espressif/esp-idf
1
0
Fork 0
mirror of https://github.com/espressif/esp-idf.git synced 2026-04-27 19:13:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(bt/bluedroid): fixed an OOB bug in btm_read_rssi_complete

Browse Source
This commit is contained in:
Jin Cheng
2025-10-13 09:24:08 +08:00
parent 3ab391c7ae
commit d36cb2a2ce
3 changed files with 14 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
components/bt/host/bluedroid/stack/btm/btm_acl.c
+12 -1
View File
@@ -2318,7 +2318,7 @@ err_out:
** Returns void
**
*******************************************************************************/
void btm_read_rssi_complete (UINT8 *p)
void btm_read_rssi_