + } + if ((start_handle == 0 && end_handle == 0) && (type != ESP_GATT_DB_DESCRIPTOR)) { *count = 0; return ESP_GATT_INVALID_HANDLE; } - if (count == NULL) { - return ESP_GATT_INVALID_PDU; - } - uint16_t conn_hdl = BTC_GATT_CREATE_CONN_ID(gattc_if, conn_id); return btc_ble_gattc_get_attr_count(conn_hdl, type, start_handle, end_handle, char_handle, count); } @@ -535,15 +546,16 @@ esp_gatt_status_t esp_ble_gattc_get_db(esp_gatt_if_t gattc_if, uint16_t conn_id, { ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); - if (start_handle == 0 && end_handle == 0) { - *count = 0; - return ESP_GATT_INVALID_HANDLE; - } if (db == NULL || count == NULL || *count == 0) { return ESP_GATT_INVALID_PDU; } + if (start_handle == 0 && end_handle == 0) { + *count = 0; + return ESP_GATT_INVALID_HANDLE; + } + uint16_t conn_hdl = BTC_GATT_CREATE_CONN_ID(gattc_if, conn_id); return btc_ble_gattc_get_db(conn_hdl, start_handle, end_handle, db, count); } @@ -555,6 +567,7 @@ esp_err_t esp_ble_gattc_read_char (esp_gatt_if_t gattc_if, { btc_msg_t msg = {0}; btc_ble_gattc_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); tGATT_TCB *p_tcb = gatt_get_tcb_by_idx(conn_id); @@ -591,6 +604,7 @@ esp_err_t esp_ble_gattc_read_by_type (esp_gatt_if_t gattc_if, { btc_msg_t msg = {0}; btc_ble_gattc_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -631,10 +645,11 @@ esp_err_t esp_ble_gattc_read_multiple(esp_gatt_if_t gattc_if, { btc_msg_t msg = {0}; btc_ble_gattc_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); - if (read_multi == NULL) { + if ((read_multi == NULL) || (read_multi->num_attr == 0) || (read_multi->num_attr > ESP_GATT_MAX_READ_MULTI_HANDLES)) { return ESP_ERR_INVALID_ARG; } @@ -656,12 +671,8 @@ esp_err_t esp_ble_gattc_read_multiple(esp_gatt_if_t gattc_if, arg.read_multiple.num_attr = read_multi->num_attr; arg.read_multiple.auth_req = auth_req; - if (read_multi->num_attr > 0) { - memcpy(arg.read_multiple.handles, read_multi->handles, sizeof(uint16_t)*read_multi->num_attr); - } else { - LOG_ERROR("%s(), the num_attr should not be 0.", __func__); - return ESP_FAIL; - } + memcpy(arg.read_multiple.handles, read_multi->handles, sizeof(uint16_t)*read_multi->num_attr); + return (btc_transfer_context(&msg, &arg, sizeof(btc_ble_gattc_args_t), NULL, NULL) == BT_STATUS_SUCCESS ? ESP_OK : ESP_FAIL); } @@ -671,10 +682,11 @@ esp_err_t esp_ble_gattc_read_multiple_variable(esp_gatt_if_t gattc_if, { btc_msg_t msg = {0}; btc_ble_gattc_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); - if (read_multi == NULL) { + if ((read_multi == NULL) || (read_multi->num_attr == 0) || (read_multi->num_attr > ESP_GATT_MAX_READ_MULTI_HANDLES)) { return ESP_ERR_INVALID_ARG; } @@ -695,13 +707,8 @@ esp_err_t esp_ble_gattc_read_multiple_variable(esp_gatt_if_t gattc_if, arg.read_multiple.conn_id = BTC_GATT_CREATE_CONN_ID(gattc_if, conn_id); arg.read_multiple.num_attr = read_multi->num_attr; arg.read_multiple.auth_req = auth_req; + memcpy(arg.read_multiple.handles, read_multi->handles, sizeof(uint16_t)*read_multi->num_attr); - if (read_multi->num_attr > 0) { - memcpy(arg.read_multiple.handles, read_multi->handles, sizeof(uint16_t)*read_multi->num_attr); - } else { - LOG_ERROR("%s(), the num_attr should not be 0.", __func__); - return ESP_FAIL; - } return (btc_transfer_context(&msg, &arg, sizeof(btc_ble_gattc_args_t), NULL, NULL) == BT_STATUS_SUCCESS ? ESP_OK : ESP_FAIL); } @@ -711,6 +718,7 @@ esp_err_t esp_ble_gattc_read_char_descr (esp_gatt_if_t gattc_if, { btc_msg_t msg = {0}; btc_ble_gattc_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -748,9 +756,14 @@ esp_err_t esp_ble_gattc_write_char(esp_gatt_if_t gattc_if, { btc_msg_t msg = {0}; btc_ble_gattc_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); + if(value == NULL || value_len == 0) { + return ESP_ERR_INVALID_ARG; + } + tGATT_TCB *p_tcb = gatt_get_tcb_by_idx(conn_id); if (!gatt_check_connection_state_by_tcb(p_tcb)) { LOG_WARN("%s, The connection not created.", __func__); @@ -791,6 +804,7 @@ esp_err_t esp_ble_gattc_write_char_descr (esp_gatt_if_t gattc_if, { btc_msg_t msg = {0}; btc_ble_gattc_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -834,6 +848,7 @@ esp_err_t esp_ble_gattc_prepare_write(esp_gatt_if_t gattc_if, { btc_msg_t msg = {0}; btc_ble_gattc_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -875,6 +890,7 @@ esp_err_t esp_ble_gattc_prepare_write_char_descr(esp_gatt_if_t gattc_if, { btc_msg_t msg = {0}; btc_ble_gattc_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -911,6 +927,7 @@ esp_err_t esp_ble_gattc_execute_write (esp_gatt_if_t gattc_if, uint16_t conn_id, { btc_msg_t msg = {0}; btc_ble_gattc_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -928,6 +945,7 @@ esp_err_t esp_ble_gattc_register_for_notify (esp_gatt_if_t gattc_if, { btc_msg_t msg = {0}; btc_ble_gattc_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -954,6 +972,7 @@ esp_err_t esp_ble_gattc_unregister_for_notify (esp_gatt_if_t gattc_if, { btc_msg_t msg = {0}; btc_ble_gattc_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -978,6 +997,7 @@ esp_err_t esp_ble_gattc_cache_refresh(esp_bd_addr_t remote_bda) { btc_msg_t msg = {0}; btc_ble_gattc_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -997,6 +1017,7 @@ esp_err_t esp_ble_gattc_cache_clean(esp_bd_addr_t remote_bda) { btc_msg_t msg = {0}; btc_ble_gattc_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -1016,6 +1037,7 @@ esp_err_t esp_ble_gattc_cache_assoc(esp_gatt_if_t gattc_if, esp_bd_addr_t src_ad { btc_msg_t msg = {0}; btc_ble_gattc_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -1038,6 +1060,7 @@ esp_err_t esp_ble_gattc_cache_get_addr_list(esp_gatt_if_t gattc_if) { btc_msg_t msg = {0}; btc_ble_gattc_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); diff --git a/components/bt/host/bluedroid/api/esp_gatts_api.c b/components/bt/host/bluedroid/api/esp_gatts_api.c index 1d7c696126..ceaf047875 100644 --- a/components/bt/host/bluedroid/api/esp_gatts_api.c +++ b/components/bt/host/bluedroid/api/esp_gatts_api.c @@ -31,6 +31,9 @@ esp_err_t esp_ble_gatts_register_callback(esp_gatts_cb_t callback) esp_gatts_cb_t esp_ble_gatts_get_callback(void) { + if (esp_bluedroid_get_status() != ESP_BLUEDROID_STATUS_ENABLED) { + return NULL; + } return (esp_gatts_cb_t) btc_profile_cb_get(BTC_PID_GATTS); } @@ -38,6 +41,7 @@ esp_err_t esp_ble_gatts_app_register(uint16_t app_id) { btc_msg_t msg = {0}; btc_ble_gatts_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -59,6 +63,7 @@ esp_err_t esp_ble_gatts_app_unregister(esp_gatt_if_t gatts_if) { btc_msg_t msg = {0}; btc_ble_gatts_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -75,6 +80,7 @@ esp_err_t esp_ble_gatts_create_service(esp_gatt_if_t gatts_if, { btc_msg_t msg = {0}; btc_ble_gatts_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -99,6 +105,7 @@ esp_err_t esp_ble_gatts_create_attr_tab(const esp_gatts_attr_db_t *gatts_attr_db { btc_msg_t msg = {0}; btc_ble_gatts_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -128,6 +135,7 @@ esp_err_t esp_ble_gatts_add_included_service(uint16_t service_handle, uint16_t i { btc_msg_t msg = {0}; btc_ble_gatts_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -147,6 +155,7 @@ esp_err_t esp_ble_gatts_add_char(uint16_t service_handle, esp_bt_uuid_t *char_ { btc_msg_t msg = {0}; btc_ble_gatts_args_t arg; + memset(&arg, 0, sizeof(arg)); esp_err_t status; ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -191,6 +200,7 @@ esp_err_t esp_ble_gatts_add_char_descr (uint16_t service_handle, { btc_msg_t msg = {0}; btc_ble_gatts_args_t arg; + memset(&arg, 0, sizeof(arg)); esp_err_t status; ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -231,6 +241,7 @@ esp_err_t esp_ble_gatts_delete_service(uint16_t service_handle) { btc_msg_t msg = {0}; btc_ble_gatts_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -246,6 +257,7 @@ esp_err_t esp_ble_gatts_start_service(uint16_t service_handle) { btc_msg_t msg = {0}; btc_ble_gatts_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -261,6 +273,7 @@ esp_err_t esp_ble_gatts_stop_service(uint16_t service_handle) { btc_msg_t msg = {0}; btc_ble_gatts_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -276,15 +289,20 @@ esp_err_t esp_ble_gatts_stop_service(uint16_t service_handle) esp_err_t esp_ble_gatts_send_indicate(esp_gatt_if_t gatts_if, uint16_t conn_id, uint16_t attr_handle, uint16_t value_len, uint8_t *value, bool need_confirm) { + ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); if (value_len > ESP_GATT_MAX_ATTR_LEN) { LOG_ERROR("%s, value_len > ESP_GATT_MAX_ATTR_LEN.", __func__); return ESP_ERR_INVALID_SIZE; } + if(value == NULL && value_len > 0) { + return ESP_ERR_INVALID_ARG; + } + btc_msg_t msg = {0}; btc_ble_gatts_args_t arg; + memset(&arg, 0, sizeof(arg)); - ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); tGATT_TCB *p_tcb = gatt_get_tcb_by_idx(conn_id); if (!gatt_check_connection_state_by_tcb(p_tcb)) { @@ -317,6 +335,9 @@ esp_err_t esp_ble_gatts_send_response(esp_gatt_if_t gatts_if, uint16_t conn_id, { btc_msg_t msg = {0}; btc_ble_gatts_args_t arg; + memset(&arg, 0, sizeof(arg)); + + // rsp may be NULL ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -342,6 +363,11 @@ esp_err_t esp_ble_gatts_set_attr_value(uint16_t attr_handle, uint16_t length, co { btc_msg_t msg = {0}; btc_ble_gatts_args_t arg; + memset(&arg, 0, sizeof(arg)); + + if(value == NULL && length > 0) { + return ESP_ERR_INVALID_ARG; + } ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -376,6 +402,7 @@ esp_err_t esp_ble_gatts_open(esp_gatt_if_t gatts_if, esp_bd_addr_t remote_bda, b { btc_msg_t msg = {0}; btc_ble_gatts_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -398,6 +425,7 @@ esp_err_t esp_ble_gatts_close(esp_gatt_if_t gatts_if, uint16_t conn_id) { btc_msg_t msg = {0}; btc_ble_gatts_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); @@ -414,6 +442,7 @@ esp_err_t esp_ble_gatts_send_service_change_indication(esp_gatt_if_t gatts_if, e { btc_msg_t msg = {0}; btc_ble_gatts_args_t arg; + memset(&arg, 0, sizeof(arg)); ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED); diff --git a/components/bt/host/bluedroid/api/include/api/esp_ble_iso_api.h b/components/bt/host/bluedroid/api/include/api/esp_ble_iso_api.h index 5531393e77..c2afa745c7 100644 --- a/components/bt/host/bluedroid/api/include/api/esp_ble_iso_api.h +++ b/components/bt/host/bluedroid/api/include/api/esp_ble_iso_api.h @@ -78,7 +78,7 @@ typedef enum { #define BLE_ISO_MAX_TRANSPORT_LATENCY_MIN (0x0005) #define BLE_ISO_MAX_TRANSPORT_LATENCY_MAX (0x0FA0) -#if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) typedef struct { uint8_t big_handle; /*!< Used to identify the BIG, value 0x00 to 0xEF */ uint8_t adv_handle; /*!< Used to identify the periodic advertising train, value 0x00 to 0xEF */ @@ -113,7 +113,7 @@ typedef struct { uint8_t broadcast_code[16]; /*!< The code used to derive the session key that is used to encrypt and decrypt BIS payloads */ } esp_ble_iso_big_creat_test_params_t; -#endif //#if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#endif //#if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) #if (BLE_FEAT_ISO_BIG_SYNCER_EN == TRUE) typedef struct { @@ -431,7 +431,7 @@ esp_ble_iso_cb_t esp_ble_iso_get_callback(void); -#if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) /** * @brief This function is called to create BIG. @@ -469,7 +469,7 @@ esp_err_t esp_ble_iso_create_big_test(esp_ble_iso_big_creat_test_params_t *big_c * */ esp_err_t esp_ble_iso_terminate_big(uint8_t big_handle, uint8_t reason); -#endif // #if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#endif // #if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) #if (BLE_FEAT_ISO_BIG_SYNCER_EN == TRUE) diff --git a/components/bt/host/bluedroid/api/include/api/esp_gap_ble_api.h b/components/bt/host/bluedroid/api/include/api/esp_gap_ble_api.h index 01c2be6b21..a9e6b9a6fc 100644 --- a/components/bt/host/bluedroid/api/include/api/esp_gap_ble_api.h +++ b/components/bt/host/bluedroid/api/include/api/esp_gap_ble_api.h @@ -2448,7 +2448,7 @@ typedef union { * @brief ESP_GAP_BLE_CS_READ_LOCAL_SUPP_CAPS_EVT */ struct ble_cs_read_local_supp_caps_evt { - uint8_t status; /*!< Indicate channel sounding read local supported capabilities command successfully completed */ + esp_bt_status_t status; /*!< Indicate channel sounding read local supported capabilities command successfully completed */ uint16_t conn_handle; /*!< Connection Handle */ uint8_t num_config_supported; /*!< Number of CS configurations supported per connection */ uint16_t max_consecutive_proc_supported; /*!< 0x0000: Support for both a fixed number of consecutive CS procedures and for an indefinite number of CS procedures until termination @@ -2515,7 +2515,7 @@ typedef union { * @brief ESP_GAP_BLE_CS_READ_REMOTE_SUPP_CAPS_CMPL_EVT */ struct ble_cs_read_remote_supp_caps { - uint8_t status; /*!< 0x00: Channel sounding read remote supported capabilities command successfully completed + esp_bt_status_t status; /*!< 0x00: Channel sounding read remote supported capabilities command successfully completed other: Channel sounding read remote supported capabilities command failed */ uint16_t conn_handle; /*!< Connection Handle */ uint8_t num_config_supported; /*!< Number of CS configurations supported per connection */ @@ -2578,7 +2578,7 @@ typedef union { * @brief ESP_GAP_BLE_CS_WRITE_CACHED_REMOTE_SUPP_CAPS_EVT */ struct ble_cs_write_cached_remote_supp_caps { - uint8_t status; /*!< 0x00: Channel sounding write cached remote FAE table command succeeded + esp_bt_status_t status; /*!< 0x00: Channel sounding write cached remote FAE table command succeeded 0x01: Channel sounding write cached remote FAE table command failed */ uint16_t conn_handle; /*!< Connection Handle */ } cs_write_cached_remote_supp_caps; /*!< Event parameter of ESP_GAP_BLE_CS_WRITE_CACHED_REMOTE_SUPP_CAPS_EVT */ @@ -2586,7 +2586,7 @@ typedef union { * @brief ESP_GAP_BLE_CS_SECURITY_ENABLE_CMPL_EVT */ struct ble_cs_security_enable { - uint8_t status; /*!< 0x00: Channel sounding security parameters successfully exchanged + esp_bt_status_t status; /*!< 0x00: Channel sounding security parameters successfully exchanged other: Channel sounding CS security parameter exchange failed */ uint16_t conn_handle; /*!< Connection Handle */ } cs_security_enable; /*!< Event parameter of ESP_GAP_BLE_CS_SECURITY_ENABLE_CMPL_EVT */ @@ -2594,7 +2594,7 @@ typedef union { * @brief ESP_GAP_BLE_CS_SET_DEFAULT_SETTINGS_EVT */ struct ble_cs_set_default_settings { - uint8_t status; /*!< 0x00: Channel sounding set default settings command successfully completed + esp_bt_status_t status; /*!< 0x00: Channel sounding set default settings command successfully completed other: Channel sounding set default settings command failed*/ uint16_t conn_handle; /*!< Connection Handle */ } cs_set_default_settings; /*!< Event parameter of ESP_GAP_BLE_CS_SET_DEFAULT_SETTINGS_EVT */ @@ -2602,7 +2602,7 @@ typedef union { * @brief ESP_GAP_BLE_CS_READ_REMOTE_FAE_TABLE_CMPL_EVT */ struct ble_cs_read_remote_fae_tab { - uint8_t status; /*!< 0x00: Channel sounding read remote FAE Table command successfully completed + esp_bt_status_t status; /*!< 0x00: Channel sounding read remote FAE Table command successfully completed other: Channel sounding read remote FAE Table command failed*/ uint16_t conn_handle; /*!< Connection Handle */ uint8_t remote_fae_table[72]; /*!< Per-channel mode-0 Frequency Actuation Error table of the remote Controller */ @@ -2611,7 +2611,7 @@ typedef union { * @brief ESP_GAP_BLE_CS_WRITE_CACHED_REMOTE_FAE_TABLE_EVT */ struct ble_cs_write_cached_remote_fae_tab { - uint8_t status; /*!< 0x00: Channel sounding write cached remote FAE table command succeeded + esp_bt_status_t status; /*!< 0x00: Channel sounding write cached remote FAE table command succeeded other: Channel sounding write cached remote FAE table command failed */ uint16_t conn_handle; /*!< Connection Handle */ } cs_write_cached_remote_fae_tab; /*!< Event parameter of ESP_GAP_BLE_CS_WRITE_CACHED_REMOTE_FAE_TABLE_EVT */ @@ -2619,7 +2619,7 @@ typedef union { * @brief ESP_GAP_BLE_CS_CONFIG_CMPL_EVT */ struct ble_cs_config_udpate { - uint8_t status; /*!< 0x00: Channel Sounding Configuration procedure succeeded + esp_bt_status_t status; /*!< 0x00: Channel Sounding Configuration procedure succeeded other: Channel Sounding Configuration procedure failed */ uint16_t conn_handle; /*!< Connection Handle */ uint8_t config_id; /*!< CS configuration identifier */ @@ -2680,7 +2680,7 @@ typedef union { * @brief ESP_GAP_BLE_CS_SET_PROC_PARAMS_CMPL_EVT */ struct ble_cs_set_proc_params { - uint8_t status; /*!< 0x00: Channel sounding set procedure_Parameters command successful + esp_bt_status_t status; /*!< 0x00: Channel sounding set procedure_Parameters command successful other: Channel sounding set procedure_Parameters command failed */ uint16_t conn_handle; /*!< Connection Handle */ } cs_set_proc_params; /*!< Event parameter of ESP_GAP_BLE_CS_SET_PROC_PARAMS_CMPL_EVT */ @@ -2688,14 +2688,14 @@ typedef union { * @brief ESP_GAP_BLE_CS_SET_CHANNEL_CLASS_CMPL_EVT */ struct ble_cs_set_channel_class { - uint8_t status; /*!< 0x00: Channel sounding set channel classification command successful + esp_bt_status_t status; /*!< 0x00: Channel sounding set channel classification command successful other: Channel sounding set channel classification command failed */ } cs_set_channel_class; /*!< Event parameter of ESP_GAP_BLE_CS_SET_CHANNEL_CLASS_CMPL_EVT */ /** * @brief ESP_GAP_BLE_CS_PROC_ENABLE_CMPL_EVT */ struct ble_cs_proc_enable { - uint8_t status; /*!< 0x00: Channel sounding procedure enable command successful + esp_bt_status_t status; /*!< 0x00: Channel sounding procedure enable command successful other: Channel sounding procedure enable command failed */ uint16_t conn_handle; /*!< Connection Handle */ uint8_t config_id; /*!< CS configuration identifier */ diff --git a/components/bt/host/bluedroid/bta/dm/bta_dm_act.c b/components/bt/host/bluedroid/bta/dm/bta_dm_act.c index 4f6f496a52..fb7fdc0954 100644 --- a/components/bt/host/bluedroid/bta/dm/bta_dm_act.c +++ b/components/bt/host/bluedroid/bta/dm/bta_dm_act.c @@ -305,6 +305,10 @@ void bta_dm_enable(tBTA_DM_MSG *p_data) sys_enable_event->hw_module = BTA_SYS_HW_BLUETOOTH; bta_sys_sendmsg(sys_enable_event); + } else { + // if malloc failed, restart + APPL_TRACE_ERROR("%s, failed to allocate memory for sys_enable_event", __func__); + assert(0); } } @@ -678,7 +682,11 @@ static void bta_dm_disable_timer_cback (TIMER_LIST_ENT *p_tle) #if (CLASSIC_BT_INCLUDED == TRUE) bta_sys_remove_uuid(UUID_SERVCLASS_PNP_INFORMATION); #endif // #if (CLASSIC_BT_INCLUDED == TRUE) - bta_dm_cb.p_sec_cback(BTA_DM_DISABLE_EVT, NULL); + if (bta_dm_cb.p_sec_cback) { + bta_dm_cb.p_sec_cback(BTA_DM_DISABLE_EVT, NULL); + } else { + APPL_TRACE_ERROR("%s, security callback is not registered", __func__); + } } } @@ -1147,6 +1155,7 @@ static void bta_dm_process_remove_device(BD_ADDR bd_addr, tBT_TRANSPORT transpor *******************************************************************************/ void bta_dm_remove_device(tBTA_DM_MSG *p_data) { + // p_data is not NULL, see BTA_DmRemoveDevice() tBTA_DM_API_REMOVE_DEVICE *p_dev = &p_data->remove_dev; if (p_dev == NULL) { return; @@ -3732,19 +3741,26 @@ void bta_dm_acl_change(tBTA_DM_MSG *p_data) conn.link_down.is_removed = bta_dm_cb.device_list.peer_device[i].remove_dev_pending; - for (; i < bta_dm_cb.device_list.count ; i++) { + /* Shift remaining devices down; use i + 1 < count to avoid UINT8 underflow when count is 0 */ + for (; i + 1 < bta_dm_cb.device_list.count; i++) { memcpy(&bta_dm_cb.device_list.peer_device[i], &bta_dm_cb.device_list.peer_device[i + 1], sizeof(bta_dm_cb.device_list.peer_device[i])); } + /* Clear empty slots to avoid residual old data */ + memset(&bta_dm_cb.device_list.peer_device[bta_dm_cb.device_list.count-1], 0, + sizeof(bta_dm_cb.device_list.peer_device[0])); + + if (bta_dm_cb.device_list.count) { + bta_dm_cb.device_list.count--; + } +#if BLE_INCLUDED == TRUE + if ((p_data->acl_change.transport == BT_TRANSPORT_LE) && + (bta_dm_cb.device_list.le_count)) { + bta_dm_cb.device_list.le_count--; + } +#endif break; } - if (bta_dm_cb.device_list.count) { - bta_dm_cb.device_list.count--; - } #if BLE_INCLUDED == TRUE - if ((p_data->acl_change.transport == BT_TRANSPORT_LE) && - (bta_dm_cb.device_list.le_count)) { - bta_dm_cb.device_list.le_count--; - } conn.link_down.link_type = p_data->acl_change.transport; #endif @@ -3937,23 +3953,34 @@ static BOOLEAN bta_dm_remove_sec_dev_entry(BD_ADDR remote_bd_addr) { BOOLEAN is_device_deleted = FALSE; UINT16 index = 0; + + for (index = 0; index < bta_dm_cb.device_list.count; index ++) { + if (!bdcmp( bta_dm_cb.device_list.peer_device[index].peer_bdaddr, remote_bd_addr)) { + break; + } + } + if ( BTM_IsAclConnectionUp(remote_bd_addr, BT_TRANSPORT_LE) || BTM_IsAclConnectionUp(remote_bd_addr, BT_TRANSPORT_BR_EDR)) { APPL_TRACE_DEBUG("%s ACL is not down. Schedule for Dev Removal when ACL closes", __FUNCTION__); BTM_SecClearSecurityFlags (remote_bd_addr); - for (index = 0; index < bta_dm_cb.device_list.count; index ++) { - if (!bdcmp( bta_dm_cb.device_list.peer_device[index].peer_bdaddr, remote_bd_addr)) { - break; - } - } + if (index != bta_dm_cb.device_list.count) { bta_dm_cb.device_list.peer_device[index].remove_dev_pending = TRUE; } else { APPL_TRACE_ERROR(" %s Device does not exist in DB", __FUNCTION__); } } else { - is_device_deleted = BTM_SecDeleteDevice (remote_bd_addr, bta_dm_cb.device_list.peer_device[index].transport); + tBT_TRANSPORT transport = BT_TRANSPORT_BR_EDR; + if (index != bta_dm_cb.device_list.count) { + transport = bta_dm_cb.device_list.peer_device[index].transport; + } else { + // if device not found, Set transport to invalid value, try to delete both BR/EDR and LE keys + transport = BT_TRANSPORT_INVALID; + APPL_TRACE_WARNING("%s Device does not exist", __FUNCTION__); + } + is_device_deleted = BTM_SecDeleteDevice (remote_bd_addr, transport); #if (BLE_INCLUDED == TRUE && GATTC_INCLUDED == TRUE) /* need to remove all pending background connection */ BTA_GATTC_CancelOpen(0, remote_bd_addr, FALSE); @@ -5023,7 +5050,7 @@ void bta_dm_add_ble_device (tBTA_DM_MSG *p_data) *******************************************************************************/ void bta_dm_ble_passkey_reply (tBTA_DM_MSG *p_data) { - if (p_data->pin_reply.accept) { + if (p_data->ble_passkey_reply.accept) { BTM_BlePasskeyReply(p_data->ble_passkey_reply.bd_addr, BTM_SUCCESS, p_data->ble_passkey_reply.passkey); } else { BTM_BlePasskeyReply(p_data->ble_passkey_reply.bd_addr, BTM_NOT_AUTHORIZED, p_data->ble_passkey_reply.passkey); @@ -5050,7 +5077,7 @@ void bta_dm_ble_confirm_reply (tBTA_DM_MSG *p_data) if (p_data->confirm.accept) { BTM_BleConfirmReply(p_data->confirm.bd_addr, BTM_SUCCESS); } else { - BTM_BleConfirmReply(p_data->ble_passkey_reply.bd_addr, BTM_NOT_AUTHORIZED); + BTM_BleConfirmReply(p_data->confirm.bd_addr, BTM_NOT_AUTHORIZED); } } @@ -5517,16 +5544,17 @@ void bta_dm_ble_set_data_length(tBTA_DM_MSG *p_data) void bta_dm_ble_advstop (tBTA_DM_MSG *p_data) { tBTA_STATUS status = BTA_FAILURE; - BOOLEAN start = p_data->ble_observe.start; + BOOLEAN start = p_data->ble_adv_action.start; - if (BTM_BleBroadcast(start, p_data->ble_observe.p_stop_adv_cback) == BTM_SUCCESS) { - status = BTA_SUCCESS; + tBTM_STATUS btm_status = BTM_BleBroadcast(start, p_data->ble_adv_action.p_stop_adv_cback); + if (btm_status == BTM_SUCCESS) { + status = BTA_SUCCESS; } else { APPL_TRACE_ERROR("%s failed\n", __FUNCTION__); } - if (p_data->ble_observe.p_stop_adv_cback){ - (*p_data->ble_observe.p_stop_adv_cback)(status); + if (p_data->ble_adv_action.p_stop_adv_cback){ + (*p_data->ble_adv_action.p_stop_adv_cback)(status); } } @@ -5813,7 +5841,7 @@ void bta_dm_ble_gap_set_periodic_adv_sync_trans_params(tBTA_DM_MSG *p_data) #endif // #if (BLE_FEAT_PERIODIC_ADV_SYNC_TRANSFER == TRUE) #if (BLE_FEAT_ISO_EN == TRUE) -#if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) void bta_dm_ble_big_create(tBTA_DM_MSG *p_data) { APPL_TRACE_API("%s", __func__); @@ -5841,7 +5869,7 @@ void bta_dm_ble_big_terminate(tBTA_DM_MSG *p_data) tBTA_DM_BLE_BIG_TERMINATE_PARAMS param = p_data->big_terminate.big_terminate_param; BTM_BleBigTerminate(param.big_handle, param.reason); } -#endif // #if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#endif // #if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) #if (BLE_FEAT_ISO_BIG_SYNCER_EN == TRUE) void bta_dm_ble_big_sync_create(tBTA_DM_MSG *p_data) @@ -6293,7 +6321,7 @@ static void bta_dm_gatt_disc_complete(UINT16 conn_id, tBTA_GATT_STATUS status) p_msg->disc_result.result.disc_res.raw_data_size = bta_dm_search_cb.ble_raw_used; } else { p_msg->disc_result.result.disc_res.p_raw_data = NULL; - bta_dm_search_cb.p_ble_rawdata = 0; + bta_dm_search_cb.p_ble_rawdata = NULL; } bta_sys_sendmsg(p_msg); diff --git a/components/bt/host/bluedroid/bta/dm/bta_dm_api.c b/components/bt/host/bluedroid/bta/dm/bta_dm_api.c index aaf0d8864f..9279591c56 100644 --- a/components/bt/host/bluedroid/bta/dm/bta_dm_api.c +++ b/components/bt/host/bluedroid/bta/dm/bta_dm_api.c @@ -868,11 +868,13 @@ void BTA_DmSecureConnectionOobReply(BD_ADDR bd_addr, UINT8 *p_c, UINT8 *p_r) { tBTA_DM_API_SC_OOB_REPLY *p_msg; - if ((p_msg = (tBTA_DM_API_SC_OOB_REPLY *) osi_malloc(sizeof(tBTA_DM_API_OOB_REPLY))) != NULL) { + if((p_c == NULL) || (p_r == NULL)) { + APPL_TRACE_ERROR("%s, p_c or p_r is NULL", __func__); + return; + } + + if ((p_msg = (tBTA_DM_API_SC_OOB_REPLY *) osi_malloc(sizeof(tBTA_DM_API_SC_OOB_REPLY))) != NULL) { p_msg->hdr.event = BTA_DM_API_SC_OOB_REPLY_EVT; - if((p_c == NULL) || (p_r == NULL)) { - return; - } memcpy(p_msg->bd_addr, bd_addr, BD_ADDR_LEN); memcpy(p_msg->c, p_c, BT_OCTET16_LEN); memcpy(p_msg->r, p_r, BT_OCTET16_LEN); @@ -1630,12 +1632,12 @@ void BTA_DmUpdateDuplicateExceptionalList(UINT8 subcode, UINT32 type, BD_ADDR de *******************************************************************************/ extern void BTA_DmBleAdvStop (BOOLEAN start, tBTA_START_STOP_ADV_CMPL_CBACK *p_start_stop_adv_cb) { - tBTA_DM_API_BLE_OBSERVE *p_msg; + tBTA_DM_API_BLE_ADVACTION *p_msg; APPL_TRACE_API("BTA_DmBleAdvStop: start = %d \n", start); - if ((p_msg = (tBTA_DM_API_BLE_OBSERVE *) osi_malloc(sizeof(tBTA_DM_API_BLE_OBSERVE))) != NULL) { - memset(p_msg, 0, sizeof(tBTA_DM_API_BLE_OBSERVE)); + if ((p_msg = (tBTA_DM_API_BLE_ADVACTION *) osi_malloc(sizeof(tBTA_DM_API_BLE_ADVACTION))) != NULL) { + memset(p_msg, 0, sizeof(tBTA_DM_API_BLE_ADVACTION)); p_msg->hdr.event = BTA_DM_API_BLE_ADVSTOP_EVT; p_msg->start = start; @@ -2837,9 +2839,10 @@ void BTA_DmBleGapPeriodicAdvCfgDataRaw(UINT8 instance, UINT16 length, p_msg->hdr.event = BTA_DM_API_PERIODIC_ADV_CFG_DATA_EVT; p_msg->instance = instance; p_msg->length = length; - p_msg->data = (UINT8 *)(p_msg + 1); - memcpy(p_msg->data, data, length); - p_msg->data = length != 0 ? (UINT8 *)(p_msg + 1) : NULL; + p_msg->data = (length != 0) ? (UINT8 *)(p_msg + 1) : NULL; + if (data && length) { + memcpy(p_msg->data, data, length); + } p_msg->only_update_did = only_update_did; //start sent the msg to the bta system control module bta_sys_sendmsg(p_msg); @@ -3165,7 +3168,7 @@ void BTA_DmBleGapSetPeriodicAdvSyncTransParams(BD_ADDR peer_addr, tBTA_DM_BLE_PA #endif // #if (BLE_FEAT_PERIODIC_ADV_SYNC_TRANSFER == TRUE) #if (BLE_FEAT_ISO_EN == TRUE) -#if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) void BTA_DmBleGapIsoBigCreate(tBTA_DM_BLE_BIG_CREATE_PARAMS *p_big_creat_param) { tBTA_DM_API_BIG_CREATE *p_msg; @@ -3240,7 +3243,7 @@ void BTA_DmBleGapIsoBigTerminate(tBTA_DM_BLE_BIG_TERMINATE_PARAMS *p_big_termina APPL_TRACE_ERROR("%s malloc failed", __func__); } } -#endif // #if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#endif // #if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) #if (BLE_FEAT_ISO_BIG_SYNCER_EN == TRUE) void BTA_DmBleGapIsoBigSyncCreate(tBTA_DM_BLE_BIG_SYNC_CREATE_PARAMS *p_big_sync_param) @@ -3500,7 +3503,7 @@ void BTA_DmBleCteSetConnectionlessTransParams(uint8_t adv_handle, uint8_t cte_le p_buf->cte_count = cte_count; p_buf->switching_pattern_len = switching_pattern_len; p_buf->antenna_ids = (switching_pattern_len != 0) ? (UINT8 *)(p_buf + 1) : NULL; - if (switching_pattern_len) { + if (switching_pattern_len && antenna_ids) { memcpy(p_buf->antenna_ids, antenna_ids, switching_pattern_len); } //start sent the msg to the bta system control module @@ -3544,7 +3547,7 @@ void BTA_DmBleCteSetConnectionlessIqSamplingEnable(uint16_t sync_handle, uint8_t p_buf->max_sampled_ctes = max_sampled_ctes; p_buf->switching_pattern_len = switching_pattern_len; p_buf->antenna_ids = (switching_pattern_len != 0) ? (UINT8 *)(p_buf + 1) : NULL; - if (switching_pattern_len) { + if (switching_pattern_len && ant_ids) { memcpy(p_buf->antenna_ids, ant_ids, switching_pattern_len); } // start sent the msg to the bta system control module @@ -3571,7 +3574,7 @@ void BTA_DmBleCteSetConnectionReceiveParams(uint16_t conn_handle, uint8_t sampli p_buf->slot_dur = slot_dur; p_buf->switching_pattern_len = switching_pattern_len; p_buf->antenna_ids = (switching_pattern_len != 0) ? (UINT8 *)(p_buf + 1) : NULL; - if (switching_pattern_len) { + if (switching_pattern_len && ant_ids) { memcpy(p_buf->antenna_ids, ant_ids, switching_pattern_len); } // start sent the msg to the bta system control module @@ -3594,7 +3597,7 @@ void BTA_DmBleCteSetConnectionTransParams(uint16_t conn_handle, uint8_t cte_type p_buf->cte_types = cte_types; p_buf->switching_pattern_len = switching_pattern_len; p_buf->antenna_ids = (switching_pattern_len != 0) ? (UINT8 *)(p_buf + 1) : NULL; - if (switching_pattern_len) { + if (switching_pattern_len && ant_ids) { memcpy(p_buf->antenna_ids, ant_ids, switching_pattern_len); } // start sent the msg to the bta system control module diff --git a/components/bt/host/bluedroid/bta/dm/bta_dm_main.c b/components/bt/host/bluedroid/bta/dm/bta_dm_main.c index 6d86d41be3..6890c430fe 100644 --- a/components/bt/host/bluedroid/bta/dm/bta_dm_main.c +++ b/components/bt/host/bluedroid/bta/dm/bta_dm_main.c @@ -238,11 +238,11 @@ const tBTA_DM_ACTION bta_dm_action[BTA_DM_MAX_EVT] = { bta_dm_read_ble_channel_map, /* BTA_DM_API_BLE_READ_CH_MAP_EVT */ #endif #if (BLE_FEAT_ISO_EN == TRUE) -#if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) bta_dm_ble_big_create, /* BTA_DM_API_ISO_BIG_CREATE_EVT */ bta_dm_ble_big_create_test, /* BTA_DM_API_ISO_BIG_CREATE_TEST_EVT */ bta_dm_ble_big_terminate, /* BTA_DM_API_ISO_BIG_TERMINATE_EVT */ -#endif// #if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#endif// #if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) #if (BLE_FEAT_ISO_BIG_SYNCER_EN == TRUE) bta_dm_ble_big_sync_create, /* BTA_DM_API_ISO_BIG_SYNC_CREATE_EVT */ bta_dm_ble_big_sync_terminate, /* BTA_DM_API_ISO_BIG_SYNC_TERMINATE_EVT */ diff --git a/components/bt/host/bluedroid/bta/dm/include/bta_dm_int.h b/components/bt/host/bluedroid/bta/dm/include/bta_dm_int.h index f4498b54da..f75070cd39 100644 --- a/components/bt/host/bluedroid/bta/dm/include/bta_dm_int.h +++ b/components/bt/host/bluedroid/bta/dm/include/bta_dm_int.h @@ -231,11 +231,11 @@ enum { BTA_DM_API_BLE_READ_CH_MAP_EVT, #endif #if (BLE_FEAT_ISO_EN == TRUE) -#if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) BTA_DM_API_ISO_BIG_CREATE_EVT, BTA_DM_API_ISO_BIG_CREATE_TEST_EVT, BTA_DM_API_ISO_BIG_TERMINATE_EVT, -#endif // #if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#endif // #if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) #if (BLE_FEAT_ISO_BIG_SYNCER_EN == TRUE) BTA_DM_API_ISO_BIG_SYNC_CREATE_EVT, BTA_DM_API_ISO_BIG_SYNC_TERMINATE_EVT, @@ -824,12 +824,8 @@ typedef struct { typedef struct { BT_HDR hdr; BOOLEAN start; - UINT32 duration; - tBTA_DM_SEARCH_CBACK *p_cback; - tBTA_START_STOP_SCAN_CMPL_CBACK *p_start_scan_cback; - tBTA_START_STOP_SCAN_CMPL_CBACK *p_stop_scan_cback; tBTA_START_STOP_ADV_CMPL_CBACK *p_stop_adv_cback; -} tBTA_DM_API_BLE_OBSERVE; +} tBTA_DM_API_BLE_ADVACTION; /* Data type for start/stop scan */ typedef struct { @@ -839,7 +835,6 @@ typedef struct { tBTA_DM_SEARCH_CBACK *p_cback; tBTA_START_STOP_SCAN_CMPL_CBACK *p_start_scan_cback; tBTA_START_STOP_SCAN_CMPL_CBACK *p_stop_scan_cback; - tBTA_START_STOP_ADV_CMPL_CBACK *p_stop_adv_cback; } tBTA_DM_API_BLE_SCAN; typedef struct { @@ -1389,7 +1384,7 @@ typedef struct { #endif // #if (BLE_FEAT_PERIODIC_ADV_SYNC_TRANSFER == TRUE) #if (BLE_FEAT_ISO_EN == TRUE) -#if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) typedef struct { BT_HDR hdr; tBTA_DM_BLE_BIG_CREATE_PARAMS big_creat_param; @@ -1402,7 +1397,7 @@ typedef struct { BT_HDR hdr; tBTA_DM_BLE_BIG_TERMINATE_PARAMS big_terminate_param; } tBTA_DM_API_BIG_TERMINATE; -#endif // #if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#endif // #if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) #if (BLE_FEAT_ISO_BIG_SYNCER_EN == TRUE) typedef struct { BT_HDR hdr; @@ -1690,7 +1685,7 @@ typedef union { tBTA_DM_API_BLE_SET_BG_CONN_TYPE ble_set_bd_conn_type; tBTA_DM_API_BLE_CONN_PARAMS ble_set_conn_params; tBTA_DM_API_BLE_SCAN_FILTER_PARAMS ble_set_scan_fil_params; - tBTA_DM_API_BLE_OBSERVE ble_observe; + tBTA_DM_API_BLE_ADVACTION ble_adv_action; tBTA_DM_API_BLE_SCAN ble_scan; tBTA_DM_API_ENABLE_PRIVACY ble_remote_privacy; tBTA_DM_API_LOCAL_PRIVACY ble_local_privacy; @@ -1763,11 +1758,11 @@ typedef union { tBTA_DM_API_BLE_SET_VENDOR_EVT_MASK ble_set_vendor_evt_mask; #endif #if (BLE_FEAT_ISO_EN == TRUE) -#if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) tBTA_DM_API_BIG_CREATE big_creat; tBTA_DM_API_BIG_CREATE_TEST big_creat_test; tBTA_DM_API_BIG_TERMINATE big_terminate; -#endif // #if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#endif // #if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) #if (BLE_FEAT_ISO_BIG_SYNCER_EN == TRUE) tBTA_DM_API_BIG_SYNC_CREATE big_sync; tBTA_DM_API_BIG_SYNC_TERMINATE big_sync_terminate; @@ -2415,11 +2410,11 @@ extern void bta_dm_ble_gap_set_periodic_adv_sync_trans_params(tBTA_DM_MSG *p_dat #endif // #if (BLE_FEAT_PERIODIC_ADV_SYNC_TRANSFER == TRUE) #if (BLE_FEAT_ISO_EN == TRUE) -#if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) extern void bta_dm_ble_big_create(tBTA_DM_MSG *p_data); extern void bta_dm_ble_big_create_test(tBTA_DM_MSG *p_data); extern void bta_dm_ble_big_terminate(tBTA_DM_MSG *p_data); -#endif // #if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#endif // #if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) #if (BLE_FEAT_ISO_BIG_SYNCER_EN == TRUE) extern void bta_dm_ble_big_sync_create(tBTA_DM_MSG *p_data); extern void bta_dm_ble_big_sync_terminate(tBTA_DM_MSG *p_data); diff --git a/components/bt/host/bluedroid/bta/gatt/bta_gatt_common.c b/components/bt/host/bluedroid/bta/gatt/bta_gatt_common.c index 81cee87767..2b8ecd72c9 100644 --- a/components/bt/host/bluedroid/bta/gatt/bta_gatt_common.c +++ b/components/bt/host/bluedroid/bta/gatt/bta_gatt_common.c @@ -16,6 +16,10 @@ void BTA_GATT_SetLocalMTU(uint16_t mtu) { + if (mtu < GATT_DEF_BLE_MTU_SIZE || mtu > GATT_MAX_MTU_SIZE) { + APPL_TRACE_ERROR("%s: invalid mtu=%u", __func__, mtu); + return; + } gatt_set_local_mtu(mtu); } diff --git a/components/bt/host/bluedroid/bta/gatt/bta_gattc_act.c b/components/bt/host/bluedroid/bta/gatt/bta_gattc_act.c index e808dc9f54..61983b3c4c 100644 --- a/components/bt/host/bluedroid/bta/gatt/bta_gattc_act.c +++ b/components/bt/host/bluedroid/bta/gatt/bta_gattc_act.c @@ -38,10 +38,6 @@ #include "bta_hh_int.h" #include "btm_int.h" -#if (defined BTA_HH_LE_INCLUDED && BTA_HH_LE_INCLUDED == TRUE) -#include "bta_hh_int.h" -#endif - // #include "btif/include/btif_debug_conn.h" #include @@ -290,12 +286,21 @@ void bta_gattc_deregister(tBTA_GATTC_CB *p_cb, tBTA_GATTC_RCB *p_clreg) /* remove bg connection associated with this rcb */ for (i = 0; i < BTA_GATTC_KNOWN_SR_MAX; i ++) { if (p_cb->bg_track[i].in_use) { - if (p_cb->bg_track[i].cif_mask & (1 << (p_clreg->client_if - 1))) { - bta_gattc_mark_bg_conn(p_clreg->client_if, p_cb->bg_track[i].remote_bda, FALSE, FALSE); - GATT_CancelConnect(p_clreg->client_if, p_cb->bg_track[i].remote_bda, FALSE); + if (p_cb->bg_track[i].cif_mask & BTA_GATTC_CIF_MASK_BIT(p_clreg->client_if)) { + /* bta_gattc_mark_bg_conn is called to remove the application's bit from the mask. + If this was the last application interested in the device, + bta_gattc_mark_bg_conn zeroes out the entire track entry using memset + */ + BD_ADDR remote_bda; + bdcpy(remote_bda, p_cb->bg_track[i].remote_bda); + bta_gattc_mark_bg_conn(p_clreg->client_if, remote_bda, FALSE, FALSE); + GATT_CancelConnect(p_clreg->client_if, remote_bda, FALSE); } - if (p_cb->bg_track[i].cif_adv_mask & (1 << (p_clreg->client_if - 1))) { - bta_gattc_mark_bg_conn(p_clreg->client_if, p_cb->bg_track[i].remote_bda, FALSE, TRUE); + if (p_cb->bg_track[i].cif_adv_mask & BTA_GATTC_CIF_MASK_BIT(p_clreg->client_if)) { + BD_ADDR remote_bda_adv; + bdcpy(remote_bda_adv, p_cb->bg_track[i].remote_bda); + bta_gattc_mark_bg_conn(p_clreg->client_if, remote_bda_adv, FALSE, TRUE); + GATT_CancelConnect(p_clreg->client_if, remote_bda_adv, FALSE); } } } @@ -450,28 +455,6 @@ void bta_gattc_cancel_open_error(tBTA_GATTC_CLCB *p_clcb, tBTA_GATTC_DATA *p_dat } } -/******************************************************************************* -** -** Function bta_gattc_open_error -** -** Description -** -** Returns void -** -*******************************************************************************/ -void bta_gattc_open_error(tBTA_GATTC_CLCB *p_clcb, tBTA_GATTC_DATA *p_data) -{ - UNUSED(p_data); - - APPL_TRACE_ERROR("Connection already opened. wrong state"); - - bta_gattc_send_open_cback(p_clcb->p_rcb, - BTA_GATT_OK, - p_clcb->bda, - p_clcb->bta_conn_id, - p_clcb->transport, - 0); -} /******************************************************************************* ** ** Function bta_gattc_open_fail @@ -713,6 +696,18 @@ void bta_gattc_cancel_open(tBTA_GATTC_CLCB *p_clcb, tBTA_GATTC_DATA *p_data) void bta_gattc_conn(tBTA_GATTC_CLCB *p_clcb, tBTA_GATTC_DATA *p_data) { tBTA_GATTC_IF gatt_if; + if (p_clcb->p_srcb == NULL) { + APPL_TRACE_ERROR("%s, p_clcb->p_srcb is NULL", __func__); + if (p_clcb->p_rcb) { + bta_gattc_send_open_cback(p_clcb->p_rcb, + BTA_GATT_ERROR, + p_clcb->bda, + p_clcb->bta_conn_id, + p_clcb->transport, + GATT_DEF_BLE_MTU_SIZE); + } + return; + } APPL_TRACE_DEBUG("bta_gattc_conn server cache state=%d", p_clcb->p_srcb->state); if (p_data != NULL) { @@ -861,6 +856,10 @@ void bta_gattc_close_fail(tBTA_GATTC_CLCB *p_clcb, tBTA_GATTC_DATA *p_data) *******************************************************************************/ void bta_gattc_close(tBTA_GATTC_CLCB *p_clcb, tBTA_GATTC_DATA *p_data) { + if (!p_clcb || !p_clcb->p_rcb) { + APPL_TRACE_ERROR("%s, p_clcb or p_clcb->p_rcb is NULL", __func__); + return; + } tBTA_GATTC_CBACK *p_cback = p_clcb->p_rcb->p_cback; tBTA_GATTC_RCB *p_clreg = p_clcb->p_rcb; tBTA_GATTC cb_data; @@ -1096,6 +1095,11 @@ void bta_gattc_disc_cmpl(tBTA_GATTC_CLCB *p_clcb, tBTA_GATTC_DATA *p_data) APPL_TRACE_DEBUG("bta_gattc_disc_cmpl conn_id=%d, status = %d", p_clcb->bta_conn_id, p_clcb->status); + if (p_clcb->p_srcb == NULL) { + APPL_TRACE_ERROR("%s, p_clcb->p_srcb is NULL", __func__); + return; + } + p_clcb->p_srcb->state = BTA_GATTC_SERV_IDLE; p_clcb->disc_active = FALSE; @@ -1214,16 +1218,13 @@ void bta_gattc_read_multi(tBTA_GATTC_CLCB *p_clcb, tBTA_GATTC_DATA *p_data) if (bta_gattc_enqueue(p_clcb, p_data)) { memset(&read_param, 0, sizeof(tGATT_READ_PARAM)); - if (status == BTA_GATT_OK) { - read_param.read_multiple.num_handles = p_data->api_read_multi.num_attr; - read_param.read_multiple.auth_req = p_data->api_read_multi.auth_req; - memcpy(&read_param.read_multiple.handles, p_data->api_read_multi.handles, - sizeof(UINT16) * p_data->api_read_multi.num_attr); + read_param.read_multiple.num_handles = p_data->api_read_multi.num_attr; + read_param.read_multiple.auth_req = p_data->api_read_multi.auth_req; + memcpy(&read_param.read_multiple.handles, p_data->api_read_multi.handles, + sizeof(UINT16) * p_data->api_read_multi.num_attr); - status = GATTC_Read(p_clcb->bta_conn_id, GATT_READ_MULTIPLE, &read_param); - } + status = GATTC_Read(p_clcb->bta_conn_id, GATT_READ_MULTIPLE, &read_param); - /* read fail */ if (status != BTA_GATT_OK) { bta_gattc_cmpl_sendmsg(p_clcb->bta_conn_id, GATTC_OPTYPE_READ, status, NULL); } @@ -1245,16 +1246,13 @@ void bta_gattc_read_multi_var(tBTA_GATTC_CLCB *p_clcb, tBTA_GATTC_DATA *p_data) if (bta_gattc_enqueue(p_clcb, p_data)) { memset(&read_param, 0, sizeof(tGATT_READ_PARAM)); - if (status == BTA_GATT_OK) { - read_param.read_multiple.num_handles = p_data->api_read_multi.num_attr; - read_param.read_multiple.auth_req = p_data->api_read_multi.auth_req; - memcpy(&read_param.read_multiple.handles, p_data->api_read_multi.handles, - sizeof(UINT16) * p_data->api_read_multi.num_attr); + read_param.read_multiple.num_handles = p_data->api_read_multi.num_attr; + read_param.read_multiple.auth_req = p_data->api_read_multi.auth_req; + memcpy(&read_param.read_multiple.handles, p_data->api_read_multi.handles, + sizeof(UINT16) * p_data->api_read_multi.num_attr); - status = GATTC_Read(p_clcb->bta_conn_id, GATT_READ_MULTIPLE_VAR, &read_param); - } + status = GATTC_Read(p_clcb->bta_conn_id, GATT_READ_MULTIPLE_VAR, &read_param); - /* read fail */ if (status != BTA_GATT_OK) { bta_gattc_cmpl_sendmsg(p_clcb->bta_conn_id, GATTC_OPTYPE_READ, status, NULL); } @@ -1364,6 +1362,11 @@ void bta_gattc_read_cmpl(tBTA_GATTC_CLCB *p_clcb, tBTA_GATTC_OP_CMPL *p_data) tBTA_GATTC cb_data; tBTA_GATT_UNFMT read_value; + if (p_clcb->p_q_cmd == NULL) { + APPL_TRACE_ERROR("%s, p_clcb->p_q_cmd is NULL", __func__); + return; + } + memset(&cb_data, 0, sizeof(tBTA_GATTC)); memset(&read_value, 0, sizeof(tBTA_GATT_UNFMT)); @@ -1406,6 +1409,18 @@ void bta_gattc_write_cmpl(tBTA_GATTC_CLCB *p_clcb, tBTA_GATTC_OP_CMPL *p_data) { tBTA_GATTC cb_data = {0}; UINT8 event; + if (p_data->p_cmpl == NULL) { + APPL_TRACE_ERROR("%s, p_data->p_cmpl is NULL", __func__); + UINT16 handle = p_clcb->p_q_cmd->api_write.handle; + tBTA_GATTC_EVT cmpl_evt = p_clcb->p_q_cmd->api_write.cmpl_evt; + bta_gattc_free_command_data(p_clcb); + bta_gattc_pop_command_to_send(p_clcb); + cb_data.write.status = BTA_GATT_ERROR; + cb_data.write.handle = handle; + cb_data.write.conn_id = p_clcb->bta_conn_id; + ( *p_clcb->p_rcb->p_cback)(cmpl_evt, (tBTA_GATTC *)&cb_data); + return; + } tBTA_GATTC_CONN *p_conn = bta_gattc_conn_find(p_clcb->bda); memset(&cb_data, 0, sizeof(tBTA_GATTC)); @@ -1414,6 +1429,17 @@ void bta_gattc_write_cmpl(tBTA_GATTC_CLCB *p_clcb, tBTA_GATTC_OP_CMPL *p_data) cb_data.write.handle = p_data->p_cmpl->att_value.handle; if (p_clcb->p_q_cmd->api_write.hdr.event == BTA_GATTC_API_WRITE_EVT && p_clcb->p_q_cmd->api_write.write_type == BTA_GATTC_WRITE_PREPARE) { + // Check if the parameters are valid + // should not happen, but just in case + if (p_clcb->p_q_cmd->api_write.p_value == NULL) { + APPL_TRACE_ERROR("%s, p_clcb->p_q_cmd->api_write.p_value is NULL", __func__); + bta_gattc_free_command_data(p_clcb); + bta_gattc_pop_command_to_send(p_clcb); + cb_data.write.status = BTA_GATT_ERROR; + cb_data.write.conn_id = p_clcb->bta_conn_id; + ( *p_clcb->p_rcb->p_cback)(BTA_GATTC_PREP_WRITE_EVT, (tBTA_GATTC *)&cb_data); + return; + } // Should check the value received from the peer device is correct or not. if (memcmp(p_clcb->p_q_cmd->api_write.p_value, p_data->p_cmpl->att_value.value, p_data->p_cmpl->att_value.len) != 0) { @@ -1509,6 +1535,13 @@ void bta_gattc_op_cmpl(tBTA_GATTC_CLCB *p_clcb, tBTA_GATTC_DATA *p_data) APPL_TRACE_DEBUG("bta_gattc_op_cmpl op = %d", op); + // Check if the operation is valid + // should not happen, but just in case + if (op > GATTC_OPTYPE_INDICATION) { + APPL_TRACE_ERROR("unexpected operation, ignored"); + return; + } + if (op == GATTC_OPTYPE_INDICATION || op == GATTC_OPTYPE_NOTIFICATION) { APPL_TRACE_ERROR("unexpected operation, ignored"); } else if (op >= GATTC_OPTYPE_READ) { @@ -1893,49 +1926,30 @@ void bta_gattc_process_api_cache_assoc(tBTA_GATTC_CB *p_cb, tBTA_GATTC_DATA *p_m { tBTA_GATTC gattc_cb = {0}; gattc_cb.set_assoc.client_if = p_msg->api_assoc.client_if; + gattc_cb.set_assoc.status = BTA_GATT_OK; BOOLEAN state = FALSE; tBTA_GATTC_CLCB *p_assoc_clcb = bta_gattc_find_clcb_by_cif(p_msg->api_assoc.client_if, p_msg->api_assoc.assoc_addr, BTA_TRANSPORT_LE); tBTA_GATTC_RCB *p_clrcb = bta_gattc_cl_get_regcb(p_msg->api_assoc.client_if); - if (p_assoc_clcb != NULL) { - if (p_assoc_clcb->state == BTA_GATTC_CONN_ST || p_assoc_clcb->state == BTA_GATTC_DISCOVER_ST) { - gattc_cb.set_assoc.status = BTA_GATT_BUSY; - if (p_clrcb != NULL) { - (*p_clrcb->p_cback)(BTA_GATTC_ASSOC_EVT, &gattc_cb); - return; - } - } - } - if (p_msg->api_assoc.is_assoc) { - if ((state = bta_gattc_co_cache_append_assoc_addr(p_msg->api_assoc.src_addr, p_msg->api_assoc.assoc_addr)) == TRUE) { - gattc_cb.set_assoc.status = BTA_GATT_OK; - - } else { + if (p_assoc_clcb != NULL && + (p_assoc_clcb->state == BTA_GATTC_CONN_ST || p_assoc_clcb->state == BTA_GATTC_DISCOVER_ST)) { + gattc_cb.set_assoc.status = BTA_GATT_BUSY; + } else if (p_msg->api_assoc.is_assoc) { + state = bta_gattc_co_cache_append_assoc_addr(p_msg->api_assoc.src_addr, p_msg->api_assoc.assoc_addr); + if (!state) { gattc_cb.set_assoc.status = BTA_GATT_ERROR; - if (p_clrcb != NULL) { - (*p_clrcb->p_cback)(BTA_GATTC_ASSOC_EVT, &gattc_cb); - return; - } } } else { - if (( state = bta_gattc_co_cache_remove_assoc_addr(p_msg->api_assoc.src_addr, p_msg->api_assoc.assoc_addr)) == TRUE) { - gattc_cb.set_assoc.status = BTA_GATT_OK; - } else { + state = bta_gattc_co_cache_remove_assoc_addr(p_msg->api_assoc.src_addr, p_msg->api_assoc.assoc_addr); + if (!state) { gattc_cb.set_assoc.status = BTA_GATT_ERROR; - if (p_clrcb != NULL) { - (*p_clrcb->p_cback)(BTA_GATTC_ASSOC_EVT, &gattc_cb); - return; - } } } - if (p_clrcb != NULL) { + if (p_clrcb != NULL && p_clrcb->p_cback != NULL) { (*p_clrcb->p_cback)(BTA_GATTC_ASSOC_EVT, &gattc_cb); } - - return; - } void bta_gattc_process_api_cache_get_addr_list(tBTA_GATTC_CB *p_cb, tBTA_GATTC_DATA *p_msg) { @@ -1957,7 +1971,7 @@ void bta_gattc_process_api_cache_get_addr_list(tBTA_GATTC_CB *p_cb, tBTA_GATTC_D gattc_cb.get_addr_list.status = BTA_GATT_NOT_FOUND; } - if (p_clrcb != NULL) { + if (p_clrcb != NULL && p_clrcb->p_cback != NULL) { (* p_clrcb->p_cback)(BTA_GATTC_GET_ADDR_LIST_EVT, &gattc_cb); } @@ -2363,7 +2377,7 @@ tBTA_GATTC_FIND_SERVICE_CB bta_gattc_register_service_change_notify(UINT16 conn_ tBTA_GATTC_SERVICE *p_service = NULL; tBTA_GATTC_CHARACTERISTIC *p_char = NULL; tBTA_GATTC_DESCRIPTOR *p_desc = NULL; - tBTA_GATTC_FIND_SERVICE_CB result; + tBTA_GATTC_FIND_SERVICE_CB result = SERVICE_CHANGE_CACHE_NOT_FOUND; BOOLEAN gatt_cache_found = FALSE; BOOLEAN gatt_service_found = FALSE; BOOLEAN gatt_service_change_found = FALSE; diff --git a/components/bt/host/bluedroid/bta/gatt/bta_gattc_api.c b/components/bt/host/bluedroid/bta/gatt/bta_gattc_api.c index 69738647ba..29df677274 100644 --- a/components/bt/host/bluedroid/bta/gatt/bta_gattc_api.c +++ b/components/bt/host/bluedroid/bta/gatt/bta_gattc_api.c @@ -151,6 +151,7 @@ void BTA_GATTC_Enh_Open(tBTA_GATTC_IF client_if, BD_ADDR remote_bda, tBTA_ADDR_T tBTA_GATTC_API_OPEN *p_buf; if ((p_buf = (tBTA_GATTC_API_OPEN *) osi_malloc(sizeof(tBTA_GATTC_API_OPEN))) != NULL) { + memset(p_buf, 0, sizeof(tBTA_GATTC_API_OPEN)); p_buf->hdr.event = BTA_GATTC_API_OPEN_EVT; p_buf->client_if = client_if; @@ -365,7 +366,7 @@ void BTA_GATTC_GetServiceWithUUID(UINT16 conn_id, tBT_UUID *svc_uuid, void BTA_GATTC_GetAllChar(UINT16 conn_id, UINT16 start_handle, UINT16 end_handle, btgatt_db_element_t **db, UINT16 *count) { - bta_gattc_get_db_with_opration(conn_id, + bta_gattc_get_db_with_operation(conn_id, GATT_OP_GET_ALL_CHAR, 0, NULL, @@ -380,7 +381,7 @@ void BTA_GATTC_GetAllChar(UINT16 conn_id, UINT16 start_handle, UINT16 end_handle void BTA_GATTC_GetAllDescriptor(UINT16 conn_id, UINT16 char_handle, btgatt_db_element_t **db, UINT16 *count) { - bta_gattc_get_db_with_opration(conn_id, + bta_gattc_get_db_with_operation(conn_id, GATT_OP_GET_ALL_DESCRI, char_handle, NULL, @@ -395,7 +396,7 @@ void BTA_GATTC_GetAllDescriptor(UINT16 conn_id, UINT16 char_handle, void BTA_GATTC_GetCharByUUID(UINT16 conn_id, UINT16 start_handle, UINT16 end_handle, tBT_UUID char_uuid, btgatt_db_element_t **db, UINT16 *count) { - bta_gattc_get_db_with_opration(conn_id, + bta_gattc_get_db_with_operation(conn_id, GATT_OP_GET_CHAR_BY_UUID, 0, NULL, @@ -411,7 +412,7 @@ void BTA_GATTC_GetDescrByUUID(UINT16 conn_id, uint16_t start_handle, uint16_t en tBT_UUID char_uuid, tBT_UUID descr_uuid, btgatt_db_element_t **db, UINT16 *count) { - bta_gattc_get_db_with_opration(conn_id, + bta_gattc_get_db_with_operation(conn_id, GATT_OP_GET_DESCRI_BY_UUID, 0, NULL, @@ -426,7 +427,7 @@ void BTA_GATTC_GetDescrByUUID(UINT16 conn_id, uint16_t start_handle, uint16_t en void BTA_GATTC_GetDescrByCharHandle(UINT16 conn_id, UINT16 char_handle, tBT_UUID descr_uuid, btgatt_db_element_t **db, UINT16 *count) { - bta_gattc_get_db_with_opration(conn_id, + bta_gattc_get_db_with_operation(conn_id, GATT_OP_GET_DESCRI_BY_HANDLE, char_handle, NULL, @@ -441,7 +442,7 @@ void BTA_GATTC_GetDescrByCharHandle(UINT16 conn_id, UINT16 char_handle, tBT_UUID void BTA_GATTC_GetIncludeService(UINT16 conn_id, UINT16 start_handle, UINT16 end_handle, tBT_UUID *incl_uuid, btgatt_db_element_t **db, UINT16 *count) { - bta_gattc_get_db_with_opration(conn_id, + bta_gattc_get_db_with_operation(conn_id, GATT_OP_GET_INCLUDE_SVC, 0, incl_uuid, @@ -528,9 +529,8 @@ void BTA_GATTC_ReadCharacteristic(UINT16 conn_id, UINT16 handle, tBTA_GATT_AUTH_ void BTA_GATTC_ReadCharDescr (UINT16 conn_id, UINT16 handle, tBTA_GATT_AUTH_REQ auth_req) { tBTA_GATTC_API_READ *p_buf; - UINT16 len = (UINT16)(sizeof(tBTA_GATT_ID) + sizeof(tBTA_GATTC_API_READ)); - if ((p_buf = (tBTA_GATTC_API_READ *) osi_malloc(len)) != NULL) { + if ((p_buf = (tBTA_GATTC_API_READ *) osi_malloc(sizeof(tBTA_GATTC_API_READ))) != NULL) { memset(p_buf, 0, sizeof(tBTA_GATTC_API_READ)); p_buf->hdr.event = BTA_GATTC_API_READ_EVT; @@ -560,6 +560,7 @@ void BTA_GATTC_ReadCharDescr (UINT16 conn_id, UINT16 handle, tBTA_GATT_AUTH_REQ void BTA_GATTC_ReadMultiple(UINT16 conn_id, tBTA_GATTC_MULTI *p_read_multi, tBTA_GATT_AUTH_REQ auth_req) { + // p_read_multi should not be NULL tBTA_GATTC_API_READ_MULTI *p_buf; //tBTA_GATTC_API_READ_MULTI *p_value; UINT16 len = (UINT16)(sizeof(tBTA_GATTC_API_READ_MULTI)); @@ -921,7 +922,7 @@ tBTA_GATT_STATUS BTA_GATTC_RegisterForNotifications (tBTA_GATTC_IF client_if, if (!handle) { - APPL_TRACE_ERROR("deregistration failed, handle is 0"); + APPL_TRACE_ERROR("registration failed, handle is 0"); return status; } @@ -1117,10 +1118,15 @@ typedef struct { } uuid; } __attribute__((packed)) tAPP_UUID; -uint8_t BTA_GATTC_Discover(uint8_t gatt_if, uint16_t conn_id, void *uuid, uint8_t disc_type, uint16_t s_handle, uint16_t e_handle) +int BTA_GATTC_Discover(uint8_t gatt_if, uint16_t conn_id, void *uuid, uint8_t disc_type, uint16_t s_handle, uint16_t e_handle) { tGATT_STATUS status; tGATT_DISC_PARAM param; + + if (uuid == NULL && disc_type == GATT_DISC_SRVC_BY_UUID) { + APPL_TRACE_ERROR("%s invalid parameters", __func__); + return -1; + } tAPP_UUID *app_uuid = (tAPP_UUID *)uuid; conn_id = (UINT16)((((UINT8)conn_id) << 8) | gatt_if); @@ -1144,6 +1150,7 @@ uint8_t BTA_GATTC_Discover(uint8_t gatt_if, uint16_t conn_id, void *uuid, uint8_ memcpy(param.service.uu.uuid128, app_uuid->uuid.uuid128, LEN_UUID_128); } else { APPL_TRACE_ERROR("%s invalid uuid len %u", __func__, app_uuid->len); + return -1; } } diff --git a/components/bt/host/bluedroid/bta/gatt/bta_gattc_cache.c b/components/bt/host/bluedroid/bta/gatt/bta_gattc_cache.c index 7af5e6beee..aebffce50a 100644 --- a/components/bt/host/bluedroid/bta/gatt/bta_gattc_cache.c +++ b/components/bt/host/bluedroid/bta/gatt/bta_gattc_cache.c @@ -40,6 +40,7 @@ #include "stack/l2c_api.h" #include "btm_int.h" #include "errno.h" +#include "gatt_int.h" // #include "osi/include/log.h" @@ -287,6 +288,12 @@ static tBTA_GATT_STATUS bta_gattc_add_srvc_to_cache(tBTA_GATTC_SERV *p_srvc_cb, if(!p_srvc_cb->p_srvc_cache) { APPL_TRACE_WARNING("%s(), no resource.", __func__); + if (p_new_srvc->characteristics) { + list_free(p_new_srvc->characteristics); + } + if (p_new_srvc->included_svc) { + list_free(p_new_srvc->included_svc); + } osi_free(p_new_srvc); return BTA_GATT_NO_RESOURCES; } @@ -336,7 +343,14 @@ static tBTA_GATT_STATUS bta_gattc_add_char_to_cache(tBTA_GATTC_SERV *p_srvc_cb, memcpy(&characteristic->uuid, p_uuid, sizeof(tBT_UUID)); characteristic->service = service; - list_append(service->characteristics, characteristic); + if (!list_append(service->characteristics, characteristic)) { + APPL_TRACE_WARNING("%s(), no resource.", __func__); + if (characteristic->descriptors) { + list_free(characteristic->descriptors); + } + osi_free(characteristic); + return BTA_GATT_NO_RESOURCES; + } return BTA_GATT_OK; } @@ -556,7 +570,8 @@ void bta_gattc_update_include_service(const list_t *services) { for (list_node_t *sn = list_begin(services); sn != list_end(services); sn = list_next(sn)) { tBTA_GATTC_SERVICE *service = list_node(sn); if(!service || !service->included_svc || list_is_empty(service->included_svc)) break; - for (list_node_t *sn = list_begin(service->included_svc); sn != list_end(service->included_svc); sn = list_next(sn)) { + for (list_node_t *sn = list_begin(service->included_svc); sn != list_end(service->included_svc);) { + list_node_t *sn_next = list_next(sn); tBTA_GATTC_INCLUDED_SVC *include_service = list_node(sn); if(include_service && !include_service->included_service) { //update @@ -564,9 +579,10 @@ void bta_gattc_update_include_service(const list_t *services) { if(!include_service->included_service) { //not match, free it list_remove(service->included_svc, include_service); - osi_free(include_service); + // osi_free(include_service); } } + sn = sn_next; } } @@ -594,7 +610,7 @@ static void bta_gattc_explore_srvc(UINT16 conn_id, tBTA_GATTC_SERV *p_srvc_cb) APPL_TRACE_ERROR("unknown connection ID"); return; } - /* start expore a service if there is service not been explored */ + /* start explore a service if there is service not been explored */ if (p_srvc_cb->cur_srvc_idx < p_srvc_cb->total_srvc) { /* add the first service into cache */ if (bta_gattc_add_srvc_to_cache (p_srvc_cb, @@ -817,7 +833,7 @@ static tBTA_GATT_STATUS bta_gattc_add_char_to_list(tBTA_GATTC_SERV *p_srvc_cb, p_rec->e_handle = (p_srvc_cb->p_srvc_list + p_srvc_cb->cur_srvc_idx)->e_handle; memcpy(&p_rec->uuid, &uuid, sizeof(tBT_UUID)); - /* update the endind handle of pervious characteristic if available */ + /* update the endind handle of previous characteristic if available */ if (p_srvc_cb->total_char > 1) { p_rec -= 1; p_rec->e_handle = decl_handle - 1; @@ -1319,7 +1335,7 @@ void bta_gattc_fill_gatt_db_el(btgatt_db_element_t *p_attr, bta_to_btif_uuid(&p_attr->uuid, &uuid); } -void bta_gattc_get_db_with_opration(UINT16 conn_id, +void bta_gattc_get_db_with_operation(UINT16 conn_id, bt_gatt_get_db_op_t op, UINT16 char_handle, tBT_UUID *incl_uuid, @@ -1502,10 +1518,9 @@ static size_t bta_gattc_get_db_size_with_type(list_t *services, } size_t db_size = 0; - UINT16 svc_length = list_length(services) - 1; for (list_node_t *sn = list_begin(services); - sn != list_end(services); sn = list_next(sn), svc_length--) { + sn != list_end(services); sn = list_next(sn)) { tBTA_GATTC_SERVICE *p_cur_srvc = list_node(sn); if (p_cur_srvc->e_handle < start_handle) { @@ -1519,12 +1534,8 @@ static size_t bta_gattc_get_db_size_with_type(list_t *services, if (type == BTGATT_DB_PRIMARY_SERVICE || type == BTGATT_DB_SECONDARY_SERVICE) { if ((type == BTGATT_DB_PRIMARY_SERVICE && p_cur_srvc->is_primary) || (type == BTGATT_DB_SECONDARY_SERVICE && !p_cur_srvc->is_primary)) { - // if the current service is the last service in the db, need to ensure the current service start handle is not less than the start_handle. - if (!svc_length) { - if (p_cur_srvc->s_handle >= start_handle) { - db_size++; - } - } else { + /* Count only when declaration handle s_handle is within [start_handle, end_handle] (GATT spec). */ + if (p_cur_srvc->s_handle >= start_handle) { db_size++; } } @@ -1620,9 +1631,8 @@ static size_t bta_gattc_get_db_size(list_t *services, } size_t db_size = 0; - UINT16 svc_length = list_length(services) - 1; for (list_node_t *sn = list_begin(services); - sn != list_end(services); sn = list_next(sn), svc_length--) { + sn != list_end(services); sn = list_next(sn)) { tBTA_GATTC_SERVICE *p_cur_srvc = list_node(sn); if (p_cur_srvc->e_handle < start_handle) { @@ -1633,41 +1643,38 @@ static size_t bta_gattc_get_db_size(list_t *services, break; } - if (!svc_length) { - if (p_cur_srvc->s_handle >= start_handle) { - db_size++; - } - } else { - db_size++; - } - - if (!p_cur_srvc->characteristics || list_is_empty(p_cur_srvc->characteristics)) { + /* Count service only when declaration handle s_handle is within [start_handle, end_handle] (GATT spec). + * Skip counting this service and all its contents when s_handle < start_handle (consistent with bta_gattc_get_gatt_db_impl). */ + if (p_cur_srvc->s_handle < start_handle) { continue; } + db_size++; - for (list_node_t *cn = list_begin(p_cur_srvc->characteristics); - cn != list_end(p_cur_srvc->characteristics); cn = list_next(cn)) { - tBTA_GATTC_CHARACTERISTIC *p_char = list_node(cn); + if (p_cur_srvc->characteristics && !list_is_empty(p_cur_srvc->characteristics)) { + for (list_node_t *cn = list_begin(p_cur_srvc->characteristics); + cn != list_end(p_cur_srvc->characteristics); cn = list_next(cn)) { + tBTA_GATTC_CHARACTERISTIC *p_char = list_node(cn); - if (p_char->handle < start_handle) { - continue; - } - if (p_char->handle > end_handle) { - return db_size; - } - db_size++; + if (p_char->handle < start_handle) { + continue; + } + if (p_char->handle > end_handle) { + return db_size; + } + db_size++; - if (p_char->descriptors) { - for (list_node_t *dn = list_begin(p_char->descriptors); - dn != list_end(p_char->descriptors); dn = list_next(dn)) { - tBTA_GATTC_DESCRIPTOR *p_desc = list_node(dn); - if (p_desc->handle < start_handle) { - continue; + if (p_char->descriptors) { + for (list_node_t *dn = list_begin(p_char->descriptors); + dn != list_end(p_char->descriptors); dn = list_next(dn)) { + tBTA_GATTC_DESCRIPTOR *p_desc = list_node(dn); + if (p_desc->handle < start_handle) { + continue; + } + if (p_desc->handle > end_handle) { + return db_size; + } + db_size++; } - if (p_desc->handle > end_handle) { - return db_size; - } - db_size++; } } } @@ -1702,7 +1709,7 @@ void bta_gattc_get_db_size_handle(UINT16 conn_id, UINT16 start_handle, UINT16 en } tBTA_GATTC_SERV *p_srcb = p_clcb->p_srcb; - if (!p_srcb->p_srvc_cache || list_is_empty(p_srcb->p_srvc_cache)) { + if ((p_srcb == NULL) || !p_srcb->p_srvc_cache || list_is_empty(p_srcb->p_srvc_cache)) { *count = 0; return; } @@ -1792,6 +1799,11 @@ static void bta_gattc_get_gatt_db_impl(tBTA_GATTC_SERV *p_srvc_cb, break; } + /* Output service only when declaration handle s_handle is within [start_handle, end_handle] (consistent with count logic). */ + if (p_cur_srvc->s_handle < start_handle) { + continue; + } + bta_gattc_fill_gatt_db_el(curr_db_attr, p_cur_srvc->is_primary ? BTGATT_DB_PRIMARY_SERVICE : @@ -1879,8 +1891,8 @@ static void bta_gattc_get_gatt_db_impl(tBTA_GATTC_SERV *p_srvc_cb, bta_gattc_fill_gatt_db_el(curr_db_attr, BTGATT_DB_INCLUDED_SERVICE, p_isvc->handle, - 0 /* s_handle */, - 0 /* e_handle */, + p_isvc->incl_srvc_s_handle, + p_isvc->incl_srvc_e_handle, p_isvc->handle, p_isvc->uuid, 0 /* property */); @@ -1912,17 +1924,26 @@ void bta_gattc_get_gatt_db(UINT16 conn_id, UINT16 start_handle, UINT16 end_handl if (p_clcb == NULL) { APPL_TRACE_ERROR("Unknown conn ID: %d", conn_id); + *count = 0; + *db = NULL; return; } if (p_clcb->state != BTA_GATTC_CONN_ST) { APPL_TRACE_ERROR("server cache not available, CLCB state = %d", p_clcb->state); + *count = 0; + *db = NULL; return; } - if (!p_clcb->p_srcb || p_clcb->p_srcb->p_srvc_list || /* no active discovery */ + /* Reject if no server context, discovery still in progress (p_srvc_list in use), or cache not ready + p_srvc_list must set to NULL after osi_free; + */ + if (!p_clcb->p_srcb || p_clcb->p_srcb->p_srvc_list || !p_clcb->p_srcb->p_srvc_cache) { + *count = 0; + *db = NULL; APPL_TRACE_ERROR("No server cache available"); return; } @@ -2032,10 +2053,11 @@ void bta_gattc_cache_save(tBTA_GATTC_SERV *p_srvc_cb, UINT16 conn_id) return; } - int i = 0; + /* i: current write index, equals actual count after loops; db_size: allocated slots from cache count */ + size_t i = 0; size_t db_size = bta_gattc_get_db_size(p_srvc_cb->p_srvc_cache, 0x0000, 0xFFFF); tBTA_GATTC_NV_ATTR *nv_attr = osi_malloc(db_size * sizeof(tBTA_GATTC_NV_ATTR)); - // This step is very importent, if not clear the memory, the hasy key base on the attribute case will be not corret. + // This step is very important, if not clear the memory, the hasy key base on the attribute case will be not correct. if (nv_attr != NULL) { memset(nv_attr, 0, db_size * sizeof(tBTA_GATTC_NV_ATTR)); } @@ -2048,6 +2070,11 @@ void bta_gattc_cache_save(tBTA_GATTC_SERV *p_srvc_cb, UINT16 conn_id) sn != list_end(p_srvc_cb->p_srvc_cache); sn = list_next(sn)) { tBTA_GATTC_SERVICE *p_cur_srvc = list_node(sn); + /* Bounds check: avoid buffer overflow if cache is modified and count exceeds db_size */ + if (i >= db_size) { + APPL_TRACE_ERROR("%s(), db_size exceeded (services), skip saving.", __func__); + goto save_error; + } bta_gattc_fill_nv_attr(&nv_attr[i++], BTA_GATTC_ATTR_TYPE_SRVC, p_cur_srvc->s_handle, @@ -2063,41 +2090,49 @@ void bta_gattc_cache_save(tBTA_GATTC_SERV *p_srvc_cb, UINT16 conn_id) sn != list_end(p_srvc_cb->p_srvc_cache); sn = list_next(sn)) { tBTA_GATTC_SERVICE *p_cur_srvc = list_node(sn); - if (!p_cur_srvc->characteristics || list_is_empty(p_cur_srvc->characteristics)) { - continue; - } - - for (list_node_t *cn = list_begin(p_cur_srvc->characteristics); - cn != list_end(p_cur_srvc->characteristics); cn = list_next(cn)) { - tBTA_GATTC_CHARACTERISTIC *p_char = list_node(cn); - - bta_gattc_fill_nv_attr(&nv_attr[i++], - BTA_GATTC_ATTR_TYPE_CHAR, - p_char->handle, - 0, - p_char->uuid, - p_char->properties, - 0 /* incl_srvc_s_handle */, - 0 /* incl_srvc_e_handle */, - FALSE); - - if (!p_char->descriptors || list_is_empty(p_char->descriptors)) { - continue; - } - - for (list_node_t *dn = list_begin(p_char->descriptors); - dn != list_end(p_char->descriptors); dn = list_next(dn)) { - tBTA_GATTC_DESCRIPTOR *p_desc = list_node(dn); + if (p_cur_srvc->characteristics && !list_is_empty(p_cur_srvc->characteristics)) { + for (list_node_t *cn = list_begin(p_cur_srvc->characteristics); + cn != list_end(p_cur_srvc->characteristics); cn = list_next(cn)) { + tBTA_GATTC_CHARACTERISTIC *p_char = list_node(cn); + /* Bounds check: avoid buffer overflow if count exceeds db_size */ + if (i >= db_size) { + APPL_TRACE_ERROR("%s(), db_size exceeded (characteristics), skip saving.", __func__); + goto save_error; + } bta_gattc_fill_nv_attr(&nv_attr[i++], - BTA_GATTC_ATTR_TYPE_CHAR_DESCR, - p_desc->handle, + BTA_GATTC_ATTR_TYPE_CHAR, + p_char->handle, 0, - p_desc->uuid, - 0 /* properties */, + p_char->uuid, + p_char->properties, 0 /* incl_srvc_s_handle */, 0 /* incl_srvc_e_handle */, FALSE); + + if (!p_char->descriptors || list_is_empty(p_char->descriptors)) { + continue; + } + + for (list_node_t *dn = list_begin(p_char->descriptors); + dn != list_end(p_char->descriptors); dn = list_next(dn)) { + tBTA_GATTC_DESCRIPTOR *p_desc = list_node(dn); + + /* Bounds check: avoid buffer overflow if count exceeds db_size */ + if (i >= db_size) { + APPL_TRACE_ERROR("%s(), db_size exceeded (descriptors), skip saving.", __func__); + goto save_error; + } + bta_gattc_fill_nv_attr(&nv_attr[i++], + BTA_GATTC_ATTR_TYPE_CHAR_DESCR, + p_desc->handle, + 0, + p_desc->uuid, + 0 /* properties */, + 0 /* incl_srvc_s_handle */, + 0 /* incl_srvc_e_handle */, + FALSE); + } } } @@ -2108,21 +2143,32 @@ void bta_gattc_cache_save(tBTA_GATTC_SERV *p_srvc_cb, UINT16 conn_id) for (list_node_t *an = list_begin(p_cur_srvc->included_svc); an != list_end(p_cur_srvc->included_svc); an = list_next(an)) { tBTA_GATTC_INCLUDED_SVC *p_isvc = list_node(an); + UINT16 incl_s_handle = p_isvc->included_service ? p_isvc->included_service->s_handle : p_isvc->incl_srvc_s_handle; + UINT16 incl_e_handle = p_isvc->included_service ? p_isvc->included_service->e_handle : p_isvc->incl_srvc_e_handle; + /* Bounds check: avoid buffer overflow if count exceeds db_size */ + if (i >= db_size) { + APPL_TRACE_ERROR("%s(), db_size exceeded (included_svc), skip saving.", __func__); + goto save_error; + } bta_gattc_fill_nv_attr(&nv_attr[i++], BTA_GATTC_ATTR_TYPE_INCL_SRVC, p_isvc->handle, 0, p_isvc->uuid, 0 /* properties */, - p_isvc->included_service->s_handle, - p_isvc->included_service->e_handle, + incl_s_handle, + incl_e_handle, FALSE); } } - /* TODO: Gattc cache write/read need to be added in IDF 3.1*/ - bta_gattc_cache_write(p_srvc_cb->server_bda, db_size, nv_attr); + bta_gattc_cache_write(p_srvc_cb->server_bda, (UINT16)db_size, nv_attr); + osi_free(nv_attr); + return; + +save_error: + APPL_TRACE_ERROR("%s(), cache inconsistency detected, not saving partial cache.", __func__); osi_free(nv_attr); } @@ -2149,11 +2195,14 @@ bool bta_gattc_cache_load(tBTA_GATTC_CLCB *p_clcb) return false; } - size_t num_attr = bta_gattc_get_cache_attr_length(index) / sizeof(tBTA_GATTC_NV_ATTR); + size_t length = bta_gattc_get_cache_attr_length(index); - if (!num_attr) { + if (length == 0 || (length % sizeof(tBTA_GATTC_NV_ATTR)) != 0) { + APPL_TRACE_ERROR("%s, Invalid cache length %d", __func__, length); return false; } + + size_t num_attr = length / sizeof(tBTA_GATTC_NV_ATTR); //don't forget to set the total attribute number. p_clcb->p_srcb->total_attr = num_attr; APPL_TRACE_DEBUG("%s(), index = %x, num_attr = %d", __func__, index, num_attr); @@ -2163,6 +2212,7 @@ bool bta_gattc_cache_load(tBTA_GATTC_CLCB *p_clcb) } if ((status = bta_gattc_co_cache_load(attr, index)) != BTA_GATT_OK) { APPL_TRACE_DEBUG("%s(), gattc cache load fail, status = %x", __func__, status); + osi_free(attr); return false; } p_clcb->searched_service_source = BTA_GATTC_SERVICE_INFO_FROM_NVS_FLASH; diff --git a/components/bt/host/bluedroid/bta/gatt/bta_gattc_co.c b/components/bt/host/bluedroid/bta/gatt/bta_gattc_co.c index d6ca7bca47..80a10a8f2a 100644 --- a/components/bt/host/bluedroid/bta/gatt/bta_gattc_co.c +++ b/components/bt/host/bluedroid/bta/gatt/bta_gattc_co.c @@ -172,6 +172,14 @@ static void cacheReset(BD_ADDR bda, BOOLEAN update) return; } + // Free the assoc_addr list_t structure before array shift to prevent memory leak + // Note: bta_gattc_co_cache_clear_assoc_addr only calls list_clear which clears nodes + // but doesn't free the list_t structure itself + if (cache_env->cache_addr[index].assoc_addr != NULL) { + list_free(cache_env->cache_addr[index].assoc_addr); + cache_env->cache_addr[index].assoc_addr = NULL; + } + UINT8 num = cache_env->num_addr; //delete the server_bda in the addr_info list. for(UINT8 i = index; i < (num - 1); i++) { @@ -435,6 +443,8 @@ void bta_gattc_co_cache_addr_init(void) } else { APPL_TRACE_ERROR("%s, Line = %d, nvs flash open fail, err_code = %x", __func__, __LINE__, err_code); osi_free(p_buf); + osi_free(cache_env); + cache_env = NULL; return; } @@ -444,11 +454,18 @@ void bta_gattc_co_cache_addr_init(void) void bta_gattc_co_cache_addr_deinit(void) { - APPL_TRACE_DEBUG("%s is_open=%d", __func__, cache_env->is_open); - - if(!cache_env->is_open) { + if(cache_env == NULL) { return; } + + APPL_TRACE_DEBUG("%s is_open=%d", __func__, cache_env->is_open); + + if (!cache_env->is_open) { + osi_free(cache_env); + cache_env = NULL; + return; + } + nvs_close(cache_env->addr_fp); cache_env->is_open = false; @@ -608,9 +625,30 @@ BOOLEAN bta_gattc_co_cache_append_assoc_addr(BD_ADDR src_addr, BD_ADDR assoc_add if ((addr_index = bta_gattc_co_find_addr_in_cache(src_addr)) != INVALID_ADDR_NUM) { addr_info = &cache_env->cache_addr[addr_index]; if (addr_info->assoc_addr == NULL) { - addr_info->assoc_addr =list_new(NULL); + addr_info->assoc_addr =list_new(osi_free_func); } - return list_append(addr_info->assoc_addr, p_assoc_buf); + if (addr_info->assoc_addr == NULL) { + APPL_TRACE_ERROR("assoc_addr list creation failed"); + osi_free(p_assoc_buf); + return FALSE; + } + + for (list_node_t *sn = list_begin(addr_info->assoc_addr); + sn != list_end(addr_info->assoc_addr); sn = list_next(sn)) { + if (!memcmp(list_node(sn), assoc_addr, sizeof(BD_ADDR))) { + APPL_TRACE_WARNING("Association already exists"); + osi_free(p_assoc_buf); + return TRUE; + } + } + + if (!list_append(addr_info->assoc_addr, p_assoc_buf)) { + APPL_TRACE_ERROR("Failed to append to assoc_addr list"); + osi_free(p_assoc_buf); + return FALSE; + + } + return TRUE; } else { osi_free(p_assoc_buf); } @@ -643,16 +681,15 @@ BOOLEAN bta_gattc_co_cache_remove_assoc_addr(BD_ADDR src_addr, BD_ADDR assoc_add UINT8* bta_gattc_co_cache_find_src_addr(BD_ADDR assoc_addr, UINT8 *index) { - UINT8 num = cache_env->num_addr; + UINT8 num = (cache_env->num_addr > MAX_DEVICE_IN_CACHE) ? MAX_DEVICE_IN_CACHE : cache_env->num_addr; cache_addr_info_t *addr_info = &cache_env->cache_addr[0]; UINT8 *addr_data; - //Check the assoc_addr list is NULL or not - if (addr_info->assoc_addr == NULL) { - *index = INVALID_ADDR_NUM; - return NULL; - } for (int i = 0; i < num; i++) { + if (addr_info->assoc_addr == NULL) { + addr_info++; + continue; + } for (const list_node_t *node = list_begin(addr_info->assoc_addr); node != list_end(addr_info->assoc_addr); node = list_next(node)) { addr_data = (UINT8 *)list_node(node); @@ -662,11 +699,6 @@ UINT8* bta_gattc_co_cache_find_src_addr(BD_ADDR assoc_addr, UINT8 *index) } } addr_info++; - - if (addr_info->assoc_addr == NULL) { - *index = INVALID_ADDR_NUM; - return NULL; - } } *index = INVALID_ADDR_NUM; diff --git a/components/bt/host/bluedroid/bta/gatt/bta_gattc_main.c b/components/bt/host/bluedroid/bta/gatt/bta_gattc_main.c index c1d1e72033..09e1aea2fa 100644 --- a/components/bt/host/bluedroid/bta/gatt/bta_gattc_main.c +++ b/components/bt/host/bluedroid/bta/gatt/bta_gattc_main.c @@ -41,7 +41,6 @@ enum { BTA_GATTC_OPEN, BTA_GATTC_OPEN_FAIL, - BTA_GATTC_OPEN_ERROR, BTA_GATTC_CANCEL_OPEN, BTA_GATTC_CANCEL_OPEN_OK, BTA_GATTC_CANCEL_OPEN_ERROR, @@ -77,7 +76,6 @@ typedef void (*tBTA_GATTC_ACTION)(tBTA_GATTC_CLCB *p_clcb, tBTA_GATTC_DATA *p_da const tBTA_GATTC_ACTION bta_gattc_action[] = { bta_gattc_open, bta_gattc_open_fail, - bta_gattc_open_error, bta_gattc_cancel_open, bta_gattc_cancel_open_ok, bta_gattc_cancel_open_error, @@ -289,6 +287,11 @@ BOOLEAN bta_gattc_sm_execute(tBTA_GATTC_CLCB *p_clcb, UINT16 event, tBTA_GATTC_D gattc_evt_code(in_event)); #endif + // should not happen, but just in case + if (!p_clcb) { + APPL_TRACE_ERROR("p_clcb or p_data is NULL, event is %d", event); + return rt; + } /* look up the state table for the current state */ state_table = bta_gattc_st_tbl[p_clcb->state]; diff --git a/components/bt/host/bluedroid/bta/gatt/bta_gattc_utils.c b/components/bt/host/bluedroid/bta/gatt/bta_gattc_utils.c index 6f3f3c0a4c..bc329b775b 100644 --- a/components/bt/host/bluedroid/bta/gatt/bta_gattc_utils.c +++ b/components/bt/host/bluedroid/bta/gatt/bta_gattc_utils.c @@ -35,37 +35,16 @@ #include "bta_gattc_int.h" #include "stack/l2c_api.h" #include "osi/allocator.h" +#include "gatt_int.h" /***************************************************************************** ** Constants *****************************************************************************/ - -static const UINT8 base_uuid[LEN_UUID_128] = {0xFB, 0x34, 0x9B, 0x5F, 0x80, 0x00, 0x00, 0x80, - 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 - }; - static const BD_ADDR dummy_bda = {0, 0, 0, 0, 0, 0}; #define GATTC_COMMAND_QUEUE_SIZE_MAX 30 -/******************************************************************************* -** -** Function bta_gatt_convert_uuid16_to_uuid128 -** -** Description Convert a 16 bits UUID to be an standard 128 bits one. -** -** Returns TRUE if two uuid match; FALSE otherwise. -** -*******************************************************************************/ -void bta_gatt_convert_uuid16_to_uuid128(UINT8 uuid_128[LEN_UUID_128], UINT16 uuid_16) -{ - UINT8 *p = &uuid_128[LEN_UUID_128 - 4]; - - memcpy (uuid_128, base_uuid, LEN_UUID_128); - - UINT16_TO_STREAM(p, uuid_16); -} /******************************************************************************* ** ** Function bta_gattc_uuid_compare @@ -77,11 +56,8 @@ void bta_gatt_convert_uuid16_to_uuid128(UINT8 uuid_128[LEN_UUID_128], UINT16 uui *******************************************************************************/ BOOLEAN bta_gattc_uuid_compare (const tBT_UUID *p_src, const tBT_UUID *p_tar, BOOLEAN is_precise) { - UINT8 su[LEN_UUID_128], tu[LEN_UUID_128]; - const UINT8 *ps, *pt; - /* any of the UUID is unspecified */ - if (p_src == 0 || p_tar == 0) { + if (p_src == 0 || p_tar == 0 || p_src->len == 0 || p_tar->len == 0) { if (is_precise) { return FALSE; } else { @@ -89,29 +65,7 @@ BOOLEAN bta_gattc_uuid_compare (const tBT_UUID *p_src, const tBT_UUID *p_tar, BO } } - /* If both are 16-bit, we can do a simple compare */ - if (p_src->len == 2 && p_tar->len == 2) { - return p_src->uu.uuid16 == p_tar->uu.uuid16; - } - - /* One or both of the UUIDs is 128-bit */ - if (p_src->len == LEN_UUID_16) { - /* convert a 16 bits UUID to 128 bits value */ - bta_gatt_convert_uuid16_to_uuid128(su, p_src->uu.uuid16); - ps = su; - } else { - ps = p_src->uu.uuid128; - } - - if (p_tar->len == LEN_UUID_16) { - /* convert a 16 bits UUID to 128 bits value */ - bta_gatt_convert_uuid16_to_uuid128(tu, p_tar->uu.uuid16); - pt = tu; - } else { - pt = p_tar->uu.uuid128; - } - - return (memcmp(ps, pt, LEN_UUID_128) == 0); + return gatt_uuid_compare(*p_src, *p_tar); } /******************************************************************************* @@ -242,6 +196,10 @@ tBTA_GATTC_CLCB *bta_gattc_clcb_alloc(tBTA_GATTC_IF client_if, BD_ADDR remote_bd p_clcb->p_srcb->num_clcb ++; p_clcb->p_rcb->num_clcb ++; } else { + if (p_clcb->p_cmd_list) { + list_free(p_clcb->p_cmd_list); + p_clcb->p_cmd_list = NULL; + } /* release this clcb if clcb or srcb allocation failed */ p_clcb->in_use = FALSE; p_clcb = NULL; @@ -305,6 +263,9 @@ void bta_gattc_clcb_dealloc(tBTA_GATTC_CLCB *p_clcb) list_free(p_srcb->p_srvc_cache); p_srcb->p_srvc_cache = NULL; } +#if (GATTC_CACHE_NVS == TRUE) + bta_gattc_co_cache_close(p_srcb->server_bda, 0); +#endif } if ( p_clcb->p_q_cmd != NULL && !list_contains(p_clcb->p_cmd_list, p_clcb->p_q_cmd)){ @@ -740,12 +701,12 @@ BOOLEAN bta_gattc_mark_bg_conn (tBTA_GATTC_IF client_if, BD_ADDR_PTR remote_bda if (add) /* mask on the cif bit */ { - *p_cif_mask |= (1 << (client_if - 1)); + *p_cif_mask |= BTA_GATTC_CIF_MASK_BIT(client_if); } else { - if (client_if != 0) { - *p_cif_mask &= (~(1 << (client_if - 1))); - } else { + if (client_if == 0) { *p_cif_mask = 0; + } else { + *p_cif_mask &= (~BTA_GATTC_CIF_MASK_BIT(client_if)); } } /* no BG connection for this device, make it available */ @@ -777,7 +738,7 @@ BOOLEAN bta_gattc_mark_bg_conn (tBTA_GATTC_IF client_if, BD_ADDR_PTR remote_bda p_cif_mask = is_listen ? &p_bg_tck->cif_adv_mask : &p_bg_tck->cif_mask; - *p_cif_mask = (1 << (client_if - 1)); + *p_cif_mask = BTA_GATTC_CIF_MASK_BIT(client_if); return TRUE; } } @@ -804,12 +765,12 @@ BOOLEAN bta_gattc_check_bg_conn (tBTA_GATTC_IF client_if, BD_ADDR remote_bda, U if (p_bg_tck->in_use && (bdcmp(p_bg_tck->remote_bda, remote_bda) == 0 || bdcmp(p_bg_tck->remote_bda, dummy_bda) == 0)) { - if (((p_bg_tck->cif_mask & (1 << (client_if - 1))) != 0) && + if (((p_bg_tck->cif_mask & BTA_GATTC_CIF_MASK_BIT(client_if)) != 0) && role == HCI_ROLE_MASTER) { is_bg_conn = TRUE; } - if (((p_bg_tck->cif_adv_mask & (1 << (client_if - 1))) != 0) && + if (((p_bg_tck->cif_adv_mask & BTA_GATTC_CIF_MASK_BIT(client_if)) != 0) && role == HCI_ROLE_SLAVE) { is_bg_conn = TRUE; } diff --git a/components/bt/host/bluedroid/bta/gatt/bta_gatts_act.c b/components/bt/host/bluedroid/bta/gatt/bta_gatts_act.c index 4e786bc8a1..04bcb697f8 100644 --- a/components/bt/host/bluedroid/bta/gatt/bta_gatts_act.c +++ b/components/bt/host/bluedroid/bta/gatt/bta_gatts_act.c @@ -36,6 +36,7 @@ #include #include "osi/allocator.h" #include "l2c_int.h" +#include "gatt_int.h" static void bta_gatts_nv_save_cback(BOOLEAN is_saved, tGATTS_HNDL_RANGE *p_hndl_range); static BOOLEAN bta_gatts_nv_srv_chg_cback(tGATTS_SRV_CHG_CMD cmd, tGATTS_SRV_CHG_REQ *p_req, @@ -176,13 +177,15 @@ void bta_gatts_register(tBTA_GATTS_CB *p_cb, tBTA_GATTS_DATA *p_msg) tBTA_GATT_STATUS status = BTA_GATT_OK; UINT8 i, first_unuse = 0xff; + memset(&cb_data, 0, sizeof(tBTA_GATTS)); + if (p_cb->enabled == FALSE) { bta_gatts_enable(p_cb); } for (i = 0; i < BTA_GATTS_MAX_APP_NUM; i ++) { if (p_cb->rcb[i].in_use) { - if (bta_gatts_uuid_compare(p_cb->rcb[i].app_uuid, p_msg->api_reg.app_uuid)) { + if (gatt_uuid_compare(p_cb->rcb[i].app_uuid, p_msg->api_reg.app_uuid)) { APPL_TRACE_ERROR("application already registered.\n"); status = BTA_GATT_DUP_REG; break; @@ -199,9 +202,7 @@ void bta_gatts_register(tBTA_GATTS_CB *p_cb, tBTA_GATTS_DATA *p_msg) } cb_data.reg_oper.server_if = BTA_GATTS_INVALID_IF; -// btla-specific ++ memcpy(&cb_data.reg_oper.uuid, &p_msg->api_reg.app_uuid, sizeof(tBT_UUID)); -// btla-specific -- if (first_unuse != 0xff) { APPL_TRACE_VERBOSE("register application first_unuse rcb_idx = %d", first_unuse); @@ -213,6 +214,7 @@ void bta_gatts_register(tBTA_GATTS_CB *p_cb, tBTA_GATTS_DATA *p_msg) GATT_Register(&p_msg->api_reg.app_uuid, &bta_gatts_cback); if ( !p_cb->rcb[first_unuse].gatt_if) { status = BTA_GATT_NO_RESOURCES; + memset( &p_cb->rcb[first_unuse], 0 , sizeof(tBTA_GATTS_RCB)); } else { if ((p_buf = (tBTA_GATTS_INT_START_IF *) osi_malloc(sizeof(tBTA_GATTS_INT_START_IF))) != NULL) { @@ -222,6 +224,7 @@ void bta_gatts_register(tBTA_GATTS_CB *p_cb, tBTA_GATTS_DATA *p_msg) bta_sys_sendmsg(p_buf); } else { status = BTA_GATT_NO_RESOURCES; + GATT_Deregister(p_cb->rcb[first_unuse].gatt_if); memset( &p_cb->rcb[first_unuse], 0 , sizeof(tBTA_GATTS_RCB)); } } @@ -309,7 +312,7 @@ void bta_gatts_deregister(tBTA_GATTS_CB *p_cb, tBTA_GATTS_DATA *p_msg) void bta_gatts_create_srvc(tBTA_GATTS_CB *p_cb, tBTA_GATTS_DATA *p_msg) { UINT8 rcb_idx; - tBTA_GATTS cb_data; + tBTA_GATTS cb_data = {0}; UINT8 srvc_idx; UINT16 service_id = 0; diff --git a/components/bt/host/bluedroid/bta/gatt/bta_gatts_api.c b/components/bt/host/bluedroid/bta/gatt/bta_gatts_api.c index b712da9b79..06667a415b 100644 --- a/components/bt/host/bluedroid/bta/gatt/bta_gatts_api.c +++ b/components/bt/host/bluedroid/bta/gatt/bta_gatts_api.c @@ -302,6 +302,8 @@ void BTA_GATTS_AddCharDescriptor (UINT16 service_id, memcpy(p_buf->attr_val.attr_val, attr_val->attr_val, value_len); } else{ + p_buf->attr_val.attr_len = 0; + p_buf->attr_val.attr_max_len = 0; APPL_TRACE_ERROR("Allocate fail for %s\n", __func__); } diff --git a/components/bt/host/bluedroid/bta/gatt/bta_gatts_main.c b/components/bt/host/bluedroid/bta/gatt/bta_gatts_main.c index bf1174c5f7..6444321437 100644 --- a/components/bt/host/bluedroid/bta/gatt/bta_gatts_main.c +++ b/components/bt/host/bluedroid/bta/gatt/bta_gatts_main.c @@ -109,6 +109,14 @@ BOOLEAN bta_gatts_hdl_event(BT_HDR *p_msg) case BTA_GATTS_API_SET_ATTR_VAL_EVT:{ UINT16 attr_id = ((tBTA_GATTS_DATA *) p_msg)->api_set_val.hdr.layer_specific; p_srvc_cb = bta_gatts_find_srvc_cb_by_attr_id(p_cb, attr_id); + if (p_srvc_cb == NULL) { + if (((tBTA_GATTS_DATA *) p_msg)->api_set_val.value != NULL) { + osi_free(((tBTA_GATTS_DATA *) p_msg)->api_set_val.value); + } + APPL_TRACE_ERROR("Service not found for attribute ID: %d", attr_id); + break; + } + bta_gatts_set_attr_value(p_srvc_cb, (tBTA_GATTS_DATA *) p_msg); break; } diff --git a/components/bt/host/bluedroid/bta/gatt/bta_gatts_utils.c b/components/bt/host/bluedroid/bta/gatt/bta_gatts_utils.c index 224e887334..d697f0dc19 100644 --- a/components/bt/host/bluedroid/bta/gatt/bta_gatts_utils.c +++ b/components/bt/host/bluedroid/bta/gatt/bta_gatts_utils.c @@ -31,27 +31,7 @@ #include "bta/bta_sys.h" #include "bta_gatts_int.h" -static const UINT8 base_uuid[LEN_UUID_128] = {0xFB, 0x34, 0x9B, 0x5F, 0x80, 0x00, 0x00, 0x80, - 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 - }; -/******************************************************************************* -** -** Function bta_gatt_convert_uuid16_to_uuid128 -** -** Description Convert a 16 bits UUID to be an standard 128 bits one. -** -** Returns TRUE if two uuid match; FALSE otherwise. -** -*******************************************************************************/ -static void bta_gatt_convert_uuid16_to_uuid128(UINT8 uuid_128[LEN_UUID_128], UINT16 uuid_16) -{ - UINT8 *p = &uuid_128[LEN_UUID_128 - 4]; - - memcpy (uuid_128, base_uuid, LEN_UUID_128); - - UINT16_TO_STREAM(p, uuid_16); -} /******************************************************************************* ** ** Function bta_gatts_alloc_srvc_cb @@ -167,6 +147,7 @@ tBTA_GATTS_SRVC_CB *bta_gatts_find_srvc_cb_by_attr_id(tBTA_GATTS_CB *p_cb, UINT1 attr_id >= p_cb->srvc_cb[i].service_id) || /* last service incb */ (i == (BTA_GATTS_MAX_SRVC_NUM - 1) && + p_cb->srvc_cb[i].in_use && attr_id >= p_cb->srvc_cb[i].service_id) ) { return &p_cb->srvc_cb[i]; @@ -174,51 +155,5 @@ tBTA_GATTS_SRVC_CB *bta_gatts_find_srvc_cb_by_attr_id(tBTA_GATTS_CB *p_cb, UINT1 } return NULL; } -/******************************************************************************* -** -** Function bta_gatts_uuid_compare -** -** Description Compare two UUID to see if they are the same. -** -** Returns TRUE if two uuid match; FALSE otherwise. -** -*******************************************************************************/ -BOOLEAN bta_gatts_uuid_compare(tBT_UUID tar, tBT_UUID src) -{ - UINT8 su[LEN_UUID_128], tu[LEN_UUID_128]; - UINT8 *ps, *pt; - - /* any of the UUID is unspecified */ - if (src.len == 0 || tar.len == 0) { - return TRUE; - } - - /* If both are 16-bit, we can do a simple compare */ - if (src.len == 2 && tar.len == 2) { - return src.uu.uuid16 == tar.uu.uuid16; - } - - /* One or both of the UUIDs is 128-bit */ - if (src.len == LEN_UUID_16) { - /* convert a 16 bits UUID to 128 bits value */ - bta_gatt_convert_uuid16_to_uuid128(su, src.uu.uuid16); - ps = su; - } else { - ps = src.uu.uuid128; - } - - if (tar.len == LEN_UUID_16) { - /* convert a 16 bits UUID to 128 bits value */ - bta_gatt_convert_uuid16_to_uuid128(tu, tar.uu.uuid16); - pt = tu; - } else { - pt = tar.uu.uuid128; - } - - return (memcmp(ps, pt, LEN_UUID_128) == 0); -} - - - #endif /* GATTS_INCLUDED */ diff --git a/components/bt/host/bluedroid/bta/gatt/include/bta_gattc_int.h b/components/bt/host/bluedroid/bta/gatt/include/bta_gattc_int.h index ac42de6973..e74b5759ee 100644 --- a/components/bt/host/bluedroid/bta/gatt/include/bta_gattc_int.h +++ b/components/bt/host/bluedroid/bta/gatt/include/bta_gattc_int.h @@ -383,6 +383,10 @@ typedef UINT16 tBTA_GATTC_CIF_MASK; typedef UINT32 tBTA_GATTC_CIF_MASK; #endif +/* Safe bit for client_if in cif_mask; avoids UB when client_if is 0 or > GATT_MAX_APPS */ +#define BTA_GATTC_CIF_MASK_BIT(cif) \ + ((tBTA_GATTC_CIF_MASK)(((cif) >= 1 && (cif) <= (unsigned)GATT_MAX_APPS) ? (1U << ((cif) - 1)) : 0U)) + typedef struct { BOOLEAN in_use; BD_ADDR remote_bda; @@ -456,7 +460,6 @@ extern void bta_gattc_process_enc_cmpl(tBTA_GATTC_CB *p_cb, tBTA_GATTC_DATA *p_m /* function within state machine */ extern void bta_gattc_open(tBTA_GATTC_CLCB *p_clcb, tBTA_GATTC_DATA *p_data); extern void bta_gattc_open_fail(tBTA_GATTC_CLCB *p_clcb, tBTA_GATTC_DATA *p_data); -extern void bta_gattc_open_error(tBTA_GATTC_CLCB *p_clcb, tBTA_GATTC_DATA *p_data); extern void bta_gattc_cancel_open(tBTA_GATTC_CLCB *p_clcb, tBTA_GATTC_DATA *p_data); extern void bta_gattc_cancel_open_ok(tBTA_GATTC_CLCB *p_clcb, tBTA_GATTC_DATA *p_data); @@ -542,7 +545,7 @@ extern void bta_gattc_get_service_with_uuid(UINT16 conn_id, tBT_UUID *svc_uuid, btgatt_db_element_t **svc_db, UINT16 *count); -extern void bta_gattc_get_db_with_opration(UINT16 conn_id, +extern void bta_gattc_get_db_with_operation(UINT16 conn_id, bt_gatt_get_db_op_t op, UINT16 char_handle, tBT_UUID *incl_uuid, diff --git a/components/bt/host/bluedroid/bta/gatt/include/bta_gatts_int.h b/components/bt/host/bluedroid/bta/gatt/include/bta_gatts_int.h index 854a28a208..8a5e4a7749 100644 --- a/components/bt/host/bluedroid/bta/gatt/include/bta_gatts_int.h +++ b/components/bt/host/bluedroid/bta/gatt/include/bta_gatts_int.h @@ -243,7 +243,6 @@ extern void bta_gatts_close (tBTA_GATTS_CB *p_cb, tBTA_GATTS_DATA *p_msg); extern void bta_gatts_send_service_change_indication (tBTA_GATTS_DATA *p_msg); extern void bta_gatts_show_local_database (void); -extern BOOLEAN bta_gatts_uuid_compare(tBT_UUID tar, tBT_UUID src); extern tBTA_GATTS_RCB *bta_gatts_find_app_rcb_by_app_if(tBTA_GATTS_IF server_if); extern UINT8 bta_gatts_find_app_rcb_idx_by_app_if(tBTA_GATTS_CB *p_cb, tBTA_GATTS_IF server_if); extern UINT8 bta_gatts_alloc_srvc_cb(tBTA_GATTS_CB *p_cb, UINT8 rcb_idx); diff --git a/components/bt/host/bluedroid/bta/include/bta/bta_api.h b/components/bt/host/bluedroid/bta/include/bta/bta_api.h index d8918fccff..d4567df224 100644 --- a/components/bt/host/bluedroid/bta/include/bta/bta_api.h +++ b/components/bt/host/bluedroid/bta/include/bta/bta_api.h @@ -444,8 +444,6 @@ typedef tBTM_CMPL_CB tBTA_CMPL_CB; typedef tBTM_VSC_CMPL tBTA_VSC_CMPL; -typedef tBTM_TX_POWER_RESULTS tBTA_TX_POWER_RESULTS; - typedef tBTM_RSSI_RESULTS tBTA_RSSI_RESULTS; typedef tBTM_BLE_CH_MAP_RESULTS tBTA_BLE_CH_MAP_RESULTS; @@ -1661,10 +1659,10 @@ extern tBTM_BLE_5_HCI_CBACK ble_5_hci_cb; #endif // #if (BLE_50_FEATURE_SUPPORT == TRUE) #if (BLE_FEAT_ISO_EN == TRUE) -#if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) #define BTA_BLE_ISO_BIG_CREATE_COMPLETE_EVT BTM_BLE_ISO_BIG_CREATE_COMPLETE_EVT #define BTA_BLE_ISO_BIG_TERMINATE_COMPLETE_EVT BTM_BLE_ISO_BIG_TERMINATE_COMPLETE_EVT -#endif // #if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#endif // #if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) #if (BLE_FEAT_ISO_BIG_SYNCER_EN == TRUE) #define BTA_BLE_ISO_BIG_SYNC_ESTABLISHED_EVT BTM_BLE_ISO_BIG_SYNC_ESTABLISHED_EVT #define BTA_BLE_ISO_BIG_SYNC_LOST_EVT BTM_BLE_ISO_BIG_SYNC_LOST_EVT @@ -3110,11 +3108,11 @@ extern void BTA_DmBleGapSetPeriodicAdvSyncTransParams(BD_ADDR peer_addr, tBTA_DM #endif // #if (BLE_FEAT_PERIODIC_ADV_SYNC_TRANSFER == TRUE) #if (BLE_FEAT_ISO_EN == TRUE) -#if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) extern void BTA_DmBleGapIsoBigCreate(tBTA_DM_BLE_BIG_CREATE_PARAMS *p_big_creat_param); extern void BTA_DmBleGapIsoBigCreateTest(tBTA_DM_BLE_BIG_CREATE_TEST_PARAMS *p_big_creat_test_param); extern void BTA_DmBleGapIsoBigTerminate(tBTA_DM_BLE_BIG_TERMINATE_PARAMS *p_big_terminate_param); -#endif// #if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#endif// #if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) #if (BLE_FEAT_ISO_BIG_SYNCER_EN == TRUE) extern void BTA_DmBleGapIsoBigSyncCreate(tBTA_DM_BLE_BIG_SYNC_CREATE_PARAMS *p_big_sync_param); extern void BTA_DmBleGapIsoBigSyncTerminate(tBTA_DM_BLE_BIG_SYNC_TERMINATE_PARAMS *p_big_sync_terminate_param); diff --git a/components/bt/host/bluedroid/bta/include/bta/bta_gatt_common.h b/components/bt/host/bluedroid/bta/include/bta/bta_gatt_common.h index 2d696729fe..0a42cc3116 100644 --- a/components/bt/host/bluedroid/bta/include/bta/bta_gatt_common.h +++ b/components/bt/host/bluedroid/bta/include/bta/bta_gatt_common.h @@ -10,6 +10,7 @@ * * ******************************************************************************/ +#pragma once #include "stack/bt_types.h" diff --git a/components/bt/host/bluedroid/btc/core/btc_ble_storage.c b/components/bt/host/bluedroid/btc/core/btc_ble_storage.c index aef3863111..2c7c87ef7a 100644 --- a/components/bt/host/bluedroid/btc/core/btc_ble_storage.c +++ b/components/bt/host/bluedroid/btc/core/btc_ble_storage.c @@ -1045,9 +1045,10 @@ bt_status_t btc_storage_set_gatt_cl_supp_feat(bt_bdaddr_t *remote_bd_addr, uint8 { int ret; bdstr_t bdstr; - + btc_config_lock(); bdaddr_to_string(remote_bd_addr, bdstr, sizeof(bdstr_t)); ret = btc_config_set_bin(bdstr, BTC_BLE_STORAGE_GATT_CL_SUPP_FEAT_STR, value, (size_t)len); + btc_config_unlock(); if (ret == false) { return BT_STATUS_FAIL; } diff --git a/components/bt/host/bluedroid/btc/core/btc_config.c b/components/bt/host/bluedroid/btc/core/btc_config.c index e2cce6da73..966c33b522 100644 --- a/components/bt/host/bluedroid/btc/core/btc_config.c +++ b/components/bt/host/bluedroid/btc/core/btc_config.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2015-2026 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -85,7 +85,11 @@ static void btc_key_value_to_string(uint8_t *key_value, char *value_str, int key bool btc_config_init(void) { - osi_mutex_new(&lock); + if (osi_mutex_new(&lock) != 0) { + BTC_TRACE_ERROR("%s unable to create lock.\n", __func__); + return false; + } + config = config_new(CONFIG_FILE_PATH); if (!config) { BTC_TRACE_WARNING("%s unable to load config file; starting unconfigured.\n", __func__); diff --git a/components/bt/host/bluedroid/btc/core/btc_storage.c b/components/bt/host/bluedroid/btc/core/btc_storage.c index bee44e18d3..9b197e3b06 100644 --- a/components/bt/host/bluedroid/btc/core/btc_storage.c +++ b/components/bt/host/bluedroid/btc/core/btc_storage.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2015-2026 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -42,23 +42,33 @@ bt_status_t btc_storage_add_bonded_device(bt_bdaddr_t *remote_bd_addr, /* device not in bond list and exceed the maximum number of bonded devices, delete the inactive bonded device */ if (btc_storage_get_num_all_bond_devices() >= BTM_SEC_MAX_BONDS && !btc_config_has_section(bdstr)) { const btc_config_section_iter_t *iter = btc_config_section_begin(); - const btc_config_section_iter_t *remove_iter = iter; - /* find the first device(the last node) */ + const btc_config_section_iter_t *remove_iter = NULL; + /* find the last bdaddr-formatted device section */ while (iter != btc_config_section_end()) { - remove_iter = iter; + const char *name = btc_config_section_name(iter); + if (name && string_is_bdaddr(name)) { + remove_iter = iter; + } iter = btc_config_section_next(iter); } - const char *remove_section = btc_config_section_name(remove_iter); - // delete device info - string_to_bdaddr(remove_section, &bd_addr); - BTA_DmRemoveDevice(bd_addr.address, BT_TRANSPORT_BR_EDR); - BTA_DmRemoveDevice(bd_addr.address, BT_TRANSPORT_LE); + if (remove_iter != NULL) { + const char *remove_section = btc_config_section_name(remove_iter); + if (string_to_bdaddr(remove_section, &bd_addr)) { + // delete device info + BTA_DmRemoveDevice(bd_addr.address, BT_TRANSPORT_BR_EDR); + BTA_DmRemoveDevice(bd_addr.address, BT_TRANSPORT_LE); - // delete config info - if (btc_config_remove_section(remove_section)) { - BTC_TRACE_WARNING("exceeded the maximum number of bonded devices, delete the first device info : %02x:%02x:%02x:%02x:%02x:%02x", - bd_addr.address[0], bd_addr.address[1], bd_addr.address[2], bd_addr.address[3], bd_addr.address[4], bd_addr.address[5]); + // delete config info + if (btc_config_remove_section(remove_section)) { + BTC_TRACE_WARNING("exceeded the maximum number of bonded devices, delete the first device info : %02x:%02x:%02x:%02x:%02x:%02x", + bd_addr.address[0], bd_addr.address[1], bd_addr.address[2], bd_addr.address[3], bd_addr.address[4], bd_addr.address[5]); + } + } else { + BTC_TRACE_ERROR("Failed to convert section name to bdaddr: %s", remove_section); + } + } else { + BTC_TRACE_WARNING("No bdaddr-formatted section found to remove"); } } diff --git a/components/bt/host/bluedroid/btc/profile/std/cte/btc_ble_cte.c b/components/bt/host/bluedroid/btc/profile/std/cte/btc_ble_cte.c index b4534bba98..546c3c71fe 100644 --- a/components/bt/host/bluedroid/btc/profile/std/cte/btc_ble_cte.c +++ b/components/bt/host/bluedroid/btc/profile/std/cte/btc_ble_cte.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2025 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2025-2026 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -159,6 +159,8 @@ void btc_ble_cte_arg_deep_copy(btc_msg_t *msg, void *p_dest, void *p_src) memcpy(dst->cte_trans_params.antenna_ids, src->cte_trans_params.antenna_ids, src->cte_trans_params.switching_pattern_len); } else { BTC_TRACE_ERROR("%s %d no mem\n",__func__, msg->act); + dst->cte_trans_params.switching_pattern_len = 0; + dst->cte_trans_params.antenna_ids = NULL; } } break; @@ -168,6 +170,8 @@ void btc_ble_cte_arg_deep_copy(btc_msg_t *msg, void *p_dest, void *p_src) if (dst->cte_iq_sampling_en.antenna_ids) { memcpy(dst->cte_iq_sampling_en.antenna_ids, src->cte_iq_sampling_en.antenna_ids, src->cte_iq_sampling_en.switching_pattern_len); } else { + dst->cte_iq_sampling_en.switching_pattern_len = 0; + dst->cte_iq_sampling_en.antenna_ids = NULL; BTC_TRACE_ERROR("%s %d no mem\n",__func__, msg->act); } } @@ -181,6 +185,8 @@ void btc_ble_cte_arg_deep_copy(btc_msg_t *msg, void *p_dest, void *p_src) if (dst->cte_recv_params.antenna_ids) { memcpy(dst->cte_recv_params.antenna_ids, src->cte_recv_params.antenna_ids, src->cte_recv_params.switching_pattern_len); } else { + dst->cte_recv_params.switching_pattern_len = 0; + dst->cte_recv_params.antenna_ids = NULL; BTC_TRACE_ERROR("%s %d no mem\n",__func__, msg->act); } } @@ -191,6 +197,8 @@ void btc_ble_cte_arg_deep_copy(btc_msg_t *msg, void *p_dest, void *p_src) if (dst->cte_conn_trans_params.antenna_ids) { memcpy(dst->cte_conn_trans_params.antenna_ids, src->cte_conn_trans_params.antenna_ids, src->cte_conn_trans_params.switching_pattern_len); } else { + dst->cte_conn_trans_params.switching_pattern_len = 0; + dst->cte_conn_trans_params.antenna_ids = NULL; BTC_TRACE_ERROR("%s %d no mem\n",__func__, msg->act); } } @@ -258,7 +266,11 @@ void btc_ble_cte_cb_deep_copy(btc_msg_t *msg, void *p_dest, void *p_src) memcpy(dst->connless_iq_rpt.i_sample, &(src->connless_iq_rpt.i_sample[0]), src->connless_iq_rpt.sample_count); } else { + dst->connless_iq_rpt.sample_count = 0; + dst->connless_iq_rpt.i_sample = NULL; + dst->connless_iq_rpt.q_sample = NULL; BTC_TRACE_ERROR("%s, i_sample malloc failed\n", __func__); + break; } dst->connless_iq_rpt.q_sample = osi_malloc(src->connless_iq_rpt.sample_count); if (dst->connless_iq_rpt.q_sample) { @@ -266,7 +278,14 @@ void btc_ble_cte_cb_deep_copy(btc_msg_t *msg, void *p_dest, void *p_src) src->connless_iq_rpt.sample_count); } else { BTC_TRACE_ERROR("%s, q_sample malloc failed\n", __func__); + osi_free(dst->connless_iq_rpt.i_sample); + dst->connless_iq_rpt.sample_count = 0; + dst->connless_iq_rpt.i_sample = NULL; + dst->connless_iq_rpt.q_sample = NULL; } + } else { + dst->connless_iq_rpt.i_sample = NULL; + dst->connless_iq_rpt.q_sample = NULL; } break; #endif // #if (BLE_FEAT_CTE_CONNECTIONLESS_EN == TRUE) @@ -278,15 +297,26 @@ void btc_ble_cte_cb_deep_copy(btc_msg_t *msg, void *p_dest, void *p_src) memcpy(dst->conn_iq_rpt.i_sample, src->conn_iq_rpt.i_sample, src->conn_iq_rpt.sample_count); } else { + dst->conn_iq_rpt.i_sample = NULL; + dst->conn_iq_rpt.q_sample = NULL; + dst->conn_iq_rpt.sample_count = 0; BTC_TRACE_ERROR("%s, i_sample malloc failed\n", __func__); + break; } dst->conn_iq_rpt.q_sample = osi_malloc(src->conn_iq_rpt.sample_count); if (dst->conn_iq_rpt.q_sample) { memcpy(dst->conn_iq_rpt.q_sample, src->conn_iq_rpt.q_sample, src->conn_iq_rpt.sample_count); } else { + osi_free(dst->conn_iq_rpt.i_sample); + dst->conn_iq_rpt.i_sample = NULL; + dst->conn_iq_rpt.q_sample = NULL; + dst->conn_iq_rpt.sample_count = 0; BTC_TRACE_ERROR("%s, q_sample malloc failed\n", __func__); } + } else { + dst->conn_iq_rpt.i_sample = NULL; + dst->conn_iq_rpt.q_sample = NULL; } break; #endif // #if (BLE_FEAT_CTE_CONNECTION_EN == TRUE) @@ -303,8 +333,8 @@ void btc_ble_cte_cb_deep_free(btc_msg_t *msg) #if (BLE_FEAT_CTE_CONNECTIONLESS_EN == TRUE) case ESP_BLE_CTE_CONNLESS_IQ_REPORT_EVT: { esp_ble_cte_cb_param_t *params = (esp_ble_cte_cb_param_t *)msg->arg; - uint8_t *i_sample = &(params->connless_iq_rpt.i_sample[0]); - uint8_t *q_sample = &(params->connless_iq_rpt.q_sample[0]); + uint8_t *i_sample = params->connless_iq_rpt.i_sample; + uint8_t *q_sample = params->connless_iq_rpt.q_sample; if (i_sample) { osi_free(i_sample); } diff --git a/components/bt/host/bluedroid/btc/profile/std/gap/btc_gap_ble.c b/components/bt/host/bluedroid/btc/profile/std/gap/btc_gap_ble.c index a606852bc6..de3c5e68f4 100644 --- a/components/bt/host/bluedroid/btc/profile/std/gap/btc_gap_ble.c +++ b/components/bt/host/bluedroid/btc/profile/std/gap/btc_gap_ble.c @@ -88,6 +88,10 @@ static void btc_gap_ble_get_dev_name_callback(UINT8 status, char *name) ret = btc_transfer_context(&msg, ¶m, sizeof(esp_ble_gap_cb_param_t), NULL, NULL); if (ret != BT_STATUS_SUCCESS) { + if (param.get_dev_name_cmpl.name) { + osi_free(param.get_dev_name_cmpl.name); + } + BTC_TRACE_ERROR("%s btc_transfer_context failed\n", __func__); } } @@ -213,6 +217,9 @@ static void btc_to_bta_adv_data(esp_ble_adv_data_t *p_adv_data, tBTA_BLE_ADV_DAT mask |= BTM_BLE_AD_BIT_MANU; bta_adv_data->p_manu->len = p_adv_data->manufacturer_len; memcpy(bta_adv_data->p_manu->p_val, p_adv_data->p_manufacturer_data, p_adv_data->manufacturer_len); + } else { + osi_free(bta_adv_data->p_manu); + bta_adv_data->p_manu = NULL; } } } @@ -246,6 +253,11 @@ static void btc_to_bta_adv_data(esp_ble_adv_data_t *p_adv_data, tBTA_BLE_ADV_DAT p_elem = p_prop->p_elem; if (NULL != p_elem) { memcpy(p_elem++, p_elem_service_data, sizeof(tBTA_BLE_PROP_ELEM)); + } else { + osi_free(p_elem_service_data->p_val); + osi_free(bta_adv_data->p_proprietary); + bta_adv_data->p_proprietary = NULL; + mask &= ~BTM_BLE_AD_BIT_PROPRIETARY; } } osi_free(p_elem_service_data); @@ -274,6 +286,10 @@ static void btc_to_bta_adv_data(esp_ble_adv_data_t *p_adv_data, tBTA_BLE_ADV_DAT mask |= BTM_BLE_AD_BIT_SERVICE; ++bta_adv_data->p_services->num_service; *p_uuid_out16++ = bt_uuid.uu.uuid16; + } else { + osi_free(bta_adv_data->p_services); + bta_adv_data->p_services = NULL; + BTC_TRACE_ERROR("%s - memory malloc failed", __FUNCTION__); } break; } @@ -2117,6 +2133,9 @@ void btc_gap_ble_arg_deep_copy(btc_msg_t *msg, void *p_dest, void *p_src) } else { BTC_TRACE_ERROR("%s %d no mem\n",__func__, msg->act); } + } else { + dst->periodic_adv_cfg_data.data = NULL; + dst->periodic_adv_cfg_data.len = 0; } break; } @@ -2205,6 +2224,7 @@ void btc_gap_ble_arg_deep_copy(btc_msg_t *msg, void *p_dest, void *p_src) case BTC_GAP_BLE_SET_PA_RSP_DATA: { btc_ble_5_gap_args_t *src = (btc_ble_5_gap_args_t *)p_src; btc_ble_5_gap_args_t *dst = (btc_ble_5_gap_args_t *)p_dest; + dst->per_adv_response_data_params.response_data = NULL; if (src->per_adv_response_data_params.response_data && src->per_adv_response_data_params.response_data_len) { dst->per_adv_response_data_params.response_data = osi_malloc(src->per_adv_response_data_params.response_data_len); if (dst->per_adv_response_data_params.response_data) { @@ -2218,6 +2238,7 @@ void btc_gap_ble_arg_deep_copy(btc_msg_t *msg, void *p_dest, void *p_src) case BTC_GAP_BLE_SET_PA_SYNC_SUBEVT: { btc_ble_5_gap_args_t *src = (btc_ble_5_gap_args_t *)p_src; btc_ble_5_gap_args_t *dst = (btc_ble_5_gap_args_t *)p_dest; + dst->per_sync_subevent_params.subevent = NULL; if (src->per_sync_subevent_params.subevent && src->per_sync_subevent_params.num_subevents_to_sync) { dst->per_sync_subevent_params.subevent = osi_malloc(src->per_sync_subevent_params.num_subevents_to_sync); if (dst->per_sync_subevent_params.subevent) { @@ -2301,9 +2322,9 @@ void btc_gap_ble_cb_deep_copy(btc_msg_t *msg, void *p_dest, void *p_src) break; #endif // (BT_BLE_FEAT_PAWR_EN == TRUE) #if (BT_BLE_FEAT_CHANNEL_SOUNDING == TRUE) - case BTA_BLE_GAP_CS_SUBEVENT_RESULT_EVT: + case ESP_GAP_BLE_CS_SUBEVENT_RESULT_EVT: if (src->cs_subevt_result.step_info) { - dst->cs_subevt_result.step_info = osi_malloc(src->cs_subevt_result.num_steps_reported * sizeof(esp_ble_cs_step_info)); + dst->cs_subevt_result.step_info = osi_calloc(src->cs_subevt_result.num_steps_reported * sizeof(esp_ble_cs_step_info)); if (dst->cs_subevt_result.step_info) { for (UINT8 i = 0; i < src->cs_subevt_result.num_steps_reported; i++) { @@ -2324,9 +2345,9 @@ void btc_gap_ble_cb_deep_copy(btc_msg_t *msg, void *p_dest, void *p_src) } } break; - case BTA_BLE_GAP_CS_SUBEVENT_RESULT_CONTINUE_EVT: + case ESP_GAP_BLE_CS_SUBEVENT_RESULT_CONTINUE_EVT: if (src->cs_subevt_result_continue.step_info) { - dst->cs_subevt_result_continue.step_info = osi_malloc(src->cs_subevt_result_continue.num_steps_reported * sizeof(esp_ble_cs_step_info)); + dst->cs_subevt_result_continue.step_info = osi_calloc(src->cs_subevt_result_continue.num_steps_reported * sizeof(esp_ble_cs_step_info)); if (dst->cs_subevt_result_continue.step_info) { for (UINT8 i = 0; i < src->cs_subevt_result_continue.num_steps_reported; i++) { @@ -2336,7 +2357,7 @@ void btc_gap_ble_cb_deep_copy(btc_msg_t *msg, void *p_dest, void *p_src) if (src->cs_subevt_result_continue.step_info[i].step_data_len) { dst->cs_subevt_result_continue.step_info[i].data = osi_malloc(src->cs_subevt_result_continue.step_info[i].step_data_len); if (dst->cs_subevt_result_continue.step_info[i].data) { - memcpy(dst->cs_subevt_result_continue.step_info[i].data, src->cs_subevt_result_continue.step_info[i].data, src->cs_subevt_result.step_info[i].step_data_len); + memcpy(dst->cs_subevt_result_continue.step_info[i].data, src->cs_subevt_result_continue.step_info[i].data, src->cs_subevt_result_continue.step_info[i].step_data_len); } else { BTC_TRACE_ERROR("%s, data, no enough memory.", __func__); } @@ -2545,7 +2566,7 @@ void btc_gap_ble_cb_deep_free(btc_msg_t *msg) break; #endif // (BT_BLE_FEAT_PAWR_EN == TRUE) #if (BT_BLE_FEAT_CHANNEL_SOUNDING == TRUE) - case BTA_BLE_GAP_CS_SUBEVENT_RESULT_EVT: + case ESP_GAP_BLE_CS_SUBEVENT_RESULT_EVT: { esp_ble_cs_step_info *step_info = ((esp_ble_gap_cb_param_t *)msg->arg)->cs_subevt_result.step_info; if (step_info) { @@ -2560,7 +2581,7 @@ void btc_gap_ble_cb_deep_free(btc_msg_t *msg) } } break; - case BTA_BLE_GAP_CS_SUBEVENT_RESULT_CONTINUE_EVT: + case ESP_GAP_BLE_CS_SUBEVENT_RESULT_CONTINUE_EVT: { esp_ble_cs_step_info *step_info = ((esp_ble_gap_cb_param_t *)msg->arg)->cs_subevt_result_continue.step_info; if (step_info) { @@ -2797,14 +2818,14 @@ void btc_gap_ble_call_handler(btc_msg_t *msg) } case BTC_GAP_BLE_PASSKEY_REPLY_EVT: { BD_ADDR bd_addr; - memcpy(bd_addr, arg->enc_passkey_replay.bd_addr, sizeof(BD_ADDR)); - BTA_DmBlePasskeyReply(bd_addr, arg->enc_passkey_replay.accept, arg->enc_passkey_replay.passkey); + memcpy(bd_addr, arg->enc_passkey_reply.bd_addr, sizeof(BD_ADDR)); + BTA_DmBlePasskeyReply(bd_addr, arg->enc_passkey_reply.accept, arg->enc_passkey_reply.passkey); break; } case BTC_GAP_BLE_CONFIRM_REPLY_EVT: { BD_ADDR bd_addr; - memcpy(bd_addr, arg->enc_comfirm_replay.bd_addr, sizeof(BD_ADDR)); - BTA_DmBleConfirmReply(bd_addr, arg->enc_comfirm_replay.accept); + memcpy(bd_addr, arg->enc_confirm_reply.bd_addr, sizeof(BD_ADDR)); + BTA_DmBleConfirmReply(bd_addr, arg->enc_confirm_reply.accept); break; } case BTC_GAP_BLE_REMOVE_BOND_DEV_EVT: { diff --git a/components/bt/host/bluedroid/btc/profile/std/gatt/btc_gatt_util.c b/components/bt/host/bluedroid/btc/profile/std/gatt/btc_gatt_util.c index 9d4d108bef..4d0a7b272f 100644 --- a/components/bt/host/bluedroid/btc/profile/std/gatt/btc_gatt_util.c +++ b/components/bt/host/bluedroid/btc/profile/std/gatt/btc_gatt_util.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2015-2026 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -27,6 +27,10 @@ int uuidType(unsigned char *p_uuid) int all_zero = 1; for (i = 0; i != 16; ++i) { + /* Check if bytes 12-13 are non-zero for all_zero detection */ + if (p_uuid[i] != 0) { + all_zero = 0; + } if (i == 12 || i == 13) { continue; } @@ -34,10 +38,6 @@ int uuidType(unsigned char *p_uuid) if (p_uuid[i] == BASE_UUID[i]) { ++match; } - - if (p_uuid[i] != 0) { - all_zero = 0; - } } if (all_zero) { return 0; diff --git a/components/bt/host/bluedroid/btc/profile/std/gatt/btc_gattc.c b/components/bt/host/bluedroid/btc/profile/std/gatt/btc_gattc.c index 9928a7ab2e..b0741c6b0f 100644 --- a/components/bt/host/bluedroid/btc/profile/std/gatt/btc_gattc.c +++ b/components/bt/host/bluedroid/btc/profile/std/gatt/btc_gattc.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2015-2026 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 @@ -40,6 +40,7 @@ void btc_gattc_arg_deep_copy(btc_msg_t *msg, void *p_dest, void *p_src) memcpy(dst->write_char.value, src->write_char.value, src->write_char.value_len); } else { BTC_TRACE_ERROR("%s %d no mem\n", __func__, msg->act); + dst->write_char.value_len = 0; } break; } @@ -49,6 +50,7 @@ void btc_gattc_arg_deep_copy(btc_msg_t *msg, void *p_dest, void *p_src) memcpy(dst->write_descr.value, src->write_descr.value, src->write_descr.value_len); } else { BTC_TRACE_ERROR("%s %d no mem\n", __func__, msg->act); + dst->write_descr.value_len = 0; } break; } @@ -58,6 +60,7 @@ void btc_gattc_arg_deep_copy(btc_msg_t *msg, void *p_dest, void *p_src) memcpy(dst->prep_write.value, src->prep_write.value, src->prep_write.value_len); } else { BTC_TRACE_ERROR("%s %d no mem\n", __func__, msg->act); + dst->prep_write.value_len = 0; } break; } @@ -67,6 +70,7 @@ void btc_gattc_arg_deep_copy(btc_msg_t *msg, void *p_dest, void *p_src) memcpy(dst->prep_write_descr.value, src->prep_write_descr.value, src->prep_write_descr.value_len); } else { BTC_TRACE_ERROR("%s %d no mem\n", __func__, msg->act); + dst->prep_write_descr.value_len = 0; } break; } @@ -332,6 +336,11 @@ esp_gatt_status_t btc_ble_gattc_get_service(uint16_t conn_id, esp_bt_uuid_t *svc tBT_UUID *bta_uuid = NULL; if (svc_uuid) { bta_uuid = osi_malloc(sizeof(tBT_UUID)); + if (bta_uuid == NULL) { + *count = 0; + return ESP_GATT_NO_RESOURCES; + } + btc_to_bta_uuid(bta_uuid, svc_uuid); } @@ -616,16 +625,16 @@ static void btc_gattc_read_char(btc_ble_gattc_args_t *arg) static void btc_gattc_read_multiple_char(btc_ble_gattc_args_t *arg) { tBTA_GATTC_MULTI bta_multi; - bta_multi.num_attr = arg->read_multiple.num_attr; - memcpy(bta_multi.handles, arg->read_multiple.handles, BTA_GATTC_MULTI_MAX); + bta_multi.num_attr = (arg->read_multiple.num_attr > BTA_GATTC_MULTI_MAX) ? BTA_GATTC_MULTI_MAX : arg->read_multiple.num_attr; + memcpy(bta_multi.handles, arg->read_multiple.handles, sizeof(uint16_t) * bta_multi.num_attr); BTA_GATTC_ReadMultiple(arg->read_multiple.conn_id, &bta_multi, arg->read_multiple.auth_req); } static void btc_gattc_read_multiple_variable_char(btc_ble_gattc_args_t *arg) { tBTA_GATTC_MULTI bta_multi; - bta_multi.num_attr = arg->read_multiple.num_attr; - memcpy(bta_multi.handles, arg->read_multiple.handles, BTA_GATTC_MULTI_MAX); + bta_multi.num_attr = (arg->read_multiple.num_attr > BTA_GATTC_MULTI_MAX) ? BTA_GATTC_MULTI_MAX : arg->read_multiple.num_attr; + memcpy(bta_multi.handles, arg->read_multiple.handles, sizeof(uint16_t) * bta_multi.num_attr); BTA_GATTC_ReadMultipleVariable(arg->read_multiple.conn_id, &bta_multi, arg->read_multiple.auth_req); } @@ -676,7 +685,11 @@ static void btc_gattc_prepare_write(btc_ble_gattc_args_t *arg) static void btc_gattc_prepare_write_char_descr(btc_ble_gattc_args_t *arg) { tBTA_GATT_UNFMT descr_val; - + /* + According to the Bluetooth Core Specification, a Prepare Write Request can have a zero-length value. + The underlying BTA layer function BTA_GATTC_PrepareWriteCharDescr is implemented to handle zero-length data correctly by skipping the memory copy + but still sending the message to the stack. + */ descr_val.len = arg->prep_write_descr.value_len; descr_val.p_value = arg->prep_write_descr.value; BTA_GATTC_PrepareWriteCharDescr(arg->prep_write_descr.conn_id, diff --git a/components/bt/host/bluedroid/btc/profile/std/gatt/btc_gatts.c b/components/bt/host/bluedroid/btc/profile/std/gatt/btc_gatts.c index e1b06cffba..893e29e173 100644 --- a/components/bt/host/bluedroid/btc/profile/std/gatt/btc_gatts.c +++ b/components/bt/host/bluedroid/btc/profile/std/gatt/btc_gatts.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2015-2026 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -74,9 +74,11 @@ void btc_gatts_arg_deep_copy(btc_msg_t *msg, void *p_dest, void *p_src) memcpy(dst->send_ind.value, src->send_ind.value, src->send_ind.value_len); } else { BTC_TRACE_ERROR("%s %d no mem\n", __func__, msg->act); + dst->send_ind.value_len = 0; } } else { dst->send_ind.value = NULL; + dst->send_ind.value_len = 0; if (src->send_ind.value) { BTC_TRACE_ERROR("%s %d, invalid length", __func__, msg->act); } @@ -103,9 +105,11 @@ void btc_gatts_arg_deep_copy(btc_msg_t *msg, void *p_dest, void *p_src) src->add_char.char_val.attr_len); } else { BTC_TRACE_ERROR("%s %d no mem\n", __func__, msg->act); + dst->add_char.char_val.attr_len = 0; } } else { dst->add_char.char_val.attr_value = NULL; + dst->add_char.char_val.attr_len = 0; if (src->add_char.char_val.attr_value) { BTC_TRACE_ERROR("%s %d, invalid length", __func__, msg->act); } @@ -120,9 +124,11 @@ void btc_gatts_arg_deep_copy(btc_msg_t *msg, void *p_dest, void *p_src) src->add_descr.descr_val.attr_len); } else { BTC_TRACE_ERROR("%s %d no mem\n", __func__, msg->act); + dst->add_descr.descr_val.attr_len = 0; } } else { dst->add_descr.descr_val.attr_value = NULL; + dst->add_descr.descr_val.attr_len = 0; if (src->add_descr.descr_val.attr_value) { BTC_TRACE_ERROR("%s %d, invalid length", __func__, msg->act); } @@ -138,8 +144,11 @@ void btc_gatts_arg_deep_copy(btc_msg_t *msg, void *p_dest, void *p_src) sizeof(esp_gatts_attr_db_t) * num_attr); } else { BTC_TRACE_ERROR("%s %d no mem\n",__func__, msg->act); + dst->create_attr_tab.max_nb_attr = 0; } } else { + dst->create_attr_tab.gatts_attr_db = NULL; + dst->create_attr_tab.max_nb_attr = 0; BTC_TRACE_ERROR("%s %d, NULL data", __func__, msg->act); } break; @@ -151,9 +160,11 @@ void btc_gatts_arg_deep_copy(btc_msg_t *msg, void *p_dest, void *p_src) memcpy(dst->set_attr_val.value, src->set_attr_val.value, src->set_attr_val.length); } else { BTC_TRACE_ERROR("%s %d no mem\n",__func__, msg->act); + dst->set_attr_val.length = 0; } } else { dst->set_attr_val.value = NULL; + dst->set_attr_val.length = 0; if (src->set_attr_val.value) { BTC_TRACE_ERROR("%s %d, invalid length", __func__, msg->act); } else { @@ -462,8 +473,8 @@ static esp_gatt_status_t btc_gatts_check_valid_attr_tab(esp_gatts_attr_db_t *gat break; } case ESP_GATT_UUID_CHAR_DECLARE: - if((gatts_attr_db[i].att_desc.value) == NULL) { - BTC_TRACE_ERROR("%s, Characteristic declaration should not be NULL.", __func__); + if((gatts_attr_db[i].att_desc.value) == NULL || ((i + 1) >= max_nb_attr)) { + BTC_TRACE_ERROR("%s, att_desc.value is NULL or (%d + 1) >= %d", __func__, i, max_nb_attr); return ESP_GATT_INVALID_PDU; } @@ -788,6 +799,10 @@ void btc_gatts_cb_handler(btc_msg_t *msg) param.read.conn_id = BTC_GATT_GET_CONN_ID(p_data->req_data.conn_id); param.read.trans_id = p_data->req_data.trans_id; memcpy(param.read.bda, p_data->req_data.remote_bda, ESP_BD_ADDR_LEN); + if (p_data->req_data.p_data == NULL) { + BTC_TRACE_ERROR("%s READ_EVT p_data NULL", __func__); + break; + } param.read.handle = p_data->req_data.p_data->read_req.handle; param.read.offset = p_data->req_data.p_data->read_req.offset; param.read.is_long = p_data->req_data.p_data->read_req.is_long; @@ -816,23 +831,26 @@ void btc_gatts_cb_handler(btc_msg_t *msg) break; } case BTA_GATTS_EXEC_WRITE_EVT: { + if (p_data->req_data.p_data == NULL) { + break; + } gatts_if = BTC_GATT_GET_GATT_IF(p_data->req_data.conn_id); param.exec_write.conn_id = BTC_GATT_GET_CONN_ID(p_data->req_data.conn_id); param.exec_write.trans_id = p_data->req_data.trans_id; memcpy(param.exec_write.bda, p_data->req_data.remote_bda, ESP_BD_ADDR_LEN); - if (p_data->req_data.p_data == NULL) { - break; - } param.exec_write.exec_write_flag = p_data->req_data.p_data->exec_write; btc_gatts_cb_to_app(ESP_GATTS_EXEC_WRITE_EVT, gatts_if, ¶m); break; } case BTA_GATTS_MTU_EVT: + if (p_data->req_data.p_data == NULL) { + BTC_TRACE_ERROR("%s MTU_EVT p_data NULL", __func__); + break; + } gatts_if = BTC_GATT_GET_GATT_IF(p_data->req_data.conn_id); param.mtu.conn_id = BTC_GATT_GET_CONN_ID(p_data->req_data.conn_id); param.mtu.mtu = p_data->req_data.p_data->mtu; - btc_gatts_cb_to_app(ESP_GATTS_MTU_EVT, gatts_if, ¶m); break; case BTA_GATTS_CONF_EVT: diff --git a/components/bt/host/bluedroid/btc/profile/std/include/btc_ble_cte.h b/components/bt/host/bluedroid/btc/profile/std/include/btc_ble_cte.h index 659bfb3199..161955ac77 100644 --- a/components/bt/host/bluedroid/btc/profile/std/include/btc_ble_cte.h +++ b/components/bt/host/bluedroid/btc/profile/std/include/btc_ble_cte.h @@ -76,12 +76,12 @@ typedef union { uint8_t req_cte_len; uint8_t req_cte_Type; } cte_req_en; -#endif // #if (BLE_FEAT_CTE_CONNECTION_EN == TRUE) struct cte_rsp_en_arg { uint16_t conn_handle; uint8_t enable; } cte_rsp_en; +#endif // #if (BLE_FEAT_CTE_CONNECTION_EN == TRUE) } btc_ble_cte_args_t; diff --git a/components/bt/host/bluedroid/btc/profile/std/include/btc_gap_ble.h b/components/bt/host/bluedroid/btc/profile/std/include/btc_gap_ble.h index a429751293..37bd4771b6 100644 --- a/components/bt/host/bluedroid/btc/profile/std/include/btc_gap_ble.h +++ b/components/bt/host/bluedroid/btc/profile/std/include/btc_gap_ble.h @@ -287,12 +287,12 @@ typedef union { esp_bd_addr_t bd_addr; bool accept; uint32_t passkey; - } enc_passkey_replay; + } enc_passkey_reply; //BTC_GAP_BLE_CONFIRM_REPLY_EVT struct enc_comfirm_reply_args { esp_bd_addr_t bd_addr; bool accept; - } enc_comfirm_replay; + } enc_confirm_reply; //BTC_GAP_BLE_OOB_DATA_REPLY_EVT struct oob_req_reply_args { esp_bd_addr_t bd_addr; @@ -513,12 +513,12 @@ typedef union { #if (BLE_FEAT_POWER_CONTROL_EN == TRUE) // BTC_GAP_BLE_ENH_READ_TRANS_POWER_LEVEL struct enh_read_trans_pwr_level_args { - uint8_t conn_handle; + uint16_t conn_handle; uint8_t phy; } enh_read_trans_pwr_level; // BTC_GAP_BLE_READ_REM_TRANS_POWER_LEVEL struct read_rem_trans_pwr_level_args { - uint8_t conn_handle; + uint16_t conn_handle; uint8_t phy; } read_rem_trans_pwr_level; // BTC_GAP_BLE_SET_PATH_LOSS_REPORT_PARAMS diff --git a/components/bt/host/bluedroid/btc/profile/std/include/btc_iso_ble.h b/components/bt/host/bluedroid/btc/profile/std/include/btc_iso_ble.h index 4e734b1202..6b51941c48 100644 --- a/components/bt/host/bluedroid/btc/profile/std/include/btc_iso_ble.h +++ b/components/bt/host/bluedroid/btc/profile/std/include/btc_iso_ble.h @@ -41,11 +41,11 @@ struct btc_iso_cis_hdls { }__attribute__((packed)); typedef enum { -#if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) BTC_ISO_ACT_BIG_CREATE, BTC_ISO_ACT_BIG_CREATE_TEST, BTC_ISO_ACT_BIG_TERMINATE, -#endif // #if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#endif // #if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) #if (BLE_FEAT_ISO_BIG_SYNCER_EN == TRUE) BTC_ISO_ACT_BIG_SYNC_CREATE, BTC_ISO_ACT_BIG_SYNC_TERMINATE, @@ -71,7 +71,7 @@ typedef enum { /* btc_ble_iso_args_t */ typedef union { -#if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) struct iso_big_create_args { uint8_t big_handle; uint8_t adv_handle; @@ -110,7 +110,7 @@ typedef union { uint8_t big_handle; uint8_t reason; } iso_big_terminate_params; -#endif // #if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#endif // #if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) #if (BLE_FEAT_ISO_BIG_SYNCER_EN == TRUE) struct iso_big_sync_creat_arg { diff --git a/components/bt/host/bluedroid/btc/profile/std/iso/btc_iso_ble.c b/components/bt/host/bluedroid/btc/profile/std/iso/btc_iso_ble.c index 2f0381501b..ec25805cff 100644 --- a/components/bt/host/bluedroid/btc/profile/std/iso/btc_iso_ble.c +++ b/components/bt/host/bluedroid/btc/profile/std/iso/btc_iso_ble.c @@ -34,7 +34,7 @@ static void btc_ble_iso_callback(tBTM_BLE_ISO_EVENT event, msg.pid = BTC_PID_ISO_BLE; switch(event) { -#if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) case BTA_BLE_ISO_BIG_CREATE_COMPLETE_EVT: msg.act = ESP_BLE_ISO_BIG_CREATE_CMPL_EVT; param.create_big_cmpl.status = btc_btm_status_to_esp_status(params->btm_big_cmpl.status); @@ -60,7 +60,7 @@ static void btc_ble_iso_callback(tBTM_BLE_ISO_EVENT event, param.term_big_cmpl.big_handle = params->btm_big_term.big_handle; param.term_big_cmpl.reason = params->btm_big_term.reason; break; -#endif // #if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#endif // #if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) #if (BLE_FEAT_ISO_BIG_SYNCER_EN == TRUE) case BTA_BLE_ISO_BIG_SYNC_ESTABLISHED_EVT: msg.act = ESP_BLE_ISO_BIG_SYNC_ESTABLISHED_EVT; @@ -244,6 +244,7 @@ void btc_iso_ble_arg_deep_copy(btc_msg_t *msg, void *p_dest, void *p_src) memcpy(dst->iso_set_data_path_params.codec_cfg, src->iso_set_data_path_params.codec_cfg, src->iso_set_data_path_params.codec_cfg_len); } else { BTC_TRACE_ERROR("%s %d no mem\n",__func__, msg->act); + dst->iso_set_data_path_params.codec_cfg_len = 0; } } break; @@ -300,7 +301,7 @@ void btc_iso_ble_call_handler(btc_msg_t *msg) BTC_TRACE_DEBUG("%s act %d", __func__, msg->act); switch (msg->act) { -#if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) case BTC_ISO_ACT_BIG_CREATE: BTA_DmBleGapIsoBigCreate((tBTA_DM_BLE_BIG_CREATE_PARAMS *)&arg->iso_big_creat_params); break; @@ -310,7 +311,7 @@ void btc_iso_ble_call_handler(btc_msg_t *msg) case BTC_ISO_ACT_BIG_TERMINATE: BTA_DmBleGapIsoBigTerminate((tBTA_DM_BLE_BIG_TERMINATE_PARAMS *)&arg->iso_big_terminate_params); break; -#endif // #if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#endif // #if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) #if (BLE_FEAT_ISO_BIG_SYNCER_EN == TRUE) case BTC_ISO_ACT_BIG_SYNC_CREATE: BTA_DmBleGapIsoBigSyncCreate((tBTA_DM_BLE_BIG_SYNC_CREATE_PARAMS *)&arg->iso_big_sync_creat_params); @@ -329,6 +330,7 @@ void btc_iso_ble_call_handler(btc_msg_t *msg) BTA_DmBleGapIsoReadTxSync(arg->iso_read_tx_sync_params.iso_handle); break; case BTC_ISO_ACT_READ_ISO_LINK_QUALITY: + BTA_DmBleGapIsoReadLinkQuality(arg->iso_read_link_quality_params.iso_handle); break; #if (BLE_FEAT_ISO_CIG_CENTRAL_EN == TRUE) case BTC_ISO_ACT_SET_CIG_PARAMS: { diff --git a/components/bt/host/bluedroid/common/include/common/bluedroid_user_config.h b/components/bt/host/bluedroid/common/include/common/bluedroid_user_config.h index d82ec6b547..ca66639b36 100644 --- a/components/bt/host/bluedroid/common/include/common/bluedroid_user_config.h +++ b/components/bt/host/bluedroid/common/include/common/bluedroid_user_config.h @@ -303,9 +303,9 @@ #endif #ifdef CONFIG_BT_BLE_FEAT_ISO_BIG_BROCASTER -#define UC_BT_BLE_FEAT_ISO_BIG_BROCASTER CONFIG_BT_BLE_FEAT_ISO_BIG_BROCASTER +#define UC_BT_BLE_FEAT_ISO_BIG_BROADCASTER CONFIG_BT_BLE_FEAT_ISO_BIG_BROCASTER #else -#define UC_BT_BLE_FEAT_ISO_BIG_BROCASTER FALSE +#define UC_BT_BLE_FEAT_ISO_BIG_BROADCASTER FALSE #endif #ifdef CONFIG_BT_BLE_FEAT_ISO_CIG_CENTRAL diff --git a/components/bt/host/bluedroid/common/include/common/bt_target.h b/components/bt/host/bluedroid/common/include/common/bt_target.h index 2766a27fa9..df0cdbc1ba 100644 --- a/components/bt/host/bluedroid/common/include/common/bt_target.h +++ b/components/bt/host/bluedroid/common/include/common/bt_target.h @@ -337,10 +337,10 @@ #define BLE_FEAT_ISO_60_EN FALSE #endif -#if (UC_BT_BLE_FEAT_ISO_BIG_BROCASTER == TRUE) -#define BLE_FEAT_ISO_BIG_BROCASTER_EN TRUE +#if (UC_BT_BLE_FEAT_ISO_BIG_BROADCASTER == TRUE) +#define BLE_FEAT_ISO_BIG_BROADCASTER_EN TRUE #else -#define BLE_FEAT_ISO_BIG_BROCASTER_EN FALSE +#define BLE_FEAT_ISO_BIG_BROADCASTER_EN FALSE #endif #if (UC_BT_BLE_FEAT_ISO_BIG_SYNCER == TRUE) diff --git a/components/bt/host/bluedroid/hci/ble_hci_iso.c b/components/bt/host/bluedroid/hci/ble_hci_iso.c index 6a61836ef2..92db66d311 100644 --- a/components/bt/host/bluedroid/hci/ble_hci_iso.c +++ b/components/bt/host/bluedroid/hci/ble_hci_iso.c @@ -79,33 +79,6 @@ ble_hci_set_iso_buf_sz(uint16_t pktlen, uint8_t max_pkts) return 0; } -void -ble_hci_get_iso_buf_size(uint16_t *pktlen, uint8_t *max_pkts) -{ - assert(pktlen && max_pkts); - - *pktlen = ble_hs_iso_buf_sz; - *max_pkts = ble_hs_iso_max_pkts; -} - -#if (BLE_ISO_STD_FLOW_CTRL == TRUE) -void -ble_hci_add_iso_avail_pkts(uint16_t delta) -{ - osi_mutex_global_lock(); - - if (ble_hs_iso_avail_pkts + delta > ble_hs_iso_max_pkts) { - HCI_TRACE_ERROR("ISO_HS_RESET %u %u %u\n", ble_hs_iso_avail_pkts, delta, ble_hs_iso_max_pkts); - // ble_hs_sched_reset(BLE_HS_ECONTROLLER); - assert(0); - } else { - ble_hs_iso_avail_pkts += delta; - } - - osi_mutex_global_unlock(); -} -#endif /* (BLE_ISO_STD_FLOW_CTRL) */ - #define BLE_ARRAY_SIZE(x) (sizeof(x)/sizeof((x)[0])) struct ble_hci_iso_conn * @@ -156,39 +129,6 @@ ble_hci_iso_alloc_conn(uint16_t conn_handle) return NULL; } -#if (BLE_ISO_STD_FLOW_CTRL == TRUE) -static uint8_t -ble_hci_iso_buf_needed(struct ble_hs_iso_conn *conn) -{ - uint16_t sdu_offset; - uint16_t dl_len; - uint8_t dlh_len; - uint8_t count; - - dlh_len = (conn->ts_flag ? BLE_HCI_ISO_DATA_LOAD_TS_SZ : 0) + BLE_HCI_ISO_DATA_LOAD_HDR_SZ; - sdu_offset = 0; - count = 1; /* 1 extra since framed pdu may be used */ - - while (1) { - dl_len = min(dlh_len + conn->sdu_len - sdu_offset, ble_hs_iso_buf_sz); - - count += 1; - - sdu_offset += dl_len - dlh_len; - assert(sdu_offset <= conn->sdu_len); - - if (sdu_offset == conn->sdu_len) { - break; - } - - /* No data load header for continuation/last segment */ - dlh_len = 0; - } - - return count; -} -#endif /* (BLE_ISO_STD_FLOW_CTRL) */ - static void ble_hci_iso_hdr_append(struct ble_hci_iso_conn *conn, uint8_t *frag, diff --git a/components/bt/host/bluedroid/hci/hci_hal_h4.c b/components/bt/host/bluedroid/hci/hci_hal_h4.c index 53316950b7..b4b3ec17d6 100644 --- a/components/bt/host/bluedroid/hci/hci_hal_h4.c +++ b/components/bt/host/bluedroid/hci/hci_hal_h4.c @@ -357,7 +357,8 @@ int hci_adv_credits_prep_to_release(uint16_t num) osi_mutex_lock(&hci_hal_env.adv_flow_lock, OSI_MUTEX_MAX_TIMEOUT); int credits_to_release = hci_hal_env.adv_credits_to_release + num; - assert(hci_hal_env.adv_credits_to_release <= BLE_ADV_REPORT_FLOW_CONTROL_NUM); + assert(num <= BLE_ADV_REPORT_FLOW_CONTROL_NUM); + assert(credits_to_release >= 0 && credits_to_release <= BLE_ADV_REPORT_FLOW_CONTROL_NUM); hci_hal_env.adv_credits_to_release = credits_to_release; osi_mutex_unlock(&hci_hal_env.adv_flow_lock); diff --git a/components/bt/host/bluedroid/hci/include/hci/ble_hci_iso.h b/components/bt/host/bluedroid/hci/include/hci/ble_hci_iso.h index 9b28967796..4394363ead 100644 --- a/components/bt/host/bluedroid/hci/include/hci/ble_hci_iso.h +++ b/components/bt/host/bluedroid/hci/include/hci/ble_hci_iso.h @@ -69,10 +69,6 @@ struct ble_hci_iso_conn { int ble_hci_set_iso_buf_sz(uint16_t pktlen, uint8_t max_pkts); -void ble_hci_get_iso_buf_size(uint16_t *pktlen, uint8_t *max_pkts); - -void ble_hci_add_iso_avail_pkts(uint16_t delta); - struct ble_hci_iso_conn *ble_hci_iso_conn_find(uint16_t conn_handle); int esp_ble_hci_iso_tx(uint16_t conn_handle, const uint8_t *sdu, uint16_t sdu_len, diff --git a/components/bt/host/bluedroid/stack/btm/btm_acl.c b/components/bt/host/bluedroid/stack/btm/btm_acl.c index a5aed0a91b..e0d07d440d 100644 --- a/components/bt/host/bluedroid/stack/btm/btm_acl.c +++ b/components/bt/host/bluedroid/stack/btm/btm_acl.c @@ -271,8 +271,12 @@ void btm_acl_created (BD_ADDR bda, DEV_CLASS dc, UINT8 bdn[BTM_MAX_REM_BD_NAME_L } else { p = (tACL_CONN *)osi_malloc(sizeof(tACL_CONN)); - if (p && list_append(btm_cb.p_acl_db_list, p)) { - memset(p, 0, sizeof(tACL_CONN)); + if (p && !list_append(btm_cb.p_acl_db_list, p)) { + osi_free(p); + return; + } + if (p) { + memset(p, 0, sizeof(tACL_CONN)); p->in_use = TRUE; p->hci_handle = hci_handle; p->link_role = link_role; @@ -2308,7 +2312,7 @@ void btm_read_channel_map_complete(UINT8 *p) void btm_read_rssi_complete (UINT8 *p, UINT16 evt_len) { tBTM_CMPL_CB *p_cb = btm_cb.devcb.p_rssi_cmpl_cb; - tBTM_RSSI_RESULTS results; + tBTM_RSSI_RESULTS results = {0}; UINT16 handle; tACL_CONN *p_acl_cb = NULL; BTM_TRACE_DEBUG ("btm_read_rssi_complete\n"); @@ -2340,10 +2344,12 @@ void btm_read_rssi_complete (UINT8 *p, UINT16 evt_len) results.rssi, results.hci_status); /* Search through the list of active channels for the correct BD Addr */ - p_acl_cb = btm_handle_to_acl(handle); - if (p_acl_cb) { + p_acl_cb = btm_handle_to_acl(handle); + if (p_acl_cb) { memcpy (results.rem_bda, p_acl_cb->remote_addr, BD_ADDR_LEN); - } + } else { + results.status = BTM_UNKNOWN_ADDR; + } } else { results.status = BTM_ERR_PROCESSING; } diff --git a/components/bt/host/bluedroid/stack/btm/btm_ble.c b/components/bt/host/bluedroid/stack/btm/btm_ble.c index 60601893da..7ea143e756 100644 --- a/components/bt/host/bluedroid/stack/btm/btm_ble.c +++ b/components/bt/host/bluedroid/stack/btm/btm_ble.c @@ -407,8 +407,9 @@ void BTM_BlePasskeyReply (BD_ADDR bd_addr, UINT8 res, UINT32 passkey) BTM_TRACE_ERROR("Passkey reply to Unknown device"); return; } - - p_dev_rec->sec_flags |= BTM_SEC_LE_AUTHENTICATED; + if (res_smp == SMP_SUCCESS) { + p_dev_rec->sec_flags |= BTM_SEC_LE_AUTHENTICATED; + } BTM_TRACE_DEBUG ("BTM_BlePasskeyReply"); SMP_PasskeyReply(bd_addr, res_smp, passkey); #endif @@ -487,8 +488,9 @@ void BTM_BleOobDataReply(BD_ADDR bd_addr, UINT8 res, UINT8 len, UINT8 *p_data) BTM_TRACE_ERROR("BTM_BleOobDataReply() to Unknown device"); return; } - - p_dev_rec->sec_flags |= BTM_SEC_LE_AUTHENTICATED; + if (res_smp == SMP_SUCCESS) { + p_dev_rec->sec_flags |= BTM_SEC_LE_AUTHENTICATED; + } SMP_OobDataReply(bd_addr, res_smp, len, p_data); #endif } @@ -1431,6 +1433,7 @@ void btm_ble_link_sec_check(BD_ADDR bd_addr, tBTM_LE_AUTH_REQ auth_req, tBTM_BLE if (p_dev_rec == NULL) { BTM_TRACE_ERROR ("btm_ble_link_sec_check received for unknown device"); + *p_sec_req_act = BTM_BLE_SEC_REQ_ACT_NONE; return; } diff --git a/components/bt/host/bluedroid/stack/btm/btm_ble_5_gap.c b/components/bt/host/bluedroid/stack/btm/btm_ble_5_gap.c index 46f0eadbeb..3ecfe99c69 100644 --- a/components/bt/host/bluedroid/stack/btm/btm_ble_5_gap.c +++ b/components/bt/host/bluedroid/stack/btm/btm_ble_5_gap.c @@ -16,7 +16,9 @@ tBTM_BLE_EXTENDED_CB extend_adv_cb; tBTM_BLE_5_HCI_CBACK ble_5_hci_cb; -#define INVALID_VALUE 0XFF +#define INVALID_VALUE_8BIT 0XFF +#define INVALID_VALUE_16BIT 0XFFFF +#define INVALID_VALUE_32BIT 0XFFFFFFFF extern BOOLEAN BTM_GetLocalResolvablePrivateAddr(BD_ADDR bda); extern void BTM_UpdateAddrInfor(uint8_t addr_type, BD_ADDR bda); @@ -529,13 +531,21 @@ tBTM_STATUS BTM_BleStartExtAdv(BOOLEAN enable, UINT8 num, tBTM_BLE_EXT_ADV *ext_ UINT8 *max_events = NULL; // when enable = true, ext_adv = NULL or num = 0, goto end - if ((!ext_adv || num == 0) && enable) { + if (num > MAX_BLE_ADV_INSTANCE || (num > 0 && !ext_adv) || (enable && num == 0)) { status = BTM_ILLEGAL_VALUE; BTM_TRACE_ERROR("%s invalid parameters", __func__); goto end; } if (num != 0 && ext_adv != NULL) { + for (int i = 0; i < num; i++) { + if (ext_adv[i].instance >= MAX_BLE_ADV_INSTANCE) { + status = BTM_ILLEGAL_VALUE; + BTM_TRACE_ERROR("%s instance ID %d out of range", __func__, ext_adv[i].instance); + goto end; + } + } + instance = osi_malloc(num); duration = osi_malloc(num*sizeof(UINT16)); max_events = osi_malloc(num*sizeof(UINT8)); @@ -583,9 +593,9 @@ end: { adv_record[i].invalid = false; adv_record[i].enabled = false; - adv_record[i].instance = INVALID_VALUE; - adv_record[i].duration = INVALID_VALUE; - adv_record[i].max_events = INVALID_VALUE; + adv_record[i].instance = INVALID_VALUE_8BIT; + adv_record[i].duration = INVALID_VALUE_32BIT; + adv_record[i].max_events = INVALID_VALUE_32BIT; adv_record[i].retry_count = 0; } } else { @@ -594,9 +604,9 @@ end: uint8_t index = ext_adv[i].instance; adv_record[index].invalid = false; adv_record[index].enabled = false; - adv_record[index].instance = INVALID_VALUE; - adv_record[index].duration = INVALID_VALUE; - adv_record[index].max_events = INVALID_VALUE; + adv_record[index].instance = INVALID_VALUE_8BIT; + adv_record[index].duration = INVALID_VALUE_32BIT; + adv_record[index].max_events = INVALID_VALUE_32BIT; adv_record[index].retry_count = 0; } } @@ -616,9 +626,12 @@ end: } cb_params.adv_start.status = status; + num = (num > MAX_BLE_ADV_INSTANCE) ? MAX_BLE_ADV_INSTANCE : num; cb_params.adv_start.instance_num = num; - for (uint8_t i = 0; i < num; i++) { - cb_params.adv_start.instance[i] = ext_adv[i].instance; + if (ext_adv) { + for (uint8_t i = 0; i < num; i++) { + cb_params.adv_start.instance[i] = ext_adv[i].instance; + } } BTM_ExtBleCallbackTrigger(enable ? BTM_BLE_5_GAP_EXT_ADV_START_COMPLETE_EVT : BTM_BLE_5_GAP_EXT_ADV_STOP_COMPLETE_EVT, &cb_params); @@ -626,10 +639,10 @@ end: return status; } -tBTM_STATUS BTM_BleStartExtAdvRestart(uint8_t con_handle) +tBTM_STATUS BTM_BleStartExtAdvRestart(uint16_t con_handle) { tBTM_BLE_EXT_ADV ext_adv; - uint8_t index = INVALID_VALUE; + uint8_t index = INVALID_VALUE_8BIT; for (uint8_t i = 0; i < MAX_BLE_ADV_INSTANCE; i++) { if(adv_record[i].ter_con_handle == con_handle) { @@ -798,7 +811,7 @@ tBTM_STATUS BTM_BlePeriodicAdvCfgDataRaw(UINT8 instance, UINT16 len, UINT8 *data } } - if ((err = btsnd_hcic_ble_set_periodic_adv_data(instance, operation, send_data_len, &data[data_offset])) != HCI_SUCCESS) { + if ((err = btsnd_hcic_ble_set_periodic_adv_data(instance, operation, send_data_len, (data == NULL)? NULL : &data[data_offset])) != HCI_SUCCESS) { BTM_TRACE_ERROR("LE PA SetData: cmd err=0x%x", err); status = BTM_HCI_ERROR | err; break; @@ -900,7 +913,7 @@ tBTM_STATUS BTM_BlePeriodicAdvCreateSync(tBTM_BLE_Periodic_Sync_Params *params) sync_retry_cb.in_use = true; #endif // #if (BLE_FEAT_CREATE_SYNC_RETRY_MAX > 0) if (!btsnd_hcic_ble_periodic_adv_create_sync(option, params->sid, params->addr_type, - params->addr, params->sync_timeout, params->sync_cte_type)) { + params->addr, params->skip, params->sync_timeout, params->sync_cte_type)) { BTM_TRACE_ERROR("LE PA CreateSync cmd failed"); status = BTM_ILLEGAL_VALUE; #if (BLE_FEAT_CREATE_SYNC_RETRY_MAX > 0) @@ -1310,7 +1323,7 @@ void btm_ble_adv_set_terminated_evt(tBTM_BLE_ADV_TERMINAT *params) if(params->status == 0x00) { adv_record[params->adv_handle].ter_con_handle = params->conn_handle; } else { - adv_record[params->adv_handle].ter_con_handle = INVALID_VALUE; + adv_record[params->adv_handle].ter_con_handle = INVALID_VALUE_16BIT; adv_record[params->adv_handle].invalid = false; } adv_record[params->adv_handle].enabled = false; @@ -1454,6 +1467,7 @@ void btm_ble_periodic_adv_sync_establish_evt(tBTM_BLE_PERIOD_ADV_SYNC_ESTAB *par sync_retry_cb.params.sid, sync_retry_cb.params.addr_type, sync_retry_cb.params.addr, + sync_retry_cb.params.skip, sync_retry_cb.params.sync_timeout, sync_retry_cb.params.sync_cte_type)) { /* Retry command sent successfully, wait for next event */ @@ -1991,6 +2005,7 @@ void btm_ble_cs_security_enable_cmd_status(UINT8 status) tBTM_BLE_CS_SEC_ENABLE_CMPL_EVT cs_security_enable = {0}; if (status != HCI_SUCCESS) { cs_security_enable.status = (status | BTM_HCI_ERROR); + cs_security_enable.conn_handle = 0xFFFF; // Invalid handle BTM_ExtBleCallbackTrigger(BTM_BLE_GAP_CS_SECURITY_ENABLE_CMPL_EVT, (tBTM_BLE_5_GAP_CB_PARAMS *)&cs_security_enable); } } diff --git a/components/bt/host/bluedroid/stack/btm/btm_ble_addr.c b/components/bt/host/bluedroid/stack/btm/btm_ble_addr.c index cb29e93c4c..7d8c3b0b93 100644 --- a/components/bt/host/bluedroid/stack/btm/btm_ble_addr.c +++ b/components/bt/host/bluedroid/stack/btm/btm_ble_addr.c @@ -221,7 +221,7 @@ static void btm_ble_resolve_address_cmpl(void) { tBTM_LE_RANDOM_CB *p_mgnt_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb; - BTM_TRACE_EVENT ("btm_ble_resolve_address_cmpl p_mgnt_cb->p_dev_rec = 0x%08x", (uint32_t)p_mgnt_cb->p_dev_rec); + BTM_TRACE_EVENT ("btm_ble_resolve_address_cmpl p_mgnt_cb->p_dev_rec = 0x%08x", p_mgnt_cb->p_dev_rec ? (uint32_t)p_mgnt_cb->p_dev_rec : 0); p_mgnt_cb->busy = FALSE; @@ -405,7 +405,9 @@ void btm_ble_resolve_random_addr(BD_ADDR random_bda, tBTM_BLE_RESOLVE_CBACK *p_c p_dev_rec = list_node(p_node); p_mgnt_cb->p_dev_rec = p_dev_rec; if (btm_ble_match_random_bda(p_dev_rec)) { - break; + // if matched, btm_ble_match_random_bda->btm_ble_proc_resolve_x->btm_ble_resolve_address_cmpl + p_mgnt_cb->p_dev_rec = NULL; + return; } p_mgnt_cb->p_dev_rec = NULL; } diff --git a/components/bt/host/bluedroid/stack/btm/btm_ble_gap.c b/components/bt/host/bluedroid/stack/btm/btm_ble_gap.c index 831dbf7c0a..90461db35c 100644 --- a/components/bt/host/bluedroid/stack/btm/btm_ble_gap.c +++ b/components/bt/host/bluedroid/stack/btm/btm_ble_gap.c @@ -917,7 +917,7 @@ static void btm_ble_resolve_random_addr_on_adv(void *p_rec, void *p) tBTM_SEC_DEV_REC *match_rec = (tBTM_SEC_DEV_REC *) p_rec; UINT8 addr_type = BLE_ADDR_RANDOM; BD_ADDR bda; - UINT8 *pp = (UINT8 *)p + 1; + UINT8 *pp = (UINT8 *)p; UINT8 evt_type; BTM_TRACE_EVENT ("btm_ble_resolve_random_addr_on_adv "); @@ -937,6 +937,7 @@ static void btm_ble_resolve_random_addr_on_adv(void *p_rec, void *p) // Assign the original address to be the current report address memcpy(bda, match_rec->ble.pseudo_addr, BD_ADDR_LEN); } + addr_type = match_rec->ble.ble_addr_type; } btm_ble_process_adv_pkt_cont(bda, addr_type, evt_type, pp); @@ -1112,7 +1113,6 @@ static UINT8 btm_set_conn_mode_adv_init_addr(tBTM_BLE_INQ_CB *p_cb, { UINT8 evt_type; #if BLE_PRIVACY_SPT == TRUE - UINT8 i = BTM_SEC_MAX_DEVICE_RECORDS; tBTM_SEC_DEV_REC *p_dev_rec; list_node_t *p_node = NULL; #endif ///BLE_PRIVACY_SPT == TRUE @@ -1165,14 +1165,12 @@ static UINT8 btm_set_conn_mode_adv_init_addr(tBTM_BLE_INQ_CB *p_cb, memcpy(p_peer_addr_ptr, p_dev_rec->ble.static_addr, BD_ADDR_LEN); *p_peer_addr_type = p_dev_rec->ble.static_addr_type; break; - } - } + } + } - if (i != BTM_SEC_MAX_DEVICE_RECORDS) { + if (p_node) { *p_own_addr_type = BLE_ADDR_RANDOM_ID; - } else - /* resolving list is empty, not enabled */ - { + } else { *p_own_addr_type = BLE_ADDR_RANDOM; } } @@ -3125,6 +3123,10 @@ void btm_ble_process_adv_pkt (UINT8 *p_data) STREAM_TO_UINT8(num_reports, p); while (num_reports--) { +#if (defined BLE_PRIVACY_SPT && BLE_PRIVACY_SPT == TRUE) + /* Save current report start position for address resolution callback */ + UINT8 *pp = p; +#endif /* Extract inquiry results */ STREAM_TO_UINT8 (evt_type, p); STREAM_TO_UINT8 (addr_type, p); @@ -3145,7 +3147,7 @@ void btm_ble_process_adv_pkt (UINT8 *p_data) // bda[0],bda[1],bda[2],bda[3],bda[4],bda[5]); /* always do RRA resolution on host */ if (!match && BTM_BLE_IS_RESOLVE_BDA(bda)) { - btm_ble_resolve_random_addr(bda, btm_ble_resolve_random_addr_on_adv, p_data); + btm_ble_resolve_random_addr(bda, btm_ble_resolve_random_addr_on_adv, pp); } else #endif btm_ble_process_adv_pkt_cont(bda, addr_type, evt_type, p); @@ -3539,6 +3541,7 @@ tBTM_STATUS btm_ble_start_adv(void) //btm_ble_enable_resolving_list_for_platform(BTM_BLE_RL_ADV); } #endif + UINT8 wl_state = btm_cb.ble_ctr_cb.wl_state; if (p_cb->afp != AP_SCAN_CONN_ALL) { //find the device in the btm dev buffer and write it to the controller white list btm_execute_wl_dev_operation(); @@ -3558,17 +3561,19 @@ tBTM_STATUS btm_ble_start_adv(void) rt = adv_enable_status; BTM_TRACE_EVENT ("BTM_SUCCESS\n"); } else { - p_cb->adv_mode = BTM_BLE_ADV_DISABLE; + rt = BTM_NO_RESOURCES; + // reinit adv_enable_status + // There is no suitable value, temporarily changed to 0xff + adv_enable_status = 0xff; + } + + if(adv_enable_status != HCI_SUCCESS) { p_cb->state = temp_state; p_cb->adv_mode = adv_mode; #if (BLE_TOPOLOGY_CHECK == TRUE) btm_ble_adv_states_operation(btm_ble_clear_topology_mask, p_cb->evt_type); #endif // (BLE_TOPOLOGY_CHECK == TRUE) - btm_cb.ble_ctr_cb.wl_state &= ~BTM_BLE_WL_ADV; - } - - if(adv_enable_status != HCI_SUCCESS) { - p_cb->adv_mode = adv_mode; + btm_cb.ble_ctr_cb.wl_state = wl_state; } osi_mutex_unlock(&adv_enable_lock); return rt; @@ -3609,6 +3614,12 @@ tBTM_STATUS btm_ble_stop_adv(void) osi_sem_take(&adv_enable_sem, OSI_SEM_MAX_TIMEOUT); rt = adv_enable_status; } else { + rt = BTM_NO_RESOURCES; + // reinit adv_enable_status + // There is no suitable value, temporarily changed to 0xff + adv_enable_status = 0xff; + } + if(adv_enable_status != HCI_SUCCESS) { // reset state p_cb->fast_adv_on = temp_fast_adv_on; p_cb->adv_mode = temp_adv_mode; @@ -3617,10 +3628,6 @@ tBTM_STATUS btm_ble_stop_adv(void) #if (BLE_TOPOLOGY_CHECK == TRUE) btm_ble_set_topology_mask (temp_mask); #endif // (BLE_TOPOLOGY_CHECK == TRUE) - rt = BTM_NO_RESOURCES; - } - if(adv_enable_status != HCI_SUCCESS) { - p_cb->adv_mode = temp_adv_mode; } osi_mutex_unlock(&adv_enable_lock); } diff --git a/components/bt/host/bluedroid/stack/btm/btm_ble_iso.c b/components/bt/host/bluedroid/stack/btm/btm_ble_iso.c index f0aa7ca56c..49483702a8 100644 --- a/components/bt/host/bluedroid/stack/btm/btm_ble_iso.c +++ b/components/bt/host/bluedroid/stack/btm/btm_ble_iso.c @@ -162,7 +162,7 @@ void btm_ble_cis_request_evt(tBTM_BLE_CIS_REQUEST_CMPL *params) } #endif // #if (BLE_FEAT_ISO_CIG_PERIPHERAL_EN == TRUE) -#if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) void btm_ble_big_create_cmpl_evt(tBTM_BLE_BIG_CREATE_CMPL *params) { BTM_TRACE_DEBUG("%s", __func__); @@ -217,7 +217,7 @@ void btm_ble_big_terminate_cmpl_evt(tBTM_BLE_BIG_TERMINATE_CMPL *params) BTM_IsoBleCallbackTrigger(BTM_BLE_ISO_BIG_TERMINATE_COMPLETE_EVT, &cb_params); } -#endif // #if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#endif // #if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) #if (BLE_FEAT_ISO_BIG_SYNCER_EN == TRUE) void btm_ble_big_sync_estab_evt(tBTM_BLE_BIG_SYNC_ESTAB_CMPL *params) @@ -315,7 +315,7 @@ void btm_ble_iso_data_path_update_complete(UINT16 opcode, UINT8 hci_status, UINT BTM_IsoBleCallbackTrigger(BTM_BLE_ISO_DATA_PATH_UPFATE_EVT, &cb_params); } -#if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) tBTM_STATUS BTM_BleBigCreate(uint8_t big_handle, uint8_t adv_handle, uint8_t num_bis, uint32_t sdu_interval, uint16_t max_sdu, uint16_t max_transport_latency, uint8_t rtn, uint8_t phy, uint8_t packing, uint8_t framing, @@ -356,23 +356,11 @@ tBTM_STATUS BTM_BleBigCreateTest(uint8_t big_handle, uint8_t adv_handle, uint8_t tBTM_STATUS BTM_BleBigTerminate(UINT8 big_handle, UINT8 reason) { - tHCI_STATUS err = HCI_SUCCESS; - tBTM_STATUS status = BTM_SUCCESS; - tBTM_BLE_ISO_CB_PARAMS cb_params = {0}; - - if ((err = btsnd_hcic_ble_big_terminate(big_handle, reason)) != TRUE) { - BTM_TRACE_ERROR("LE PA SyncCancel, cmd err=0x%x", err); - status = BTM_HCI_ERROR | err; - } - - if (status != BTM_SUCCESS) { - cb_params.status = status; - BTM_IsoBleCallbackTrigger(BTM_BLE_ISO_BIG_TERMINATE_COMPLETE_EVT, &cb_params); - } - - return status; + // event will be triggered in command status and complete event + btsnd_hcic_ble_big_terminate(big_handle, reason); + return BTM_SUCCESS; } -#endif // #if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#endif // #if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) #if (BLE_FEAT_ISO_BIG_SYNCER_EN == TRUE) tBTM_STATUS BTM_BleBigSyncCreate(uint8_t big_handle, uint16_t sync_handle, @@ -488,6 +476,11 @@ tBTM_STATUS BTM_BleSetCigParams(uint8_t cig_id, uint32_t sdu_int_c_to_p, uint32_ BTM_TRACE_ERROR("%s, cis_cnt %d exceeds BLE_ISO_CIS_MAX_COUNT %d", __func__, cis_cnt, BLE_ISO_CIS_MAX_COUNT); return BTM_ILLEGAL_VALUE; } + // HCI_LE_Set_CIG_Parameters param length = 15 + 9*cis_cnt (UINT8). Max 255 => cis_cnt <= 26. + if (cis_cnt > 26) { + BTM_TRACE_ERROR("%s, cis_cnt %d exceeds HCI transport limit", __func__, cis_cnt); + return BTM_ILLEGAL_VALUE; + } if ((err = btsnd_hcic_ble_iso_set_cig_params(cig_id, sdu_int_c_to_p, sdu_int_p_to_c, worse_case_SCA, packing, framing, mtl_c_to_p, mtl_p_to_c, cis_cnt, (struct ble_hci_le_cis_params *)cis_params)) != HCI_SUCCESS) { @@ -508,6 +501,11 @@ tBTM_STATUS BTM_BleSetCigParamsTest(uint8_t cig_id, uint32_t sdu_int_c_to_p, uin BTM_TRACE_ERROR("%s, cis_cnt %d exceeds BLE_ISO_CIS_MAX_COUNT %d", __func__, cis_cnt, BLE_ISO_CIS_MAX_COUNT); return BTM_ILLEGAL_VALUE; } + // HCI_LE_Set_CIG_Parameters_Test param length = 15 + 14*cis_cnt (UINT8). Max 255 => cis_cnt <= 17. + if (cis_cnt > 17) { + BTM_TRACE_ERROR("%s, cis_cnt %d exceeds HCI transport limit", __func__, cis_cnt); + return BTM_ILLEGAL_VALUE; + } if ((err = btsnd_hcic_ble_iso_set_cig_params_test(cig_id, sdu_int_c_to_p, sdu_int_p_to_c,ft_c_to_p, ft_p_to_c, iso_interval, worse_case_SCA, packing, framing, cis_cnt, (struct ble_hci_le_cis_params_test *)cis_params)) != HCI_SUCCESS) { @@ -562,8 +560,14 @@ void btm_ble_accept_cis_req_cmd_status(tBTM_BLE_ISO_CB_PARAMS *cb_params) tBTM_STATUS BTM_BleAcceptCisReq(uint16_t cis_handle) { - btsnd_hcic_ble_iso_accept_cis_req(cis_handle); - return BTM_SUCCESS; + if (btsnd_hcic_ble_iso_accept_cis_req(cis_handle)) { + return BTM_SUCCESS; + } + // failed to send command + tBTM_BLE_ISO_CB_PARAMS cb_params = {0}; + cb_params.status = BTM_NO_RESOURCES; + btm_ble_accept_cis_req_cmd_status(&cb_params); + return BTM_NO_RESOURCES; } tBTM_STATUS BTM_BleRejectCisReq(uint16_t cis_handle, uint8_t reason) diff --git a/components/bt/host/bluedroid/stack/btm/btm_ble_privacy.c b/components/bt/host/bluedroid/stack/btm/btm_ble_privacy.c index 633d15e253..09a0835f6a 100644 --- a/components/bt/host/bluedroid/stack/btm/btm_ble_privacy.c +++ b/components/bt/host/bluedroid/stack/btm/btm_ble_privacy.c @@ -71,7 +71,14 @@ static bool is_deleting_zero_addr; void btm_ble_enq_resolving_list_pending(BD_ADDR pseudo_bda, UINT8 op_code) { tBTM_BLE_RESOLVE_Q *p_q = &btm_cb.ble_ctr_cb.resolving_list_pend_q; - + UINT8 max_size = controller_get_interface()->get_ble_resolving_list_max_size(); + if (max_size <= 1) { + return; + } + if (((p_q->q_next + 1) % max_size) == p_q->q_pending) { + BTM_TRACE_ERROR("%s, resolving pending queue full\n", __func__); + return; + } memcpy(p_q->resolve_q_random_pseudo[p_q->q_next], pseudo_bda, BD_ADDR_LEN); p_q->resolve_q_action[p_q->q_next] = op_code; p_q->q_next ++; @@ -244,10 +251,11 @@ void btm_ble_clear_resolving_list_complete(UINT8 *p, UINT16 evt_len) if (controller_get_interface()->get_ble_resolving_list_max_size() == 0) { btm_ble_resolving_list_init(irk_list_sz_max); } - - uint8_t irk_mask_size = (irk_list_sz_max % 8) ? + if (btm_cb.ble_ctr_cb.irk_list_mask != NULL) { + uint8_t irk_mask_size = (irk_list_sz_max % 8) ? (irk_list_sz_max / 8 + 1) : (irk_list_sz_max / 8); - memset(btm_cb.ble_ctr_cb.irk_list_mask, 0, irk_mask_size); + memset(btm_cb.ble_ctr_cb.irk_list_mask, 0, irk_mask_size); + } } btm_cb.ble_ctr_cb.resolving_list_avail_size = @@ -709,8 +717,9 @@ BOOLEAN btm_ble_suspend_resolving_list_activity(void) #if (BLE_42_ADV_EN == TRUE) if (p_ble_cb->inq_var.adv_mode == BTM_BLE_ADV_ENABLE) { - btm_ble_stop_adv(); - p_ble_cb->suspended_rl_state |= BTM_BLE_RL_ADV; + if (btm_ble_stop_adv() == BTM_SUCCESS) { + p_ble_cb->suspended_rl_state |= BTM_BLE_RL_ADV; + } } #endif // #if (BLE_42_ADV_EN == TRUE) @@ -1124,14 +1133,31 @@ void btm_ble_resolving_list_init(UINT8 max_irk_list_sz) tBTM_BLE_RESOLVE_Q *p_q = &btm_cb.ble_ctr_cb.resolving_list_pend_q; UINT8 irk_mask_size = (max_irk_list_sz % 8) ? (max_irk_list_sz / 8 + 1) : (max_irk_list_sz / 8); + // free them if they are already allocated. + btm_ble_resolving_list_cleanup(); + + p_q->q_next = 0; + p_q->q_pending = 0; if (max_irk_list_sz > 0) { p_q->resolve_q_random_pseudo = (BD_ADDR *)osi_malloc(sizeof(BD_ADDR) * max_irk_list_sz); + if (p_q->resolve_q_random_pseudo == NULL) { + BTM_TRACE_ERROR("%s - Out of memory for random pseudo address", __FUNCTION__); + goto _mem_error; + } p_q->resolve_q_action = (UINT8 *)osi_malloc(max_irk_list_sz); + if (p_q->resolve_q_action == NULL) { + BTM_TRACE_ERROR("%s - Out of memory for resolve action", __FUNCTION__); + goto _mem_error; + } /* RPA offloading feature */ if (btm_cb.ble_ctr_cb.irk_list_mask == NULL) { btm_cb.ble_ctr_cb.irk_list_mask = (UINT8 *)osi_malloc(irk_mask_size); + if (btm_cb.ble_ctr_cb.irk_list_mask == NULL) { + BTM_TRACE_ERROR("%s - Out of memory for IRK list mask", __FUNCTION__); + goto _mem_error; + } } BTM_TRACE_DEBUG ("%s max_irk_list_sz = %d", __func__, max_irk_list_sz); @@ -1140,6 +1166,12 @@ void btm_ble_resolving_list_init(UINT8 max_irk_list_sz) controller_get_interface()->set_ble_resolving_list_max_size(max_irk_list_sz); btm_ble_clear_resolving_list(); btm_cb.ble_ctr_cb.resolving_list_avail_size = max_irk_list_sz; + + return; + +_mem_error: + btm_ble_resolving_list_cleanup(); + btm_cb.ble_ctr_cb.resolving_list_avail_size = 0; } /******************************************************************************* diff --git a/components/bt/host/bluedroid/stack/btm/btm_sec.c b/components/bt/host/bluedroid/stack/btm/btm_sec.c index 4dcfaffe52..a744bc3032 100644 --- a/components/bt/host/bluedroid/stack/btm/btm_sec.c +++ b/components/bt/host/bluedroid/stack/btm/btm_sec.c @@ -3491,6 +3491,12 @@ void btm_io_capabilities_rsp (UINT8 *p) /* Allocate a new device record or reuse the oldest one */ p_dev_rec = btm_find_or_alloc_dev (evt_data.bd_addr); + if (p_dev_rec == NULL) { + BTM_TRACE_ERROR ("%s: no device record available\n", __FUNCTION__); + return; + } + + /* If no security is in progress, this indicates incoming security */ if (btm_cb.pairing_state == BTM_PAIR_STATE_IDLE) { memcpy (btm_cb.pairing_bda, evt_data.bd_addr, BD_ADDR_LEN); @@ -4337,6 +4343,16 @@ void btm_sec_connected (UINT8 *bda, UINT16 handle, UINT8 status, UINT8 enc_mode) /* There is no device record for new connection. Allocate one */ if (status == HCI_SUCCESS) { p_dev_rec = btm_sec_alloc_dev (bda); + // no memory to allocate device record + if (p_dev_rec == NULL) { + if ((btm_cb.pairing_state != BTM_PAIR_STATE_IDLE) && + (memcmp (btm_cb.pairing_bda, bda, BD_ADDR_LEN) == 0)) { + btm_sec_change_pairing_state(BTM_PAIR_STATE_IDLE); + } + BTM_TRACE_ERROR ("%s: no device record available\n", __FUNCTION__); + return; + } + } else { /* If the device matches with stored paring address * reset the paring state to idle */ @@ -4899,6 +4915,12 @@ void btm_sec_link_key_notification (UINT8 *p_bda, UINT8 *p_link_key, UINT8 key_t void btm_sec_link_key_request (UINT8 *p_bda) { tBTM_SEC_DEV_REC *p_dev_rec = btm_find_or_alloc_dev (p_bda); + // no memory to allocate device record + if (p_dev_rec == NULL) { + btsnd_hcic_link_key_neg_reply (p_bda); + BTM_TRACE_ERROR ("%s: no device record available\n", __FUNCTION__); + return; + } BTM_TRACE_EVENT ("btm_sec_link_key_request() BDA: %02x:%02x:%02x:%02x:%02x:%02x\n", p_bda[0], p_bda[1], p_bda[2], p_bda[3], p_bda[4], p_bda[5]); @@ -6011,13 +6033,22 @@ static BOOLEAN btm_sec_queue_encrypt_request (BD_ADDR bd_addr, tBT_TRANSPORT tra tBTM_SEC_CALLBACK *p_callback, void *p_ref_data) { tBTM_SEC_QUEUE_ENTRY *p_e; + if (bd_addr == NULL) { + BTM_TRACE_ERROR("%s: bd_addr is NULL\n", __func__); + return FALSE; + } + p_e = (tBTM_SEC_QUEUE_ENTRY *)osi_malloc(sizeof(tBTM_SEC_QUEUE_ENTRY) + 1); if (p_e) { p_e->psm = 0; /* if PSM 0, encryption request */ p_e->p_callback = p_callback; - p_e->p_ref_data = (void *)(p_e + 1); - *(UINT8 *)p_e->p_ref_data = *(UINT8 *)(p_ref_data); + if (p_ref_data != NULL) { + p_e->p_ref_data = (void *)(p_e + 1); + *(UINT8 *)p_e->p_ref_data = *(UINT8 *)p_ref_data; + } else { + p_e->p_ref_data = NULL; + } p_e->transport = transport; memcpy(p_e->bd_addr, bd_addr, BD_ADDR_LEN); fixed_queue_enqueue(btm_cb.sec_pending_q, p_e, FIXED_QUEUE_MAX_TIMEOUT); @@ -6256,36 +6287,6 @@ BOOLEAN btm_sec_is_le_capable_dev (BD_ADDR bda) return le_capable; } -/******************************************************************************* -** -** Function btm_sec_find_bonded_dev -** -** Description Find a bonded device starting from the specified index -** -** Returns TRUE - found a bonded device -** -*******************************************************************************/ -#if (BLE_INCLUDED == TRUE) -BOOLEAN btm_sec_find_bonded_dev (UINT8 start_idx, UINT16 *p_found_handle, tBTM_SEC_DEV_REC **p_rec) -{ - BOOLEAN found = FALSE; - -#if (SMP_INCLUDED== TRUE) - tBTM_SEC_DEV_REC *p_dev_rec; - list_node_t *p_node = NULL; - for (p_node = list_begin(btm_cb.p_sec_dev_rec_list); p_node; p_node = list_next(p_node)) { - p_dev_rec = list_node(p_node); - if (p_dev_rec->ble.key_type || (p_dev_rec->sec_flags & BTM_SEC_LINK_KEY_KNOWN)) { - *p_found_handle = p_dev_rec->hci_handle; - *p_rec = p_dev_rec; - break; - } - } - BTM_TRACE_DEBUG ("%s() found=%d\n", __func__, found); -#endif - return (found); -} -#endif ///BLE_INCLUDED == TRUE /******************************************************************************* ** ** Function btm_sec_use_smp_br_chnl diff --git a/components/bt/host/bluedroid/stack/btm/include/btm_ble_int.h b/components/bt/host/bluedroid/stack/btm/include/btm_ble_int.h index 76b34bcefe..06a2023599 100644 --- a/components/bt/host/bluedroid/stack/btm/include/btm_ble_int.h +++ b/components/bt/host/bluedroid/stack/btm/include/btm_ble_int.h @@ -574,10 +574,10 @@ void btm_ble_accept_cis_req_cmd_status(tBTM_BLE_ISO_CB_PARAMS *cb_params); void btm_ble_create_cis_cmd_status(tBTM_BLE_ISO_CB_PARAMS *cb_params); void btm_ble_iso_set_cig_params_complete(UINT8 *p); #endif // #if (BLE_FEAT_ISO_CIG_CENTRAL_EN == TRUE) -#if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) void btm_ble_big_create_cmpl_evt(tBTM_BLE_BIG_CREATE_CMPL *param); void btm_ble_big_terminate_cmpl_evt(tBTM_BLE_BIG_TERMINATE_CMPL *params); -#endif // #if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#endif // #if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) #if (BLE_FEAT_ISO_BIG_SYNCER_EN == TRUE) void btm_ble_big_sync_estab_evt(tBTM_BLE_BIG_SYNC_ESTAB_CMPL *params); void btm_ble_big_sync_lost_evt(tBTM_BLE_BIG_SYNC_LOST_EVT *params); diff --git a/components/bt/host/bluedroid/stack/btm/include/btm_int.h b/components/bt/host/bluedroid/stack/btm/include/btm_int.h index 25a45d2e88..2e98d7a5d3 100644 --- a/components/bt/host/bluedroid/stack/btm/include/btm_int.h +++ b/components/bt/host/bluedroid/stack/btm/include/btm_int.h @@ -1281,7 +1281,6 @@ void btm_sec_set_peer_sec_caps (tACL_CONN *p_acl_cb, tBTM_SEC_DEV_REC *p_dev_rec #if BLE_INCLUDED == TRUE void btm_sec_clear_ble_keys (tBTM_SEC_DEV_REC *p_dev_rec); -BOOLEAN btm_sec_find_bonded_dev (UINT8 start_idx, UINT16 *p_found_handle, tBTM_SEC_DEV_REC **p_rec); BOOLEAN btm_sec_is_a_bonded_dev (BD_ADDR bda); void btm_consolidate_dev(tBTM_SEC_DEV_REC *p_target_rec); BOOLEAN btm_sec_is_le_capable_dev (BD_ADDR bda); diff --git a/components/bt/host/bluedroid/stack/btu/btu_hcif.c b/components/bt/host/bluedroid/stack/btu/btu_hcif.c index b3d5ffe36f..9a3636c7bf 100644 --- a/components/bt/host/bluedroid/stack/btu/btu_hcif.c +++ b/components/bt/host/bluedroid/stack/btu/btu_hcif.c @@ -192,12 +192,12 @@ static void btu_ble_periodic_adv_sync_trans_recv(UINT8 *p); #if (BLE_FEAT_ISO_EN == TRUE) -#if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) void btu_ble_create_big_cmd_status(UINT8 status); static void btu_ble_big_create_complete_evt(UINT8 *p); void btu_ble_big_terminate_cmd_status(UINT8 status); static void btu_ble_big_terminate_complete_evt(UINT8 *p); -#endif // #if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#endif // #if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) #if (BLE_FEAT_ISO_BIG_SYNCER_EN == TRUE) static void btu_ble_create_big_sync_cmd_status(UINT8 status); @@ -570,14 +570,14 @@ void btu_hcif_process_event (UNUSED_ATTR UINT8 controller_id, BT_HDR *p_msg) btu_ble_cis_request_evt(p); break; #endif // #if (BLE_FEAT_ISO_CIG_PERIPHERAL_EN == TRUE) -#if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) case HCI_BLE_BIG_CREATE_COMPLETE_EVT: btu_ble_big_create_complete_evt(p); break; case HCI_BLE_BIG_TERMINATE_COMPLETE_EVT: btu_ble_big_terminate_complete_evt(p); break; -#endif // #if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#endif // #if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) #if (BLE_FEAT_ISO_BIG_SYNCER_EN == TRUE) case HCI_BLE_BIG_SYNC_ESTABLISHED_EVT: btu_ble_big_sync_establish_evt(p); @@ -1633,7 +1633,7 @@ static void btu_hcif_hdl_command_status (UINT16 opcode, UINT8 status, UINT8 *p_c } #endif // #if (BLE_50_FEATURE_SUPPORT == TRUE) #if (BLE_FEAT_ISO_EN == TRUE) -#if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) case HCI_BLE_CREATE_BIG: case HCI_BLE_CREATE_BIG_TEST: btu_ble_create_big_cmd_status(status); @@ -1641,7 +1641,7 @@ static void btu_hcif_hdl_command_status (UINT16 opcode, UINT8 status, UINT8 *p_c case HCI_BLE_TERMINATE_BIG: btu_ble_big_terminate_cmd_status(status); break; -#endif // #if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#endif // #if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) #if (BLE_FEAT_ISO_BIG_SYNCER_EN == TRUE) case HCI_BLE_BIG_CREATE_SYNC: btu_ble_create_big_sync_cmd_status(status); @@ -2538,9 +2538,9 @@ static void btm_ble_resolve_random_addr_adv_ext(void *p_rec, void *p) { tBTM_SEC_DEV_REC *match_rec = (tBTM_SEC_DEV_REC *) p_rec; BD_ADDR bda; - UINT8 *pp = (UINT8 *)p+4; //jump to the location of bd addr + UINT8 *pp = (UINT8 *)p+2; //jump to the location of addr_type if (match_rec) { - // Assign the original address to be the current report address + UINT8_TO_STREAM(pp, match_rec->ble.ble_addr_type); memcpy(bda, match_rec->ble.pseudo_addr, BD_ADDR_LEN); BDADDR_TO_STREAM(pp,bda); } @@ -2554,15 +2554,13 @@ static void btu_ble_ext_adv_report_evt(UINT8 *p, UINT16 evt_len) tBTM_BLE_EXT_ADV_REPORT ext_adv_report = {0}; UINT8 num_reports = {0}; #if (defined BLE_PRIVACY_SPT && BLE_PRIVACY_SPT == TRUE) - UINT8 *pp = p; + UINT8 *pp; + BOOLEAN match = FALSE; #endif //UINT8 legacy_event_type = 0; UINT16 evt_type = 0; uint8_t addr_type; BD_ADDR bda; - #if (defined BLE_PRIVACY_SPT && BLE_PRIVACY_SPT == TRUE) - BOOLEAN match = FALSE; - #endif if (!p) { HCI_TRACE_ERROR("%s, Invalid params.", __func__); @@ -2576,6 +2574,10 @@ static void btu_ble_ext_adv_report_evt(UINT8 *p, UINT16 evt_len) } while (num_reports--) { +#if (defined BLE_PRIVACY_SPT && BLE_PRIVACY_SPT == TRUE) + /* Save current report start position for address resolution callback */ + pp = p; +#endif STREAM_TO_UINT16(evt_type, p); ext_adv_report.event_type = evt_type & 0x1F; if(ext_adv_report.event_type & BTM_BLE_ADV_LEGACY_MASK) { @@ -2601,8 +2603,9 @@ static void btu_ble_ext_adv_report_evt(UINT8 *p, UINT16 evt_len) match = btm_identity_addr_to_random_pseudo(bda, &addr_type, FALSE); if (!match && BTM_BLE_IS_RESOLVE_BDA(bda)) { btm_ble_resolve_random_addr(bda, btm_ble_resolve_random_addr_adv_ext, pp); - //the BDADDR may be updated, so read it again - p = p - sizeof(bda); + //the addr_type and BDADDR may be updated, so read them again + p = p - sizeof(bda) - 1; + STREAM_TO_UINT8(addr_type, p); STREAM_TO_BDADDR(bda, p); } } @@ -2656,6 +2659,13 @@ static void btu_ble_periodic_adv_sync_establish_evt(UINT8 *p, bool v2_evt) STREAM_TO_UINT8(sync_estab.rsp_slot_delay, p); STREAM_TO_UINT8(sync_estab.rsp_slot_spacing, p); } +#else + if (v2_evt) { + STREAM_SKIP_UINT8(p); + STREAM_SKIP_UINT8(p); + STREAM_SKIP_UINT8(p); + STREAM_SKIP_UINT8(p); + } #endif // (BT_BLE_FEAT_PAWR_EN == TRUE) btm_ble_periodic_adv_sync_establish_evt(&sync_estab); @@ -2666,15 +2676,15 @@ static void btu_ble_periodic_adv_report_evt(UINT8 *p, UINT8 evt_len, bool v2_evt tBTM_PERIOD_ADV_REPORT adv_report = {0}; /* This parameter is intended to be used in a future feature. */ UINT8 unused = 0; - UINT8 min_len = MIN_BLE_PERIODIC_ADV_REPORT_LEN; + UINT8 min_len = v2_evt ? (MIN_BLE_PERIODIC_ADV_REPORT_LEN + 3) : MIN_BLE_PERIODIC_ADV_REPORT_LEN; if (!p) { HCI_TRACE_ERROR("%s, Invalid params.", __func__); return; } - if (evt_len < MIN_BLE_PERIODIC_ADV_REPORT_LEN) { - HCI_TRACE_ERROR("%s, Invalid params, the adv len is too short.", __func__); + if (evt_len < min_len) { + HCI_TRACE_ERROR("%s, Invalid params, the adv len %d is too short.", __func__, evt_len); return; } @@ -2686,7 +2696,11 @@ static void btu_ble_periodic_adv_report_evt(UINT8 *p, UINT8 evt_len, bool v2_evt if (v2_evt) { STREAM_TO_UINT16(adv_report.periodic_evt_cnt, p); STREAM_TO_UINT8(adv_report.subevt, p); - min_len += 3; + } +#else + if (v2_evt) { + STREAM_SKIP_UINT16(p); + STREAM_SKIP_UINT8(p); } #endif // (BT_BLE_FEAT_PAWR_EN == TRUE) STREAM_TO_UINT8(adv_report.data_status, p); @@ -2885,6 +2899,15 @@ static void btu_ble_cis_established_evt(UINT8 *p, bool v2_evt) STREAM_TO_UINT24(cis_estab_evt.sdu_int_p_to_c, p); STREAM_TO_UINT8(cis_estab_evt.framing, p); } +#else + if (v2_evt) { + STREAM_SKIP_UINT24(p); + STREAM_SKIP_UINT16(p); + STREAM_SKIP_UINT16(p); + STREAM_SKIP_UINT24(p); + STREAM_SKIP_UINT24(p); + STREAM_SKIP_UINT8(p); + } #endif // #if (BLE_FEAT_ISO_60_EN == TRUE) btm_ble_cis_established_evt(&cis_estab_evt); @@ -2912,7 +2935,7 @@ static void btu_ble_cis_request_evt(UINT8 *p) } #endif // #if (BLE_FEAT_ISO_CIG_PERIPHERAL_EN == TRUE) -#if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) void btu_ble_create_big_cmd_status(UINT8 status) { if (status != HCI_SUCCESS) { @@ -2987,7 +3010,7 @@ static void btu_ble_big_terminate_complete_evt(UINT8 *p) btm_ble_big_terminate_cmpl_evt(&big_term); } -#endif // #if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#endif // #if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) #if (BLE_FEAT_ISO_BIG_SYNCER_EN == TRUE) void btu_ble_create_big_sync_cmd_status(UINT8 status) @@ -3534,6 +3557,8 @@ static void btu_ble_cs_subevt_result_continue_evt(UINT8 *p) HCI_TRACE_ERROR("%s, no memory.", __func__); } } + } else { + HCI_TRACE_ERROR("%s, no memory for step_info.", __func__); } btm_ble_cs_subevt_continue_result_evt(&subevt_continue_result); diff --git a/components/bt/host/bluedroid/stack/btu/btu_task.c b/components/bt/host/bluedroid/stack/btu/btu_task.c index f6ce7e4426..b1b5c423b2 100644 --- a/components/bt/host/bluedroid/stack/btu/btu_task.c +++ b/components/bt/host/bluedroid/stack/btu/btu_task.c @@ -559,6 +559,12 @@ void btu_start_quick_timer(TIMER_LIST_ENT *p_tle, UINT16 type, UINT32 timeout_ti osi_mutex_lock(&btu_l2cap_alarm_lock, OSI_MUTEX_MAX_TIMEOUT); if (!hash_map_has_key(btu_l2cap_alarm_hash_map, p_tle)) { alarm = osi_alarm_new("btu_l2cap", btu_l2cap_alarm_cb, (void *)p_tle, 0); + if (alarm == NULL) { + HCI_TRACE_ERROR("%s Unable to create alarm", __func__); + osi_mutex_unlock(&btu_l2cap_alarm_lock); + return; + } + hash_map_set(btu_l2cap_alarm_hash_map, p_tle, (void *)alarm); } osi_mutex_unlock(&btu_l2cap_alarm_lock); diff --git a/components/bt/host/bluedroid/stack/gap/gap_ble.c b/components/bt/host/bluedroid/stack/gap/gap_ble.c index 154fcca0b0..823fadc983 100644 --- a/components/bt/host/bluedroid/stack/gap/gap_ble.c +++ b/components/bt/host/bluedroid/stack/gap/gap_ble.c @@ -775,6 +775,7 @@ BOOLEAN gap_ble_accept_cl_operation(BD_ADDR peer_bda, UINT16 uuid, tGAP_BLE_CMPL { tGAP_CLCB *p_clcb; BOOLEAN started = FALSE; + BOOLEAN is_new_clcb = FALSE; if (p_cback == NULL && uuid != GATT_UUID_GAP_PREF_CONN_PARAM) { return (started); @@ -785,6 +786,7 @@ BOOLEAN gap_ble_accept_cl_operation(BD_ADDR peer_bda, UINT16 uuid, tGAP_BLE_CMPL GAP_TRACE_ERROR("gap_ble_accept_cl_operation max connection reached"); return started; } + is_new_clcb = TRUE; } GAP_TRACE_EVENT ("%s() - BDA: %08x%04x cl_op_uuid: 0x%04x", @@ -798,11 +800,25 @@ BOOLEAN gap_ble_accept_cl_operation(BD_ADDR peer_bda, UINT16 uuid, tGAP_BLE_CMPL /* hold the link here */ if (!GATT_Connect(gap_cb.gatt_if, p_clcb->bda, BLE_ADDR_UNKNOWN_TYPE, TRUE, BT_TRANSPORT_LE, FALSE, FALSE, 0xFF, 0xFF)) { + if (is_new_clcb) { + gap_ble_dealloc_clcb(p_clcb); + } return started; } /* enqueue the request */ - gap_ble_enqueue_request(p_clcb, uuid, p_cback); + if (gap_ble_enqueue_request(p_clcb, uuid, p_cback) == FALSE) { + GAP_TRACE_ERROR("gap_ble_accept_cl_operation enqueue request failed"); + if (is_new_clcb) { + if (p_clcb->connected) { + GATT_Disconnect(p_clcb->conn_id); + } else { + GATT_CancelConnect(gap_cb.gatt_if, p_clcb->bda, TRUE); + } + gap_ble_dealloc_clcb(p_clcb); + } + return started; + } if (p_clcb->connected && p_clcb->cl_op_uuid == 0) { started = gap_ble_send_cl_read_request(p_clcb); diff --git a/components/bt/host/bluedroid/stack/gatt/att_protocol.c b/components/bt/host/bluedroid/stack/gatt/att_protocol.c index f2654f1a15..686820071a 100644 --- a/components/bt/host/bluedroid/stack/gatt/att_protocol.c +++ b/components/bt/host/bluedroid/stack/gatt/att_protocol.c @@ -166,6 +166,11 @@ BT_HDR *attp_build_read_by_type_value_cmd (UINT16 payload_size, tGATT_FIND_TYPE_ UINT8 *p; UINT16 len = p_value_type->value_len; + if (payload_size < GATT_DEF_BLE_MTU_SIZE) { + // never build packet smaller than default MTU size + return NULL; + } + if ((p_buf = (BT_HDR *)osi_malloc((UINT16)(sizeof(BT_HDR) + payload_size + L2CAP_MIN_OFFSET))) != NULL) { p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET; diff --git a/components/bt/host/bluedroid/stack/gatt/gatt_api.c b/components/bt/host/bluedroid/stack/gatt/gatt_api.c index a245247d56..6a22bd01d7 100644 --- a/components/bt/host/bluedroid/stack/gatt/gatt_api.c +++ b/components/bt/host/bluedroid/stack/gatt/gatt_api.c @@ -1029,6 +1029,12 @@ tGATT_STATUS GATTC_Read (UINT16 conn_id, tGATT_READ_TYPE type, tGATT_READ_PARAM p_clcb->s_handle = 0; /* copy multiple handles in CB */ p_read_multi = (tGATT_READ_MULTI *)osi_malloc(sizeof(tGATT_READ_MULTI)); + if (p_read_multi == NULL) { + GATT_TRACE_ERROR("GATTC_Read no resources for multiple read"); + status = GATT_NO_RESOURCES; + gatt_clcb_dealloc(p_clcb); + return status; + } p_clcb->p_attr_buf = (UINT8 *)p_read_multi; memcpy (p_read_multi, &p_read->read_multiple, sizeof(tGATT_READ_MULTI)); case GATT_READ_BY_HANDLE: @@ -1386,7 +1392,8 @@ void GATT_Deregister (tGATT_IF gatt_if) (p_clcb->p_tcb->tcb_idx == p_tcb->tcb_idx)) { btu_stop_timer(&p_clcb->rsp_timer_ent); gatt_clcb_dealloc (p_clcb); - break; + // Removed break to ensure all CLCBs are cleaned up + // break; } } } @@ -1398,6 +1405,10 @@ void GATT_Deregister (tGATT_IF gatt_if) memset (p_reg, 0, sizeof(tGATT_REG)); } +void gatt_start_if_conn_cb(UINT8 tcb_idx, tBT_TRANSPORT transport, BD_ADDR bda) +{ + +} /******************************************************************************* ** @@ -1416,21 +1427,19 @@ void GATT_StartIf (tGATT_IF gatt_if) { tGATT_REG *p_reg; tGATT_TCB *p_tcb; - BD_ADDR bda; - UINT8 start_idx, found_idx; UINT16 conn_id; - tGATT_TRANSPORT transport ; + list_node_t *p_node = NULL; GATT_TRACE_API ("GATT_StartIf gatt_if=%d", gatt_if); if ((p_reg = gatt_get_regcb(gatt_if)) != NULL) { - start_idx = 0; - while (gatt_find_the_connected_bda(start_idx, bda, &found_idx, &transport)) { - p_tcb = gatt_find_tcb_by_addr(bda, transport); - if (p_reg->app_cb.p_conn_cb && p_tcb) { - conn_id = GATT_CREATE_CONN_ID(p_tcb->tcb_idx, gatt_if); - (*p_reg->app_cb.p_conn_cb)(gatt_if, bda, conn_id, TRUE, 0, transport); + for (p_node = list_begin(gatt_cb.p_tcb_list); p_node; p_node = list_next(p_node)) { + p_tcb = list_node(p_node); + if (p_tcb->in_use && p_tcb->ch_state == GATT_CH_OPEN) { + if (p_reg->app_cb.p_conn_cb && p_tcb) { + conn_id = GATT_CREATE_CONN_ID(p_tcb->tcb_idx, gatt_if); + (*p_reg->app_cb.p_conn_cb)(gatt_if, p_tcb->peer_bda, conn_id, TRUE, 0, p_tcb->transport); + } } - start_idx = ++found_idx; } } } @@ -1597,11 +1606,10 @@ tGATT_STATUS GATT_Disconnect (UINT16 conn_id) *******************************************************************************/ tGATT_STATUS GATT_SendServiceChangeIndication (BD_ADDR bd_addr) { - UINT8 start_idx, found_idx; BOOLEAN srv_chg_ind_pending = FALSE; tGATT_TCB *p_tcb; - tBT_TRANSPORT transport; tGATT_STATUS status = GATT_NOT_FOUND; + list_node_t *p_node = NULL; if (gatt_cb.srv_chg_mode == GATTS_SEND_SERVICE_CHANGE_AUTO) { status = GATT_WRONG_STATE; @@ -1612,19 +1620,17 @@ tGATT_STATUS GATT_SendServiceChangeIndication (BD_ADDR bd_addr) if(bd_addr) { status = gatt_send_srv_chg_ind(bd_addr); } else { - start_idx = 0; - BD_ADDR addr; - while (gatt_find_the_connected_bda(start_idx, addr, &found_idx, &transport)) { - p_tcb = gatt_get_tcb_by_idx(found_idx); - srv_chg_ind_pending = gatt_is_srv_chg_ind_pending(p_tcb); - - if (!srv_chg_ind_pending) { - status = gatt_send_srv_chg_ind(addr); - } else { - status = GATT_BUSY; - GATT_TRACE_DEBUG("discard srv chg - already has one in the queue"); + for (p_node = list_begin(gatt_cb.p_tcb_list); p_node; p_node = list_next(p_node)) { + p_tcb = list_node(p_node); + if (p_tcb->in_use && p_tcb->ch_state == GATT_CH_OPEN) { + srv_chg_ind_pending = gatt_is_srv_chg_ind_pending(p_tcb); + if (!srv_chg_ind_pending) { + status = gatt_send_srv_chg_ind(p_tcb->peer_bda); + } else { + status = GATT_BUSY; + GATT_TRACE_DEBUG("discard srv chg - already has one in the queue"); + } } - start_idx = ++found_idx; } } diff --git a/components/bt/host/bluedroid/stack/gatt/gatt_auth.c b/components/bt/host/bluedroid/stack/gatt/gatt_auth.c index a5769a83d7..7ceea18845 100644 --- a/components/bt/host/bluedroid/stack/gatt/gatt_auth.c +++ b/components/bt/host/bluedroid/stack/gatt/gatt_auth.c @@ -80,6 +80,8 @@ static BOOLEAN gatt_sign_data (tGATT_CLCB *p_clcb) } osi_free(p_data); + } else { + gatt_end_operation(p_clcb, GATT_NO_RESOURCES, NULL); } return status; diff --git a/components/bt/host/bluedroid/stack/gatt/gatt_cl.c b/components/bt/host/bluedroid/stack/gatt/gatt_cl.c index 1bdbfaec08..98214f8797 100644 --- a/components/bt/host/bluedroid/stack/gatt/gatt_cl.c +++ b/components/bt/host/bluedroid/stack/gatt/gatt_cl.c @@ -449,7 +449,7 @@ void gatt_process_find_type_value_rsp (tGATT_TCB *p_tcb, tGATT_CLCB *p_clcb, UIN void gatt_process_read_info_rsp(tGATT_TCB *p_tcb, tGATT_CLCB *p_clcb, UINT8 op_code, UINT16 len, UINT8 *p_data) { - tGATT_DISC_RES result; + tGATT_DISC_RES result = {0}; UINT8 *p = p_data, uuid_len = 0, type; UNUSED(p_tcb); @@ -472,6 +472,10 @@ void gatt_process_read_info_rsp(tGATT_TCB *p_tcb, tGATT_CLCB *p_clcb, UINT8 op_c uuid_len = LEN_UUID_16; } else if (type == GATT_INFO_TYPE_PAIR_128) { uuid_len = LEN_UUID_128; + } else { + GATT_TRACE_ERROR("invalid Info Response PDU format: %d", type); + gatt_end_operation(p_clcb, GATT_INVALID_PDU, NULL); + return; } while (len >= uuid_len + 2) { @@ -796,7 +800,7 @@ void gatt_process_read_by_type_rsp (tGATT_TCB *p_tcb, tGATT_CLCB *p_clcb, UINT8 if ((value_len > (p_tcb->payload_size - 2)) || (value_len > (len - 1)) ) { /* this is an error case that server's response containing a value length which is larger than MTU-2 or value_len > message total length -1 */ - GATT_TRACE_ERROR("gatt_process_read_by_type_rsp: Discard response op_code=%d vale_len=%d > (MTU-2=%d or msg_len-1=%d)", + GATT_TRACE_ERROR("gatt_process_read_by_type_rsp: Discard response op_code=%d value_len=%d > (MTU-2=%d or msg_len-1=%d)", op_code, value_len, (p_tcb->payload_size - 2), (len - 1)); gatt_end_operation(p_clcb, GATT_ERROR, NULL); return; @@ -884,7 +888,8 @@ void gatt_process_read_by_type_rsp (tGATT_TCB *p_tcb, tGATT_CLCB *p_clcb, UINT8 } /* read by type */ else if (p_clcb->operation == GATTC_OPTYPE_READ && p_clcb->op_subtype == GATT_READ_BY_TYPE) { - p_clcb->counter = len - 2; + /* value_len is the length of current record's value; use it to avoid overread when multiple records present */ + p_clcb->counter = value_len; p_clcb->s_handle = handle; if ( p_clcb->counter == (p_clcb->p_tcb->payload_size - 4)) { p_clcb->op_subtype = GATT_READ_BY_HANDLE; @@ -916,7 +921,7 @@ void gatt_process_read_by_type_rsp (tGATT_TCB *p_tcb, tGATT_CLCB *p_clcb, UINT8 /* UUID not matching */ if (!gatt_uuid_compare(record_value.dclr_value.char_uuid, p_clcb->uuid)) { - len -= (value_len + 2); + len -= (value_len + handle_len); continue; /* skip the result, and look for next one */ } else if (p_clcb->operation == GATTC_OPTYPE_READ) /* UUID match for read characteristic value */ @@ -1000,7 +1005,7 @@ void gatt_process_read_rsp(tGATT_TCB *p_tcb, tGATT_CLCB *p_clcb, UINT8 op_code, gatt_end_operation(p_clcb, GATT_SUCCESS, (void *)p_clcb->p_attr_buf); } } else { /* exception, should not happen */ - GATT_TRACE_ERROR("attr offset = %d p_attr_buf = %p ", offset, p_clcb->p_attr_buf); + GATT_TRACE_ERROR("attr offset = %d p_attr_buf = %p ", offset, p_clcb->p_attr_buf ? p_clcb->p_attr_buf:0); gatt_end_operation(p_clcb, GATT_NO_RESOURCES, (void *)p_clcb->p_attr_buf); } } diff --git a/components/bt/host/bluedroid/stack/gatt/gatt_db.c b/components/bt/host/bluedroid/stack/gatt/gatt_db.c index 6c578e678f..73037155f2 100644 --- a/components/bt/host/bluedroid/stack/gatt/gatt_db.c +++ b/components/bt/host/bluedroid/stack/gatt/gatt_db.c @@ -363,6 +363,7 @@ tGATT_STATUS gatts_db_read_attr_value_by_type (tGATT_TCB *p_tcb, if (p_attr->handle >= s_handle && gatt_uuid_compare(type, attr_uuid)) { if (*p_len <= 2) { + *p_cur_handle = p_attr->handle; status = GATT_NO_RESOURCES; break; } @@ -375,15 +376,19 @@ tGATT_STATUS gatts_db_read_attr_value_by_type (tGATT_TCB *p_tcb, need_rsp = TRUE; status = gatts_send_app_read_request(p_tcb, op_code, p_attr->handle, 0, trans_id, need_rsp); - + if (status != GATT_PENDING) { + *p_cur_handle = p_attr->handle; + } /* one callback at a time */ break; } else if (status == GATT_SUCCESS || status == GATT_STACK_RSP) { if (status == GATT_STACK_RSP){ need_rsp = FALSE; status = gatts_send_app_read_request(p_tcb, op_code, p_attr->handle, 0, trans_id, need_rsp); - if(status == GATT_BUSY) + if (status != GATT_STACK_RSP) { + *p_cur_handle = p_attr->handle; break; + } if (!have_send_request){ have_send_request = true; @@ -400,6 +405,7 @@ tGATT_STATUS gatts_db_read_attr_value_by_type (tGATT_TCB *p_tcb, *p_len -= (len + 2); } else { GATT_TRACE_WARNING("format mismatch"); + *p_cur_handle = p_attr->handle; status = GATT_NO_RESOURCES; break; } @@ -546,6 +552,7 @@ UINT16 gatts_add_characteristic (tGATT_SVC_DB *p_db, tGATT_PERM perm, if (attr_val != NULL) { if (!copy_extra_byte_in_db(p_db, (void **)&p_char_val->p_value, sizeof(tGATT_ATTR_VAL))) { + deallocate_attr_in_db(p_db, p_char_decl); deallocate_attr_in_db(p_db, p_char_val); return 0; } @@ -733,7 +740,7 @@ tGATT_STATUS gatts_set_attribute_value(tGATT_SVC_DB *p_db, UINT16 attr_handle, } p_cur = (tGATT_ATTR16 *) p_db->p_attr_list; - + BOOLEAN found = FALSE; while (p_cur != NULL) { if (p_cur->handle == attr_handle) { /* for characteristic should not be set, return GATT_NOT_FOUND */ @@ -758,13 +765,14 @@ tGATT_STATUS gatts_set_attribute_value(tGATT_SVC_DB *p_db, UINT16 attr_handle, } else{ memcpy(p_cur->p_value->attr_val.attr_val, value, length); p_cur->p_value->attr_val.attr_len = length; + found = TRUE; } break; } p_cur = p_cur->p_next; } - return GATT_SUCCESS; + return found ? GATT_SUCCESS : GATT_NOT_FOUND; } /******************************************************************************* @@ -1205,8 +1213,8 @@ tGATT_STATUS gatts_write_attr_perm_check (tGATT_SVC_DB *p_db, UINT8 op_code, GATT_TRACE_ERROR( "gatts_write_attr_perm_check - GATT_INSUF_AUTHORIZATION,handle %04x,perm %04x", handle, perm); } /* LE security mode 2 attribute */ - else if (perm & GATT_WRITE_SIGNED_PERM && op_code != GATT_SIGN_CMD_WRITE && !(sec_flag & GATT_SEC_FLAG_ENCRYPTED) - && (perm & GATT_WRITE_ALLOWED) == 0) { + else if ((perm & GATT_WRITE_SIGNED_PERM) && op_code != GATT_SIGN_CMD_WRITE && !(sec_flag & GATT_SEC_FLAG_ENCRYPTED) + && !(perm & (GATT_PERM_WRITE | GATT_PERM_WRITE_ENCRYPTED | GATT_PERM_WRITE_ENC_MITM))) { status = GATT_INSUF_AUTHENTICATION; GATT_TRACE_ERROR( "gatts_write_attr_perm_check - GATT_INSUF_AUTHENTICATION: LE security mode 2 required,handle %04x,perm %04x", handle, perm); } else { /* writable: must be char value declaration or char descriptors */ diff --git a/components/bt/host/bluedroid/stack/gatt/gatt_main.c b/components/bt/host/bluedroid/stack/gatt/gatt_main.c index 30b2d46833..5d57534f6c 100644 --- a/components/bt/host/bluedroid/stack/gatt/gatt_main.c +++ b/components/bt/host/bluedroid/stack/gatt/gatt_main.c @@ -1174,27 +1174,25 @@ void gatt_init_srv_chg (void) #if (GATTS_INCLUDED == TRUE) void gatt_proc_srv_chg (void) { - UINT8 start_idx, found_idx; - BD_ADDR bda; BOOLEAN srv_chg_ind_pending = FALSE; tGATT_TCB *p_tcb; - tBT_TRANSPORT transport; + list_node_t *p_node = NULL; GATT_TRACE_DEBUG ("gatt_proc_srv_chg"); if (gatt_cb.cb_info.p_srv_chg_callback && gatt_cb.handle_of_h_r) { gatt_set_srv_chg(); - start_idx = 0; - while (gatt_find_the_connected_bda(start_idx, bda, &found_idx, &transport)) { - p_tcb = gatt_get_tcb_by_idx(found_idx); - srv_chg_ind_pending = gatt_is_srv_chg_ind_pending(p_tcb); - if (!srv_chg_ind_pending) { - gatt_send_srv_chg_ind(bda); - } else { - GATT_TRACE_DEBUG ("discard srv chg - already has one in the queue"); + for (p_node = list_begin(gatt_cb.p_tcb_list); p_node; p_node = list_next(p_node)) { + p_tcb = list_node(p_node); + if (p_tcb->in_use && p_tcb->ch_state == GATT_CH_OPEN) { + srv_chg_ind_pending = gatt_is_srv_chg_ind_pending(p_tcb); + if (!srv_chg_ind_pending) { + gatt_send_srv_chg_ind(p_tcb->peer_bda); + } else { + GATT_TRACE_DEBUG ("discard srv chg - already has one in the queue"); + } } - start_idx = ++found_idx; } } } diff --git a/components/bt/host/bluedroid/stack/gatt/gatt_sr.c b/components/bt/host/bluedroid/stack/gatt/gatt_sr.c index 118dad4cb3..25bc51a02c 100644 --- a/components/bt/host/bluedroid/stack/gatt/gatt_sr.c +++ b/components/bt/host/bluedroid/stack/gatt/gatt_sr.c @@ -166,6 +166,12 @@ static BOOLEAN process_read_multi_rsp (tGATT_SR_CMD *p_cmd, tGATT_STATUS status, GATT_TRACE_DEBUG ("process_read_multi_rsp status=%d mtu=%d", status, mtu); + if (!p_msg) { + p_cmd->status = GATT_INVALID_PDU; + GATT_TRACE_ERROR("process_read_multi_rsp - invalid p_msg"); + return TRUE; + } + if (p_cmd->multi_rsp_q == NULL) { p_cmd->multi_rsp_q = fixed_queue_new(QUEUE_SIZE_MAX); } @@ -287,6 +293,12 @@ static BOOLEAN process_read_multi_var_rsp (tGATT_SR_CMD *p_cmd, tGATT_STATUS sta GATT_TRACE_DEBUG ("process_read_multi_var rsp status=%d mtu=%d", status, mtu); + if (!p_msg) { + GATT_TRACE_ERROR("process_read_multi_var_rsp - invalid p_msg"); + p_cmd->status = GATT_INVALID_PDU; + return TRUE; + } + if (p_cmd->multi_rsp_q == NULL) { p_cmd->multi_rsp_q = fixed_queue_new(QUEUE_SIZE_MAX); } diff --git a/components/bt/host/bluedroid/stack/gatt/gatt_sr_hash.c b/components/bt/host/bluedroid/stack/gatt/gatt_sr_hash.c index d5a4b3a5e9..c7db69b6f5 100644 --- a/components/bt/host/bluedroid/stack/gatt/gatt_sr_hash.c +++ b/components/bt/host/bluedroid/stack/gatt/gatt_sr_hash.c @@ -56,6 +56,15 @@ static void attr_uuid_to_bt_uuid(void *p_attr, tBT_UUID *p_uuid) } } +static UINT8 get_uuid_stream_len(tBT_UUID uuid) +{ + // gatt_build_uuid_to_stream always converts 32-bit UUID to 128-bit UUID + if (uuid.len == LEN_UUID_32) { + return LEN_UUID_128; + } + return uuid.len; +} + static size_t calculate_database_info_size(void) { UINT8 i; @@ -71,17 +80,17 @@ static size_t calculate_database_info_size(void) if (p_attr->uuid == GATT_UUID_PRI_SERVICE || p_attr->uuid == GATT_UUID_SEC_SERVICE) { // Service declaration - len += 4 + p_attr->p_value->uuid.len; + len += 4 + get_uuid_stream_len(p_attr->p_value->uuid); } else if (p_attr->uuid == GATT_UUID_INCLUDE_SERVICE) { // Included service declaration - len += 8 + p_attr->p_value->incl_handle.service_type.len; + len += 8 + get_uuid_stream_len(p_attr->p_value->incl_handle.service_type); } else if (p_attr->uuid == GATT_UUID_CHAR_DECLARE) { tBT_UUID char_uuid = {0}; // Characteristic declaration p_attr = (tGATT_ATTR16 *)p_attr->p_next; attr_uuid_to_bt_uuid((void *)p_attr, &char_uuid); // Increment 1 to fetch characteristic uuid from value declaration attribute - len += 7 + char_uuid.len; + len += 7 + get_uuid_stream_len(char_uuid); } else if (p_attr->uuid == GATT_UUID_CHAR_DESCRIPTION || p_attr->uuid == GATT_UUID_CHAR_CLIENT_CONFIG || p_attr->uuid == GATT_UUID_CHAR_SRVR_CONFIG || diff --git a/components/bt/host/bluedroid/stack/gatt/gatt_utils.c b/components/bt/host/bluedroid/stack/gatt/gatt_utils.c index e950b67932..451ce28709 100644 --- a/components/bt/host/bluedroid/stack/gatt/gatt_utils.c +++ b/components/bt/host/bluedroid/stack/gatt/gatt_utils.c @@ -74,7 +74,7 @@ const char *const op_code_name[] = { "ATT_OP_CODE_MAX" }; -static const UINT8 base_uuid[LEN_UUID_128] = {0xFB, 0x34, 0x9B, 0x5F, 0x80, 0x00, 0x00, 0x80, +const UINT8 base_uuid[LEN_UUID_128] = {0xFB, 0x34, 0x9B, 0x5F, 0x80, 0x00, 0x00, 0x80, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; @@ -216,11 +216,12 @@ tGATTS_PENDING_NEW_SRV_START *gatt_sr_is_new_srv_chg(tBT_UUID *p_app_uuid128, tB list_t *list = fixed_queue_get_list(gatt_cb.pending_new_srv_start_q); for (const list_node_t *node = list_begin(list); node != list_end(list); node = list_next(node)) { - p_buf = (tGATTS_PENDING_NEW_SRV_START *)list_node(node); - tGATTS_HNDL_RANGE *p = p_buf->p_new_srv_start; + tGATTS_PENDING_NEW_SRV_START *p_temp = (tGATTS_PENDING_NEW_SRV_START *)list_node(node); + tGATTS_HNDL_RANGE *p = p_temp->p_new_srv_start; if (gatt_uuid_compare(*p_app_uuid128, p->app_uuid128) && gatt_uuid_compare (*p_svc_uuid, p->svc_uuid) && (svc_inst == p->svc_inst)) { + p_buf = p_temp; GATT_TRACE_DEBUG("gatt_sr_is_new_srv_chg: Yes"); break; } @@ -449,19 +450,17 @@ void gatt_free_hdl_buffer(tGATT_HDL_LIST_ELEM *p) void gatt_free_srvc_db_buffer_app_id(tBT_UUID *p_app_id) { tGATT_HDL_LIST_ELEM *p_elem = &gatt_cb.hdl_list[0]; + tGATT_HDL_LIST_INFO *p_list_info = &gatt_cb.hdl_list_info; UINT8 i; for (i = 0; i < GATT_MAX_SR_PROFILES; i ++, p_elem ++) { if (memcmp(p_app_id, &p_elem->asgn_range.app_uuid128, sizeof(tBT_UUID)) == 0) { + /* Remove from linked list first */ + gatt_remove_an_item_from_list(p_list_info, p_elem); + /* Free attribute value buffers */ gatt_free_attr_value_buffer(p_elem); - while (!fixed_queue_is_empty(p_elem->svc_db.svc_buffer)) { - osi_free(fixed_queue_dequeue(p_elem->svc_db.svc_buffer, 0)); - } - fixed_queue_free(p_elem->svc_db.svc_buffer, NULL); - p_elem->svc_db.svc_buffer = NULL; - - p_elem->svc_db.mem_free = 0; - p_elem->svc_db.p_attr_list = p_elem->svc_db.p_free_mem = NULL; + /* Free the handle buffer completely (including svc_buffer and setting in_use = FALSE) */ + gatt_free_hdl_buffer(p_elem); } } } @@ -631,7 +630,17 @@ BOOLEAN gatt_remove_a_srv_from_list(tGATT_SRV_LIST_INFO *p_list, tGATT_SRV_LIST_ p_remove->p_next->p_prev = p_remove->p_prev; p_remove->p_prev->p_next = p_remove->p_next; } - p_list->count--; + // If the list is now empty, update p_last to NULL + if(p_list->p_first == NULL) { + p_list->p_last = NULL; + } + if (p_list->count) { + p_list->count --; + } else { + GATT_TRACE_ERROR("Error: p_list->count is already zero"); + } + + gatt_update_last_pri_srv_info(p_list); return TRUE; @@ -722,46 +731,20 @@ BOOLEAN gatt_remove_an_item_from_list(tGATT_HDL_LIST_INFO *p_list, tGATT_HDL_LIS p_remove->p_next->p_prev = p_remove->p_prev; p_remove->p_prev->p_next = p_remove->p_next; } - p_list->count--; + // If the list is now empty, update p_last to NULL + if (p_list->p_first == NULL) { + p_list->p_last = NULL; + } + + if(p_list->count > 0) { + p_list->count--; + } else { + GATT_TRACE_ERROR("Error: p_list->count is already zero"); + } return TRUE; } -/******************************************************************************* -** -** Function gatt_find_the_connected_bda -** -** Description This function find the connected bda -** -** Returns TRUE if found -** -*******************************************************************************/ -BOOLEAN gatt_find_the_connected_bda(UINT8 start_idx, BD_ADDR bda, UINT8 *p_found_idx, - tBT_TRANSPORT *p_transport) -{ - BOOLEAN found = FALSE; - GATT_TRACE_DEBUG("gatt_find_the_connected_bda start_idx=%d", start_idx); - tGATT_TCB *p_tcb = NULL; - list_node_t *p_node = NULL; - p_tcb = gatt_get_tcb_by_idx(start_idx); - if (p_tcb) { - for(p_node = list_get_node(gatt_cb.p_tcb_list, p_tcb); p_node; p_node = list_next(p_node)) { - p_tcb = list_node(p_node); - if (p_tcb->in_use && p_tcb->ch_state == GATT_CH_OPEN) { - memcpy( bda, p_tcb->peer_bda, BD_ADDR_LEN); - *p_found_idx = p_tcb->tcb_idx; - *p_transport = p_tcb->transport; - found = TRUE; - GATT_TRACE_DEBUG("gatt_find_the_connected_bda bda :%02x-%02x-%02x-%02x-%02x-%02x", - bda[0], bda[1], bda[2], bda[3], bda[4], bda[5]); - break; - } - } - GATT_TRACE_DEBUG("gatt_find_the_connected_bda found=%d found_idx=%d", found, p_tcb->tcb_idx); - } - return found; -} - #if (GATTS_INCLUDED == TRUE) /******************************************************************************* ** @@ -1736,14 +1719,18 @@ tGATT_CLCB *gatt_clcb_alloc (UINT16 conn_id) if (list_length(gatt_cb.p_clcb_list) < GATT_CL_MAX_LCB) { p_clcb = (tGATT_CLCB *)osi_malloc(sizeof(tGATT_CLCB)); if (p_clcb) { - list_append(gatt_cb.p_clcb_list, p_clcb); - memset(p_clcb, 0, sizeof(tGATT_CLCB)); - p_clcb->in_use = TRUE; - p_clcb->conn_id = conn_id; - //Add index of the clcb same as conn_id - p_clcb->clcb_idx = conn_id; - p_clcb->p_reg = p_reg; - p_clcb->p_tcb = p_tcb; + if (!list_append(gatt_cb.p_clcb_list, p_clcb)) { + osi_free(p_clcb); + GATT_TRACE_ERROR("gatt_clcb_alloc: could not add clcb to list"); + return NULL; + } + memset(p_clcb, 0, sizeof(tGATT_CLCB)); + p_clcb->in_use = TRUE; + p_clcb->conn_id = conn_id; + //Add index of the clcb same as conn_id + p_clcb->clcb_idx = conn_id; + p_clcb->p_reg = p_reg; + p_clcb->p_tcb = p_tcb; } } return p_clcb; @@ -1761,6 +1748,10 @@ tGATT_CLCB *gatt_clcb_alloc (UINT16 conn_id) void gatt_clcb_dealloc (tGATT_CLCB *p_clcb) { if (p_clcb && p_clcb->in_use) { + if (p_clcb->p_attr_buf) { + osi_free(p_clcb->p_attr_buf); + p_clcb->p_attr_buf = NULL; + } btu_free_timer(&p_clcb->rsp_timer_ent); memset(p_clcb, 0, sizeof(tGATT_CLCB)); list_remove(gatt_cb.p_clcb_list, p_clcb); @@ -2265,6 +2256,7 @@ void gatt_end_operation(tGATT_CLCB *p_clcb, tGATT_STATUS status, void *p_data) if (p_clcb->p_attr_buf) { osi_free(p_clcb->p_attr_buf); + p_clcb->p_attr_buf = NULL; } #if !CONFIG_BT_STACK_NO_LOG diff --git a/components/bt/host/bluedroid/stack/gatt/include/gatt_int.h b/components/bt/host/bluedroid/stack/gatt/include/gatt_int.h index 933312a46e..02b36f0fa4 100644 --- a/components/bt/host/bluedroid/stack/gatt/include/gatt_int.h +++ b/components/bt/host/bluedroid/stack/gatt/include/gatt_int.h @@ -605,6 +605,8 @@ extern void gatt_set_err_rsp(BOOLEAN enable, UINT8 req_op_code, UINT8 err_status } #endif +extern const UINT8 base_uuid[LEN_UUID_128]; + /* internal functions */ extern void gatt_init (void); extern void gatt_free(void); @@ -660,7 +662,6 @@ extern tGATTS_PENDING_NEW_SRV_START *gatt_sr_is_new_srv_chg(tBT_UUID *p_app_uuid extern BOOLEAN gatt_is_srv_chg_ind_pending (tGATT_TCB *p_tcb); extern tGATTS_SRV_CHG *gatt_is_bda_in_the_srv_chg_clt_list (BD_ADDR bda); -extern BOOLEAN gatt_find_the_connected_bda(UINT8 start_idx, BD_ADDR bda, UINT8 *p_found_idx, tBT_TRANSPORT *p_transport); extern void gatt_set_srv_chg(void); extern void gatt_delete_dev_from_srv_chg_clt_list(BD_ADDR bd_addr); extern tGATTS_PENDING_NEW_SRV_START *gatt_add_pending_new_srv_start( tGATTS_HNDL_RANGE *p_new_srv_start); diff --git a/components/bt/host/bluedroid/stack/hcic/hciblecmds.c b/components/bt/host/bluedroid/stack/hcic/hciblecmds.c index fef574fd6a..a688c12b00 100644 --- a/components/bt/host/bluedroid/stack/hcic/hciblecmds.c +++ b/components/bt/host/bluedroid/stack/hcic/hciblecmds.c @@ -1419,7 +1419,7 @@ UINT8 btsnd_hcic_ble_read_max_adv_len(void) UINT8 *pp; HCI_TRACE_EVENT("%s", __func__); - HCIC_BLE_CMD_CREATED(p, pp, HCIC_PARAM_SIZE_READ_MAX_ADV_SIZE + 1); + HCIC_BLE_CMD_CREATED(p, pp, HCIC_PARAM_SIZE_READ_MAX_ADV_SIZE); UINT16_TO_STREAM(pp, HCI_BLE_RD_MAX_ADV_DATA_LEN); UINT8_TO_STREAM(pp, HCIC_PARAM_SIZE_READ_MAX_ADV_SIZE); @@ -1433,7 +1433,7 @@ UINT8 btsnd_hcic_ble_read_num_support_adv_set(void) UINT8 *pp; HCI_TRACE_EVENT("%s", __func__); - HCIC_BLE_CMD_CREATED(p, pp, HCIC_PARAM_SIZE_NUM_SUPPORT_ADV_SET + 1); + HCIC_BLE_CMD_CREATED(p, pp, HCIC_PARAM_SIZE_NUM_SUPPORT_ADV_SET); UINT16_TO_STREAM(pp, HCI_BLE_RD_NUM_OF_ADV_SETS); UINT8_TO_STREAM(pp, HCIC_PARAM_SIZE_NUM_SUPPORT_ADV_SET); @@ -1447,7 +1447,7 @@ UINT8 btsnd_hcic_ble_remove_adv_set(UINT8 adv_handle) UINT8 *pp; HCI_TRACE_EVENT("%s, adv_handle = %d", __func__, adv_handle); - HCIC_BLE_CMD_CREATED(p, pp, HCIC_PARAM_SIZE_REMOVE_ADV_SET + 1); + HCIC_BLE_CMD_CREATED(p, pp, HCIC_PARAM_SIZE_REMOVE_ADV_SET); UINT16_TO_STREAM(pp, HCI_BLE_REMOVE_ADV_SET); UINT8_TO_STREAM(pp, HCIC_PARAM_SIZE_REMOVE_ADV_SET); @@ -1462,7 +1462,7 @@ UINT8 btsnd_hcic_ble_clear_adv_set(void) UINT8 *pp; HCI_TRACE_EVENT("%s", __func__); - HCIC_BLE_CMD_CREATED(p, pp, HCIC_PARAM_SIZE_CLEAR_ADV_SET + 1); + HCIC_BLE_CMD_CREATED(p, pp, HCIC_PARAM_SIZE_CLEAR_ADV_SET); UINT16_TO_STREAM(pp, HCI_BLE_CLEAR_ADV_SETS); UINT8_TO_STREAM(pp, HCIC_PARAM_SIZE_CLEAR_ADV_SET); @@ -1781,15 +1781,16 @@ BOOLEAN btsnd_hcic_ble_create_ext_conn_v2(tHCI_CreatExtConn *p_conn) #if (BLE_50_EXTEND_SYNC_EN == TRUE) BOOLEAN btsnd_hcic_ble_periodic_adv_create_sync(UINT8 option, UINT8 adv_sid, UINT8 adv_addr_type, BD_ADDR adv_addr, + UINT16 skip, UINT16 sync_timeout, UINT8 sync_cte_type) { BT_HDR *p; UINT8 *pp; - HCI_TRACE_EVENT("%s, option = %d, adv_sid = %d, adv_addr_type = %d, sync_timeout = %d, sync_cte_type = %d", - __func__, option, adv_sid, adv_addr_type, sync_timeout, sync_cte_type); + HCI_TRACE_EVENT("%s, option = %d, adv_sid = %d, adv_addr_type = %d, skip = %d, sync_timeout = %d, sync_cte_type = %d", + __func__, option, adv_sid, adv_addr_type, skip, sync_timeout, sync_cte_type); HCI_TRACE_EVENT("addr %02x %02x %02x %02x %02x %02x", adv_addr[0], adv_addr[1], adv_addr[2], adv_addr[3], adv_addr[4], adv_addr[5]); - uint16_t skip = 0; + HCIC_BLE_CMD_CREATED(p, pp, HCIC_PARAM_SIZE_PERIODIC_ADV_CREATE_SYNC + 2); UINT16_TO_STREAM(pp, HCI_BLE_PERIOD_ADV_CREATE_SYNC); @@ -1949,7 +1950,7 @@ UINT8 btsnd_hcic_ble_write_rf_path_compensation(UINT16 rf_tx_path, UINT16 rf_rx_ UINT8_TO_STREAM(pp, HCIC_PARAM_SIZE_WRITE_RF_PATH_COMPENSATION); UINT16_TO_STREAM(pp, rf_tx_path); - UINT16_TO_STREAM(pp, rf_tx_path); + UINT16_TO_STREAM(pp, rf_rx_path); return btu_hcif_send_cmd_sync(LOCAL_BR_EDR_CONTROLLER_ID, p); } @@ -2157,7 +2158,7 @@ BOOLEAN btsnd_hcic_ble_set_vendor_evt_mask (UINT32 evt_mask) #if (BLE_FEAT_ISO_EN == TRUE) -#if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) UINT8 btsnd_hcic_ble_big_create(uint8_t big_handle, uint8_t adv_handle, uint8_t num_bis, uint32_t sdu_interval, uint16_t max_sdu, uint16_t max_transport_latency, uint8_t rtn, uint8_t phy, uint8_t packing, uint8_t framing, @@ -2255,7 +2256,7 @@ UINT8 btsnd_hcic_ble_big_terminate(uint8_t big_handle, uint8_t reason) btu_hcif_send_cmd(LOCAL_BR_EDR_CONTROLLER_ID, p); return TRUE; } -#endif // #if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#endif // #if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) #if (BLE_FEAT_ISO_BIG_SYNCER_EN == TRUE) UINT8 btsnd_hcic_ble_big_sync_create(uint8_t big_handle, uint16_t sync_handle, uint8_t encryption, uint8_t *bc_code, @@ -3395,7 +3396,7 @@ UINT8 btsnd_hcic_ble_cs_procedure_enable(UINT16 conn_handle, UINT8 config_id, UI UINT8_TO_STREAM(pp, config_id); UINT8_TO_STREAM(pp, enable); - btu_hcif_send_cmd_sync(LOCAL_BR_EDR_CONTROLLER_ID, p); + btu_hcif_send_cmd(LOCAL_BR_EDR_CONTROLLER_ID, p); return TRUE; } diff --git a/components/bt/host/bluedroid/stack/include/stack/bt_types.h b/components/bt/host/bluedroid/stack/include/stack/bt_types.h index 4050b79d3b..9d59bdda53 100644 --- a/components/bt/host/bluedroid/stack/include/stack/bt_types.h +++ b/components/bt/host/bluedroid/stack/include/stack/bt_types.h @@ -260,6 +260,7 @@ typedef struct { #define STREAM_SKIP_UINT8(p) do { (p) += 1; } while (0) #define STREAM_SKIP_UINT16(p) do { (p) += 2; } while (0) +#define STREAM_SKIP_UINT24(p) do { (p) += 3; } while (0) /******************************************************************************** ** Macros to get and put bytes to and from a field (Little Endian format). diff --git a/components/bt/host/bluedroid/stack/include/stack/btm_api.h b/components/bt/host/bluedroid/stack/include/stack/btm_api.h index 3f932d087d..b1d9469f47 100644 --- a/components/bt/host/bluedroid/stack/include/stack/btm_api.h +++ b/components/bt/host/bluedroid/stack/include/stack/btm_api.h @@ -805,16 +805,6 @@ typedef struct { BD_ADDR rem_bda; /* Remote device Bluetooth address */ } tBTM_BLE_CH_MAP_RESULTS; -/* Structure returned with read current TX power event (in tBTM_CMPL_CB callback function) -** in response to BTM_ReadTxPower call. -*/ -typedef struct { - tBTM_STATUS status; - UINT8 hci_status; - INT8 tx_power; - BD_ADDR rem_bda; -} tBTM_TX_POWER_RESULTS; - /* Structure returned with read link quality event (in tBTM_CMPL_CB callback function) ** in response to BTM_ReadLinkQuality call. */ diff --git a/components/bt/host/bluedroid/stack/include/stack/btm_ble_api.h b/components/bt/host/bluedroid/stack/include/stack/btm_ble_api.h index e331a39bf2..57c4660bc6 100644 --- a/components/bt/host/bluedroid/stack/include/stack/btm_ble_api.h +++ b/components/bt/host/bluedroid/stack/include/stack/btm_ble_api.h @@ -978,10 +978,10 @@ typedef void (tBTM_SET_VENDOR_EVT_MASK_CBACK) (tBTM_STATUS status); typedef UINT8 tBTM_BLE_5_GAP_EVENT; #if (BLE_FEAT_ISO_EN == TRUE) -#if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) #define BTM_BLE_ISO_BIG_CREATE_COMPLETE_EVT 1 #define BTM_BLE_ISO_BIG_TERMINATE_COMPLETE_EVT 2 -#endif // #if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#endif // #if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) #if (BLE_FEAT_ISO_BIG_SYNCER_EN == TRUE) #define BTM_BLE_ISO_BIG_SYNC_ESTABLISHED_EVT 3 #define BTM_BLE_ISO_BIG_SYNC_LOST_EVT 4 @@ -1099,7 +1099,7 @@ typedef struct { typedef struct { UINT8 status; UINT8 instance_num; - UINT8 instance[10]; + UINT8 instance[MAX_BLE_ADV_INSTANCE]; } tBTM_BLE_EXT_ADV_START_CMPL; typedef struct { @@ -1537,7 +1537,7 @@ typedef struct { #endif // (BT_BLE_FEAT_CHANNEL_SOUNDING == TRUE) #if (BLE_FEAT_ISO_EN == TRUE) -#if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) typedef struct { UINT8 status; UINT8 big_handle; @@ -1559,7 +1559,7 @@ typedef struct { UINT8 big_handle; UINT8 reason; } tBTM_BLE_BIG_TERMINATE_CMPL; -#endif // #if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#endif // #if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) #if (BLE_FEAT_ISO_BIG_SYNCER_EN == TRUE) typedef struct { @@ -1704,10 +1704,10 @@ typedef struct { typedef union { UINT8 status; -#if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) tBTM_BLE_BIG_CREATE_CMPL btm_big_cmpl; tBTM_BLE_BIG_TERMINATE_CMPL btm_big_term; -#endif // #if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#endif // #if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) #if (BLE_FEAT_ISO_BIG_SYNCER_EN == TRUE) tBTM_BLE_BIG_SYNC_ESTAB_CMPL btm_big_sync_estab; tBTM_BLE_BIG_SYNC_LOST_EVT btm_big_sync_lost; @@ -3107,7 +3107,7 @@ void BTM_BleSetPeriodicAdvSyncTransParams(BD_ADDR bd_addr, UINT8 mode, UINT16 sk #if (BLE_FEAT_ISO_EN == TRUE) void BTM_BleIsoRegisterCallback(tBTM_BLE_ISO_CBACK cb); -#if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) tBTM_STATUS BTM_BleBigCreate(uint8_t big_handle, uint8_t adv_handle, uint8_t num_bis, uint32_t sdu_interval, uint16_t max_sdu, uint16_t max_transport_latency, uint8_t rtn, uint8_t phy, uint8_t packing, uint8_t framing, @@ -3120,7 +3120,7 @@ tBTM_STATUS BTM_BleBigCreateTest(uint8_t big_handle, uint8_t adv_handle, uint8_t uint8_t pto, uint8_t encryption, uint8_t *broadcast_code); tBTM_STATUS BTM_BleBigTerminate(UINT8 big_handle, UINT8 reason); -#endif // #if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#endif // #if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) #if (BLE_FEAT_ISO_BIG_SYNCER_EN == TRUE) tBTM_STATUS BTM_BleBigSyncCreate(uint8_t big_handle, uint16_t sync_handle, uint8_t encryption, uint8_t *bc_code, diff --git a/components/bt/host/bluedroid/stack/include/stack/hcidefs.h b/components/bt/host/bluedroid/stack/include/stack/hcidefs.h index ca6f901377..44e68223c8 100644 --- a/components/bt/host/bluedroid/stack/include/stack/hcidefs.h +++ b/components/bt/host/bluedroid/stack/include/stack/hcidefs.h @@ -914,10 +914,10 @@ #if (BLE_FEAT_ISO_EN == TRUE) #define HCI_BLE_CIS_ESTABLISHED_V1_EVT 0x19 #define HCI_BLE_CIS_REQUEST_EVT 0x1A -#if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) #define HCI_BLE_BIG_CREATE_COMPLETE_EVT 0x1B #define HCI_BLE_BIG_TERMINATE_COMPLETE_EVT 0x1C -#endif // #if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#endif // #if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) #if (BLE_FEAT_ISO_BIG_SYNCER_EN == TRUE) #define HCI_BLE_BIG_SYNC_ESTABLISHED_EVT 0x1D #define HCI_BLE_BIG_SYNC_LOST_EVT 0x1E diff --git a/components/bt/host/bluedroid/stack/include/stack/hcimsgs.h b/components/bt/host/bluedroid/stack/include/stack/hcimsgs.h index 2e003353da..450fbfef20 100644 --- a/components/bt/host/bluedroid/stack/include/stack/hcimsgs.h +++ b/components/bt/host/bluedroid/stack/include/stack/hcimsgs.h @@ -1042,6 +1042,7 @@ BOOLEAN btsnd_hcic_ble_create_ext_conn_v2(tHCI_CreatExtConn *p_conn); BOOLEAN btsnd_hcic_ble_periodic_adv_create_sync(UINT8 filter_policy, UINT8 adv_sid, UINT8 adv_addr_type, BD_ADDR adv_addr, + UINT16 skip, UINT16 sync_timeout, UINT8 sync_cte_type); UINT8 btsnd_hcic_ble_periodic_adv_create_sync_cancel(void); @@ -1100,11 +1101,11 @@ UINT8 btsnd_hcic_ble_set_default_periodic_adv_sync_trans_params(UINT8 mode, UINT #define HCIC_PARAM_SIZE_ISO_ACCEPT_CIS_REQ_PARAMS 2 #define HCIC_PARAM_SIZE_ISO_REJECT_CIS_REQ_PARAMS 3 #define HCIC_PARAM_SIZE_ISO_READ_LINK_QUALITY_PARAMS 2 -#if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) #define HCIC_PARAM_SIZE_BIG_CREATE_PARAMS 31 #define HCIC_PARAM_SIZE_BIG_CREATE_TEST_PARAMS 36 #define HCIC_PARAM_SIZE_BIG_TERMINATE_PARAMS 2 -#endif // #if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#endif // #if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) #if (BLE_FEAT_ISO_BIG_SYNCER_EN == TRUE) #define HCIC_PARAM_SIZE_BIG_SYNC_CREATE_PARAMS 55 #define HCIC_PARAM_SIZE_BIG_SYNC_TERMINATE_PARAMS 1 @@ -1155,7 +1156,7 @@ UINT8 btsnd_hcic_ble_iso_accept_cis_req(uint16_t cis_handle); UINT8 btsnd_hcic_ble_iso_reject_cis_req(uint16_t cis_handle, uint8_t reason); #endif // #if (BLE_FEAT_ISO_CIG_PERIPHERAL_EN == TRUE) -#if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) UINT8 btsnd_hcic_ble_big_create(uint8_t big_handle, uint8_t adv_handle, uint8_t num_bis, uint32_t sdu_interval, uint16_t max_sdu, uint16_t max_transport_latency, uint8_t rtn, uint8_t phy, uint8_t packing, uint8_t framing, @@ -1168,7 +1169,7 @@ UINT8 btsnd_hcic_ble_big_create_test(uint8_t big_handle, uint8_t adv_handle, uin uint8_t pto, uint8_t encryption, uint8_t *broadcast_code); UINT8 btsnd_hcic_ble_big_terminate(uint8_t big_handle, uint8_t reason); -#endif // #if (BLE_FEAT_ISO_BIG_BROCASTER_EN == TRUE) +#endif // #if (BLE_FEAT_ISO_BIG_BROADCASTER_EN == TRUE) #if (BLE_FEAT_ISO_BIG_SYNCER_EN == TRUE) UINT8 btsnd_hcic_ble_big_sync_create(uint8_t big_handle, uint16_t sync_handle, diff --git a/components/bt/host/bluedroid/stack/l2cap/l2c_ble.c b/components/bt/host/bluedroid/stack/l2cap/l2c_ble.c index e0f787c9a1..88cc764dcf 100644 --- a/components/bt/host/bluedroid/stack/l2cap/l2c_ble.c +++ b/components/bt/host/bluedroid/stack/l2cap/l2c_ble.c @@ -234,6 +234,7 @@ BOOLEAN L2CA_EnableUpdateBleConnParams (BD_ADDR rem_bda, BOOLEAN enable) return (FALSE); } bool is_disable = (p_lcb->conn_update_mask & L2C_BLE_CONN_UPDATE_DISABLE); + // for multiple links, actively updating the parameters to 7.5ms may degrade multi-connection performance if(l2cu_ble_plcb_active_count() >1 && !(enable && is_disable)) { return FALSE; } @@ -875,10 +876,11 @@ void l2cble_process_sig_cmd (tL2C_LCB *p_lcb, UINT8 *p, UINT16 pkt_len) p_ccb = l2cu_find_ccb_by_cid(p_lcb, lcid); if (p_ccb) { p_ccb->remote_id = id; - // TODO + l2cu_send_peer_disc_rsp(p_lcb, id, lcid, rcid); + } else { + L2CAP_TRACE_WARNING ("L2CAP - LE - disc req with invalid lcid, send cmd reject"); + l2cu_send_peer_cmd_reject(p_lcb, L2CAP_CMD_REJ_INVALID_CID, id, rcid, lcid); } - - l2cu_send_peer_disc_rsp(p_lcb, id, lcid, rcid); break; } default: @@ -1073,19 +1075,29 @@ BOOLEAN l2cble_init_direct_conn (tL2C_LCB *p_lcb) #if (BT_BLE_FEAT_PAWR_EN == TRUE) if (p_lcb->is_pawr_synced) { if(!btsnd_hcic_ble_create_ext_conn_v2(&aux_conn)) { + l2cb.is_ble_connecting = FALSE; + memset(l2cb.ble_connecting_bda, 0, BD_ADDR_LEN); + btm_ble_set_conn_st (BLE_CONN_IDLE); l2cu_release_lcb (p_lcb); L2CAP_TRACE_ERROR("initiate pawr sync connection failed, no resources"); + return (FALSE); } } else #endif // (BT_BLE_FEAT_PAWR_EN == TRUE) { if(!btsnd_hcic_ble_create_ext_conn(&aux_conn)) { + l2cb.is_ble_connecting = FALSE; + memset(l2cb.ble_connecting_bda, 0, BD_ADDR_LEN); + btm_ble_set_conn_st (BLE_CONN_IDLE); l2cu_release_lcb (p_lcb); L2CAP_TRACE_ERROR("initiate Aux connection failed, no resources"); + return (FALSE); } } #else + l2cu_release_lcb (p_lcb); L2CAP_TRACE_ERROR("BLE 5.0 not support!\n"); + return (FALSE); #endif // #if (BLE_50_FEATURE_SUPPORT == TRUE) return (TRUE); } @@ -1293,7 +1305,7 @@ void l2cble_process_rc_param_request_evt(UINT16 handle, UINT16 int_min, UINT16 i btsnd_hcic_ble_rc_param_req_reply(handle, int_min, int_max, latency, timeout, BLE_CE_LEN_MIN, BLE_CE_LEN_MIN); }else { L2CAP_TRACE_EVENT ("L2CAP - LE - update currently disabled"); - p_lcb->conn_update_mask |= L2C_BLE_NEW_CONN_PARAM; + // p_lcb->conn_update_mask |= L2C_BLE_NEW_CONN_PARAM; btsnd_hcic_ble_rc_param_req_neg_reply (handle, HCI_ERR_UNACCEPT_CONN_INTERVAL); } } diff --git a/components/bt/host/bluedroid/stack/l2cap/l2c_link.c b/components/bt/host/bluedroid/stack/l2cap/l2c_link.c index a51c4e8427..9eefc8c075 100644 --- a/components/bt/host/bluedroid/stack/l2cap/l2c_link.c +++ b/components/bt/host/bluedroid/stack/l2cap/l2c_link.c @@ -43,7 +43,7 @@ static BOOLEAN l2c_link_send_to_lower (tL2C_LCB *p_lcb, BT_HDR *p_buf); #if (BLE_50_FEATURE_SUPPORT == TRUE) -extern tBTM_STATUS BTM_BleStartExtAdvRestart(uint8_t handle); +extern tBTM_STATUS BTM_BleStartExtAdvRestart(uint16_t handle); #endif// #if (BLE_50_FEATURE_SUPPORT == TRUE) extern bool btm_ble_inter_get(void); diff --git a/components/bt/host/bluedroid/stack/l2cap/l2c_main.c b/components/bt/host/bluedroid/stack/l2cap/l2c_main.c index d5d6b91dbb..c2c3150b2d 100644 --- a/components/bt/host/bluedroid/stack/l2cap/l2c_main.c +++ b/components/bt/host/bluedroid/stack/l2cap/l2c_main.c @@ -909,7 +909,7 @@ void l2c_init (void) l2cb.l2c_ble_fixed_chnls_mask = L2CAP_FIXED_CHNL_ATT_BIT | L2CAP_FIXED_CHNL_BLE_SIG_BIT | L2CAP_FIXED_CHNL_SMP_BIT; #endif - + // Free callback must be NULL l2cb.rcv_pending_q = list_new(NULL); if (l2cb.rcv_pending_q == NULL) { L2CAP_TRACE_ERROR("%s unable to allocate memory for link layer control block", __func__); @@ -948,6 +948,10 @@ void l2c_free_p_ccb_pool(void) void l2c_free(void) { + // check again + if (l2cb.rcv_pending_q && list_length(l2cb.rcv_pending_q) > 0) { + assert(0); + } list_free(l2cb.rcv_pending_q); l2cb.rcv_pending_q = NULL; l2c_free_p_lcb_pool(); diff --git a/components/bt/host/bluedroid/stack/l2cap/l2c_utils.c b/components/bt/host/bluedroid/stack/l2cap/l2c_utils.c index de1faec749..3d3c1cc3ff 100644 --- a/components/bt/host/bluedroid/stack/l2cap/l2c_utils.c +++ b/components/bt/host/bluedroid/stack/l2cap/l2c_utils.c @@ -170,6 +170,10 @@ void l2cu_release_lcb (tL2C_LCB *p_lcb) p_lcb->start_time_s = 0; #endif // #if (BLE_INCLUDED == TRUE) +#if (BT_BLE_FEAT_PAWR_EN == TRUE) + p_lcb->is_pawr_synced = FALSE; +#endif + /* Stop and release timers */ btu_free_timer (&p_lcb->timer_entry); memset(&p_lcb->timer_entry, 0, sizeof(TIMER_LIST_ENT)); @@ -364,10 +368,7 @@ uint8_t l2cu_ble_plcb_active_count(void) active_count ++; } } - if (active_count >= MAX_L2CAP_CHANNELS) { - L2CAP_TRACE_ERROR("error active count"); - active_count = 0; - } + L2CAP_TRACE_DEBUG("plcb active count %d", active_count); return active_count; @@ -3286,7 +3287,7 @@ tL2C_LCB *l2cu_find_lcb_by_handle (UINT16 handle) bool l2cu_find_ccb_in_list(void *p_ccb_node, void *p_local_cid) { tL2C_CCB *p_ccb = (tL2C_CCB *)p_ccb_node; - uint8_t local_cid = *((uint8_t *)p_local_cid); + uint16_t local_cid = *((uint16_t *)p_local_cid); if (p_ccb->local_cid == local_cid && p_ccb->in_use) { return FALSE; diff --git a/components/bt/host/bluedroid/stack/smp/p_256_ecc_pp.c b/components/bt/host/bluedroid/stack/smp/p_256_ecc_pp.c index d3b9452c1e..4cd5150b05 100644 --- a/components/bt/host/bluedroid/stack/smp/p_256_ecc_pp.c +++ b/components/bt/host/bluedroid/stack/smp/p_256_ecc_pp.c @@ -177,9 +177,16 @@ static void ECC_NAF(uint8_t *naf, uint32_t *NumNAF, DWORD *k, uint32_t keyLength k[0] = k[0] + 1; if (k[0] == 0) { //overflow j = 1; - do { + while (j < keyLength && k[j] == 0xFFFFFFFF) { + k[j] = 0; + j++; + } + if (j < keyLength) { k[j]++; - } while (k[j++] == 0); //overflow + } + // If j >= keyLength, the entire key is 0xFFFFFFFF, + // which should not happen for a valid private key. + // In this case, we stop the propagation to prevent buffer overflow. } } } else { diff --git a/components/bt/host/bluedroid/stack/smp/smp_keys.c b/components/bt/host/bluedroid/stack/smp/smp_keys.c index 63fd74b65e..30c602b4b1 100644 --- a/components/bt/host/bluedroid/stack/smp/smp_keys.c +++ b/components/bt/host/bluedroid/stack/smp/smp_keys.c @@ -621,10 +621,10 @@ void smp_concatenate_peer( tSMP_CB *p_cb, UINT8 **p_data, UINT8 op_code) ** Description Generate Confirm/Compare Step1: ** p1 = press || preq || rat' || iat' ** -** Returns void +** Returns BOOLEAN ** *******************************************************************************/ -void smp_gen_p1_4_confirm( tSMP_CB *p_cb, BT_OCTET16 p1) +BOOLEAN smp_gen_p1_4_confirm( tSMP_CB *p_cb, BT_OCTET16 p1) { UINT8 *p = (UINT8 *)p1; tBLE_ADDR_TYPE addr_type = 0; @@ -634,7 +634,7 @@ void smp_gen_p1_4_confirm( tSMP_CB *p_cb, BT_OCTET16 p1) if (!BTM_ReadRemoteConnectionAddr(p_cb->pairing_bda, remote_bda, &addr_type)) { SMP_TRACE_ERROR("can not generate confirm for unknown device\n"); - return; + return FALSE; } BTM_ReadConnectionAddr( p_cb->pairing_bda, p_cb->local_bda, &p_cb->addr_type); @@ -662,6 +662,7 @@ void smp_gen_p1_4_confirm( tSMP_CB *p_cb, BT_OCTET16 p1) SMP_TRACE_DEBUG("p1 = press || preq || rat' || iat'\n"); smp_debug_print_nbyte_little_endian ((UINT8 *)p1, (const UINT8 *)"P1", 16); #endif + return TRUE; } /******************************************************************************* @@ -725,7 +726,11 @@ void smp_calculate_comfirm (tSMP_CB *p_cb, BT_OCTET16 rand, BD_ADDR bda) SMP_TRACE_DEBUG ("smp_calculate_comfirm \n"); /* generate p1 = press || preq || rat' || iat' */ - smp_gen_p1_4_confirm(p_cb, p1); + if (!smp_gen_p1_4_confirm(p_cb, p1)) { + + smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &status); + return ; + } /* p1 = rand XOR p1 */ smp_xor_128(p1, rand); @@ -1138,6 +1143,12 @@ void smp_continue_private_key_creation (tSMP_CB *p_cb, tBTM_RAND_ENC *p) UINT8 state = p_cb->rand_enc_proc_state & ~0x80; SMP_TRACE_DEBUG ("%s state=0x%x\n", __func__, state); + /* Validate param_len to prevent buffer overflow/underflow */ + if (p == NULL || p->param_len != BT_OCTET8_LEN) { + SMP_TRACE_ERROR("invalid param_len: %d, expected %d\n", p ? p->param_len : 0, BT_OCTET8_LEN); + return; + } + switch (state) { case SMP_GENERATE_PRIVATE_KEY_0_7: memcpy((void *)p_cb->private_key, p->param_buf, p->param_len); @@ -1543,6 +1554,9 @@ void smp_calculate_peer_commitment(tSMP_CB *p_cb, BT_OCTET16 output_buf) ** ** Note The LSB is the first octet, the MSB is the last octet of ** the AES-CMAC input/output stream. +** In little-endian implementation, the message is constructed +** as Z||V||U (reversed parameter order) to compensate for +** byte order differences with the big-endian specification. ** *******************************************************************************/ void smp_calculate_f4(UINT8 *u, UINT8 *v, UINT8 *x, UINT8 z, UINT8 *c) @@ -2041,11 +2055,16 @@ BOOLEAN smp_calculate_f5_key(UINT8 *w, UINT8 *t) *******************************************************************************/ void smp_calculate_local_dhkey_check(tSMP_CB *p_cb, tSMP_INT_DATA *p_data) { - UINT8 iocap[3], a[7], b[7]; + UINT8 iocap[3], a[7] = {0}, b[7] = {0}; SMP_TRACE_DEBUG ("%s", __FUNCTION__); - smp_calculate_f5_mackey_and_long_term_key(p_cb); + if (!smp_calculate_f5_mackey_and_long_term_key(p_cb)) { + UINT8 reason = SMP_PAIR_FAIL_UNKNOWN; + p_cb->failure = reason; + smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason); + return; + } smp_collect_local_io_capabilities(iocap, p_cb); @@ -2068,7 +2087,7 @@ void smp_calculate_local_dhkey_check(tSMP_CB *p_cb, tSMP_INT_DATA *p_data) *******************************************************************************/ void smp_calculate_peer_dhkey_check(tSMP_CB *p_cb, tSMP_INT_DATA *p_data) { - UINT8 iocap[3], a[7], b[7]; + UINT8 iocap[3], a[7] = {0}, b[7] = {0}; BT_OCTET16 param_buf; BOOLEAN ret; tSMP_KEY key; @@ -2482,37 +2501,62 @@ static void smp_rand_back(tBTM_RAND_ENC *p) UINT8 *pp = NULL; UINT8 failure = SMP_PAIR_FAIL_UNKNOWN; UINT8 state = p_cb->rand_enc_proc_state & ~0x80; + BOOLEAN check_failed = FALSE; SMP_TRACE_DEBUG ("%s state=0x%x", __FUNCTION__, state); if (p && p->status == HCI_SUCCESS) { switch (state) { case SMP_GEN_SRAND_MRAND: + if (p->param_len != BT_OCTET8_LEN) { + check_failed = TRUE; + break; + } memcpy((void *)p_cb->rand, p->param_buf, p->param_len); smp_generate_rand_cont(p_cb, NULL); break; case SMP_GEN_SRAND_MRAND_CONT: + if (p->param_len != BT_OCTET8_LEN) { + check_failed = TRUE; + break; + } memcpy((void *)&p_cb->rand[8], p->param_buf, p->param_len); smp_generate_confirm(p_cb, NULL); break; case SMP_GEN_DIV_LTK: + if (p->param_len < 2) { + check_failed = TRUE; + break; + } pp = p->param_buf; STREAM_TO_UINT16(p_cb->div, pp); smp_generate_ltk_cont(p_cb, NULL); break; case SMP_GEN_DIV_CSRK: + if (p->param_len < 2) { + check_failed = TRUE; + break; + } pp = p->param_buf; STREAM_TO_UINT16(p_cb->div, pp); smp_compute_csrk(p_cb, NULL); break; case SMP_GEN_TK: + if (p->param_len < 4) { + check_failed = TRUE; + break; + } smp_proc_passkey(p_cb, p); break; case SMP_GEN_RAND_V: + if (p->param_len != BT_OCTET8_LEN) { + check_failed = TRUE; + break; + } memcpy(p_cb->enc_rand, p->param_buf, BT_OCTET8_LEN); smp_generate_y(p_cb, NULL); break; @@ -2521,21 +2565,34 @@ static void smp_rand_back(tBTM_RAND_ENC *p) case SMP_GENERATE_PRIVATE_KEY_8_15: case SMP_GENERATE_PRIVATE_KEY_16_23: case SMP_GENERATE_PRIVATE_KEY_24_31: + if (p->param_len != BT_OCTET8_LEN) { + check_failed = TRUE; + break; + } smp_continue_private_key_creation(p_cb, p); break; case SMP_GEN_NONCE_0_7: + if (p->param_len != BT_OCTET8_LEN) { + check_failed = TRUE; + break; + } memcpy((void *)p_cb->rand, p->param_buf, p->param_len); smp_finish_nonce_generation(p_cb); break; case SMP_GEN_NONCE_8_15: + if (p->param_len != BT_OCTET8_LEN) { + check_failed = TRUE; + break; + } memcpy((void *)&p_cb->rand[8], p->param_buf, p->param_len); smp_process_new_nonce(p_cb); break; } - - return; + if (!check_failed) { + return; + } } SMP_TRACE_ERROR("%s key generation failed: (%d)", __FUNCTION__, p_cb->rand_enc_proc_state); diff --git a/components/bt/host/bluedroid/stack/smp/smp_utils.c b/components/bt/host/bluedroid/stack/smp/smp_utils.c index f4d0987029..1660d78fb1 100644 --- a/components/bt/host/bluedroid/stack/smp/smp_utils.c +++ b/components/bt/host/bluedroid/stack/smp/smp_utils.c @@ -749,11 +749,14 @@ static BT_HDR *smp_build_pairing_commitment_cmd(UINT8 cmd_code, tSMP_CB *p_cb) UINT8 *p; UNUSED(cmd_code); - SMP_TRACE_EVENT("%s\n", __func__); if ((p_buf = (BT_HDR *)osi_malloc(sizeof(BT_HDR) + SMP_PAIR_COMMITM_SIZE + L2CAP_MIN_OFFSET)) != NULL) { p = (UINT8 *)(p_buf + 1) + L2CAP_MIN_OFFSET; - + /* The transmitter sends 0x03 universally. + The receiver performs automatic conversion according to its capabilities to ensure backward compatibility. + The state machine operates using the translated opcode. please refer to smp_data_received() in smp_l2c.c + Please note that using SMP OPCODE to CONFIRM is not an error. + */ UINT8_TO_STREAM (p, SMP_OPCODE_CONFIRM); ARRAY_TO_STREAM (p, p_cb->commitment, BT_OCTET16_LEN); @@ -1462,7 +1465,7 @@ void smp_collect_peer_io_capabilities(UINT8 *iocap, tSMP_CB *p_cb) void smp_collect_local_ble_address(UINT8 *le_addr, tSMP_CB *p_cb) { tBLE_ADDR_TYPE addr_type = 0; - BD_ADDR bda; + BD_ADDR bda = {0}; UINT8 *p = le_addr; SMP_TRACE_DEBUG("%s\n", __func__); @@ -1485,7 +1488,7 @@ void smp_collect_local_ble_address(UINT8 *le_addr, tSMP_CB *p_cb) void smp_collect_peer_ble_address(UINT8 *le_addr, tSMP_CB *p_cb) { tBLE_ADDR_TYPE addr_type = 0; - BD_ADDR bda; + BD_ADDR bda = {0}; UINT8 *p = le_addr; SMP_TRACE_DEBUG("%s\n", __func__); @@ -1574,8 +1577,8 @@ void smp_save_secure_connections_long_term_key(tSMP_CB *p_cb) *******************************************************************************/ BOOLEAN smp_calculate_f5_mackey_and_long_term_key(tSMP_CB *p_cb) { - UINT8 a[7]; - UINT8 b[7]; + UINT8 a[7] = {0}; + UINT8 b[7] = {0}; UINT8 *p_na; UINT8 *p_nb; diff --git a/examples/bluetooth/bluedroid/ble_50/ble_conn_subrating_central/main/main.c b/examples/bluetooth/bluedroid/ble_50/ble_conn_subrating_central/main/main.c index cebe3804e4..2eb6989bb9 100644 --- a/examples/bluetooth/bluedroid/ble_50/ble_conn_subrating_central/main/main.c +++ b/examples/bluetooth/bluedroid/ble_50/ble_conn_subrating_central/main/main.c @@ -208,7 +208,11 @@ static void gap_event_handler(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param creat_conn_params.phy_1m_conn_params = &phy_1m_conn_params; creat_conn_params.phy_2m_conn_params = &phy_2m_conn_params; creat_conn_params.phy_coded_conn_params = &phy_coded_conn_params; - esp_ble_gattc_enh_open(gl_profile_tab[PROFILE_A_APP_ID].gattc_if, &creat_conn_params); + if (esp_ble_gattc_enh_open(gl_profile_tab[PROFILE_A_APP_ID].gattc_if, &creat_conn_params) != ESP_OK) + { + connect = false; + ESP_LOGE(TAG, "Failed to open connection"); + } } } break; diff --git a/examples/bluetooth/bluedroid/ble_50/ble_conn_subrating_peripheral/main/main.c b/examples/bluetooth/bluedroid/ble_50/ble_conn_subrating_peripheral/main/main.c index 49eaa96b07..ae4d6b80fc 100644 --- a/examples/bluetooth/bluedroid/ble_50/ble_conn_subrating_peripheral/main/main.c +++ b/examples/bluetooth/bluedroid/ble_50/ble_conn_subrating_peripheral/main/main.c @@ -51,8 +51,6 @@ } \ } while(0); -static uint16_t conn_handle = 0xFFFF; - uint16_t subrating_handle_table[SUBRATING_IDX_NB]; /* UUIDs */ @@ -249,7 +247,6 @@ static void gatts_profile_event_handler(esp_gatts_cb_event_t event, esp_gatt_if_ ESP_LOGI(TAG, "Connected, conn_id %u, remote "ESP_BD_ADDR_STR"", param->connect.conn_id, ESP_BD_ADDR_HEX(param->connect.remote_bda)); gl_profile_tab[PROFILE_A_APP_ID].conn_id = param->connect.conn_id; - conn_handle = param->connect.conn_id; esp_ble_conn_update_params_t conn_params = {0}; memcpy(conn_params.bda, param->connect.remote_bda, sizeof(esp_bd_addr_t)); @@ -267,7 +264,6 @@ static void gatts_profile_event_handler(esp_gatts_cb_event_t event, esp_gatt_if_ case ESP_GATTS_DISCONNECT_EVT: ESP_LOGI(TAG, "Disconnected, remote "ESP_BD_ADDR_STR", reason 0x%02x", ESP_BD_ADDR_HEX(param->disconnect.remote_bda), param->disconnect.reason); - conn_handle = 0xFFFF; // Restart extended advertising esp_ble_gap_ext_adv_start(NUM_EXT_ADV, ext_adv); break; diff --git a/examples/bluetooth/bluedroid/ble_50/ble_connection_central_with_cte/main/connection_central_with_cte.c b/examples/bluetooth/bluedroid/ble_50/ble_connection_central_with_cte/main/connection_central_with_cte.c index 985e517e43..a3346407f0 100644 --- a/examples/bluetooth/bluedroid/ble_50/ble_connection_central_with_cte/main/connection_central_with_cte.c +++ b/examples/bluetooth/bluedroid/ble_50/ble_connection_central_with_cte/main/connection_central_with_cte.c @@ -316,6 +316,7 @@ static void gattc_profile_event_handler(esp_gattc_cb_event_t event, esp_gatt_if_ ESP_BD_ADDR_HEX(p_data->disconnect.remote_bda), p_data->disconnect.reason); connect = false; get_service = false; + esp_ble_gap_start_ext_scan(EXT_SCAN_DURATION, EXT_SCAN_PERIOD); break; default: break; @@ -476,7 +477,7 @@ static void cte_event_handler(esp_ble_cte_cb_event_t event, esp_ble_cte_cb_param param->conn_iq_rpt.pkt_status, param->conn_iq_rpt.conn_evt_counter, param->conn_iq_rpt.sample_count); ESP_LOG_BUFFER_HEX("i_sample", ¶m->conn_iq_rpt.i_sample[0], param->conn_iq_rpt.sample_count); - ESP_LOG_BUFFER_HEX("q_sample", ¶m->conn_iq_rpt.i_sample[0], param->conn_iq_rpt.sample_count); + ESP_LOG_BUFFER_HEX("q_sample", ¶m->conn_iq_rpt.q_sample[0], param->conn_iq_rpt.sample_count); break; case ESP_BLE_CTE_REQUEST_FAILED_EVT: ESP_LOGI(LOG_TAG, "CTE connection request failed, conn_handle %d reason 0x%x", param->req_failed_evt.conn_handle, param->req_failed_evt.reason); diff --git a/examples/bluetooth/bluedroid/ble_50/ble_pawr_advertiser_conn/main/main.c b/examples/bluetooth/bluedroid/ble_50/ble_pawr_advertiser_conn/main/main.c index d6ba479011..23e7e7b465 100644 --- a/examples/bluetooth/bluedroid/ble_50/ble_pawr_advertiser_conn/main/main.c +++ b/examples/bluetooth/bluedroid/ble_50/ble_pawr_advertiser_conn/main/main.c @@ -371,6 +371,7 @@ static void gattc_profile_event_handler(esp_gattc_cb_event_t event, esp_gatt_if_ } case ESP_GATTC_OPEN_EVT: if (p_data->open.status != ESP_GATT_OK) { + is_connected = false; ESP_LOGE(TAG, "GATTC open failed, status %d", p_data->open.status); break; } diff --git a/examples/bluetooth/bluedroid/ble_50/ble_pawr_synchronizer/main/ble_pawr_synchronizer_demo.c b/examples/bluetooth/bluedroid/ble_50/ble_pawr_synchronizer/main/ble_pawr_synchronizer_demo.c index 91e3ef2dcb..e6d1b44e37 100644 --- a/examples/bluetooth/bluedroid/ble_50/ble_pawr_synchronizer/main/ble_pawr_synchronizer_demo.c +++ b/examples/bluetooth/bluedroid/ble_50/ble_pawr_synchronizer/main/ble_pawr_synchronizer_demo.c @@ -182,18 +182,28 @@ static void gap_event_handler(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param break; case ESP_GAP_BLE_PERIODIC_ADV_CREATE_SYNC_COMPLETE_EVT: ESP_LOGI(LOG_TAG, "Periodic advertising create sync, status %d", param->period_adv_create_sync.status); + if (param->period_adv_create_sync.status != ESP_BT_STATUS_SUCCESS) { + periodic_sync = false; + } break; case ESP_GAP_BLE_PERIODIC_ADV_SYNC_CANCEL_COMPLETE_EVT: ESP_LOGI(LOG_TAG, "Periodic advertising sync cancel, status %d", param->period_adv_sync_cancel.status); + periodic_sync = false; break; case ESP_GAP_BLE_PERIODIC_ADV_SYNC_TERMINATE_COMPLETE_EVT: ESP_LOGI(LOG_TAG, "Periodic advertising sync terminate, status %d", param->period_adv_sync_term.status); + periodic_sync = false; break; case ESP_GAP_BLE_PERIODIC_ADV_SYNC_LOST_EVT: ESP_LOGI(LOG_TAG, "Periodic advertising sync lost, sync handle %d", param->periodic_adv_sync_lost.sync_handle); + periodic_sync = false; break; case ESP_GAP_BLE_PERIODIC_ADV_SYNC_ESTAB_EVT: ESP_LOGI(LOG_TAG, "Periodic advertising sync establish, status %d", param->periodic_adv_sync_estab.status); + if (param->periodic_adv_sync_estab.status != ESP_BT_STATUS_SUCCESS) { + periodic_sync = false; + break; + } ESP_LOGI(LOG_TAG, "address "ESP_BD_ADDR_STR"", ESP_BD_ADDR_HEX(param->periodic_adv_sync_estab.adv_addr)); ESP_LOGI(LOG_TAG, "sync handle %d sid %d perioic adv interval %d adv phy %d", param->periodic_adv_sync_estab.sync_handle, param->periodic_adv_sync_estab.sid, diff --git a/examples/bluetooth/bluedroid/ble_50/ble_periodic_adv_with_cte/main/periodic_adv_with_cte_demo.c b/examples/bluetooth/bluedroid/ble_50/ble_periodic_adv_with_cte/main/periodic_adv_with_cte_demo.c index 752043f9ea..3ca88c88d0 100644 --- a/examples/bluetooth/bluedroid/ble_50/ble_periodic_adv_with_cte/main/periodic_adv_with_cte_demo.c +++ b/examples/bluetooth/bluedroid/ble_50/ble_periodic_adv_with_cte/main/periodic_adv_with_cte_demo.c @@ -224,7 +224,11 @@ void app_main(void) return; } - esp_ble_cte_register_callback(cte_event_handler); + ret = esp_ble_cte_register_callback(cte_event_handler); + if (ret != ESP_OK) { + ESP_LOGE(LOG_TAG, "CTE register error, error code = %x", ret); + return; + } vTaskDelay(200 / portTICK_PERIOD_MS); diff --git a/examples/bluetooth/bluedroid/ble_50/ble_periodic_sync_with_cte/main/periodic_sync_with_cte_demo.c b/examples/bluetooth/bluedroid/ble_50/ble_periodic_sync_with_cte/main/periodic_sync_with_cte_demo.c index baab89302d..edd441c190 100644 --- a/examples/bluetooth/bluedroid/ble_50/ble_periodic_sync_with_cte/main/periodic_sync_with_cte_demo.c +++ b/examples/bluetooth/bluedroid/ble_50/ble_periodic_sync_with_cte/main/periodic_sync_with_cte_demo.c @@ -99,18 +99,28 @@ static void gap_event_handler(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param break; case ESP_GAP_BLE_PERIODIC_ADV_CREATE_SYNC_COMPLETE_EVT: ESP_LOGI(LOG_TAG, "Periodic advertising create sync, status %d", param->period_adv_create_sync.status); + if (param->period_adv_create_sync.status != ESP_BT_STATUS_SUCCESS) { + periodic_sync = false; + } break; case ESP_GAP_BLE_PERIODIC_ADV_SYNC_CANCEL_COMPLETE_EVT: ESP_LOGI(LOG_TAG, "Periodic advertising sync cancel, status %d", param->period_adv_sync_cancel.status); + periodic_sync = false; break; case ESP_GAP_BLE_PERIODIC_ADV_SYNC_TERMINATE_COMPLETE_EVT: ESP_LOGI(LOG_TAG, "Periodic advertising sync terminate, status %d", param->period_adv_sync_term.status); + periodic_sync = false; break; case ESP_GAP_BLE_PERIODIC_ADV_SYNC_LOST_EVT: ESP_LOGI(LOG_TAG, "Periodic advertising sync lost, sync handle %d", param->periodic_adv_sync_lost.sync_handle); + periodic_sync = false; break; case ESP_GAP_BLE_PERIODIC_ADV_SYNC_ESTAB_EVT: ESP_LOGI(LOG_TAG, "Periodic advertising sync establish, status %d", param->periodic_adv_sync_estab.status); + if (param->periodic_adv_sync_estab.status != ESP_BT_STATUS_SUCCESS) { + periodic_sync = false; + break; + } ESP_LOGI(LOG_TAG, "address "ESP_BD_ADDR_STR"", ESP_BD_ADDR_HEX(param->periodic_adv_sync_estab.adv_addr)); ESP_LOGI(LOG_TAG, "sync handle %d sid %d perioic adv interval %d adv phy %d", param->periodic_adv_sync_estab.sync_handle, param->periodic_adv_sync_estab.sid, @@ -136,7 +146,9 @@ static void gap_event_handler(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param periodic_adv_sync_params.sid = param->ext_adv_report.params.sid; periodic_adv_sync_params.addr_type = param->ext_adv_report.params.addr_type; memcpy(periodic_adv_sync_params.addr, param->ext_adv_report.params.addr, sizeof(esp_bd_addr_t)); - esp_ble_gap_periodic_adv_create_sync(&periodic_adv_sync_params); + if (esp_ble_gap_periodic_adv_create_sync(&periodic_adv_sync_params) != ESP_OK) { + periodic_sync = false; + } } } break; diff --git a/examples/bluetooth/bluedroid/ble_50/ble_power_control_central/main/main.c b/examples/bluetooth/bluedroid/ble_50/ble_power_control_central/main/main.c index 806276f82e..b571c24917 100644 --- a/examples/bluetooth/bluedroid/ble_50/ble_power_control_central/main/main.c +++ b/examples/bluetooth/bluedroid/ble_50/ble_power_control_central/main/main.c @@ -249,7 +249,11 @@ static void gap_event_handler(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_param creat_conn_params.phy_1m_conn_params = &phy_1m_conn_params; creat_conn_params.phy_2m_conn_params = &phy_2m_conn_params; creat_conn_params.phy_coded_conn_params = &phy_coded_conn_params; - esp_ble_gattc_enh_open(gl_profile_tab[PROFILE_A_APP_ID].gattc_if, &creat_conn_params); + if (esp_ble_gattc_enh_open(gl_profile_tab[PROFILE_A_APP_ID].gattc_if, &creat_conn_params) != ESP_OK) { + ESP_LOGE(TAG, "open failed, restart scan"); + connect = false; + esp_ble_gap_start_ext_scan(0, 0); + } } } } diff --git a/examples/bluetooth/bluedroid/ble_50/ble_power_control_peripheral/main/main.c b/examples/bluetooth/bluedroid/ble_50/ble_power_control_peripheral/main/main.c index 63d9dcee2c..36ae08e997 100644 --- a/examples/bluetooth/bluedroid/ble_50/ble_power_control_peripheral/main/main.c +++ b/examples/bluetooth/bluedroid/ble_50/ble_power_control_peripheral/main/main.c @@ -63,7 +63,7 @@ static const uint16_t character_declaration_uuid = ESP_GATT_UUID_CHAR_DECLARE; /* Service UUID - must be a variable, not a macro, to take address */ static const uint16_t power_control_service_uuid = BLE_UUID_POWER_CONTROL_SERVICE_VAL; -static const uint16_t power_level_char_uuid = BLE_UUID_POWER_CONTROL_SERVICE_VAL; +static const uint16_t power_level_char_uuid = BLE_UUID_POWER_LEVEL_CHAR_UUID; /* Characteristic properties */ static const uint8_t char_prop_read = ESP_GATT_CHAR_PROP_BIT_READ; @@ -280,7 +280,7 @@ static void gatts_profile_event_handler(esp_gatts_cb_event_t event, esp_gatt_if_ ESP_LOGI(TAG, "Connected, conn_id %u, remote "ESP_BD_ADDR_STR"", param->connect.conn_id, ESP_BD_ADDR_HEX(param->connect.remote_bda)); gl_profile_tab[PROFILE_A_APP_ID].conn_id = param->connect.conn_id; - conn_handle = param->connect.conn_id; + conn_handle = param->connect.conn_handle; esp_ble_conn_update_params_t conn_params = {0}; memcpy(conn_params.bda, param->connect.remote_bda, sizeof(esp_bd_addr_t)); @@ -302,7 +302,10 @@ static void gatts_profile_event_handler(esp_gatts_cb_event_t event, esp_gatt_if_ ESP_BD_ADDR_HEX(param->disconnect.remote_bda), param->disconnect.reason); conn_handle = 0xFFFF; // Restart extended advertising - FUNC_SEND_WAIT_SEM(esp_ble_gap_ext_adv_start(NUM_EXT_ADV, ext_adv), test_sem); + esp_err_t ret = esp_ble_gap_ext_adv_start(NUM_EXT_ADV, ext_adv); + if (ret != ESP_OK) { + ESP_LOGE(TAG, "Failed to restart advertising, error = %d", ret); + } break; case ESP_GATTS_READ_EVT: ESP_LOGI(TAG, "Read event, handle %d", param->read.handle); @@ -408,11 +411,6 @@ void app_main(void) // Create semaphore for extended advertising test_sem = xSemaphoreCreateBinary(); - // Start extended advertising - esp_bd_addr_t addr; - esp_ble_gap_addr_create_static(addr); - ESP_LOGI(TAG, "Device Address: "ESP_BD_ADDR_STR"", ESP_BD_ADDR_HEX(addr)); - // Set extended advertising parameters FUNC_SEND_WAIT_SEM(esp_ble_gap_ext_adv_set_params(EXT_ADV_HANDLE, &ext_adv_params), test_sem); diff --git a/examples/bluetooth/bluedroid/ble_50/ble_power_control_peripheral/main/power_control_service.h b/examples/bluetooth/bluedroid/ble_50/ble_power_control_peripheral/main/power_control_service.h index 78139b35e9..ebcdb8f8c0 100644 --- a/examples/bluetooth/bluedroid/ble_50/ble_power_control_peripheral/main/power_control_service.h +++ b/examples/bluetooth/bluedroid/ble_50/ble_power_control_peripheral/main/power_control_service.h @@ -11,6 +11,8 @@ /* Power Control Service UUIDs */ #define BLE_UUID_POWER_CONTROL_SERVICE_VAL 0xFF01 +#define BLE_UUID_POWER_LEVEL_CHAR_UUID 0xFF02 + /* Attributes State Machine */ enum { IDX_POWER_CONTROL_SVC,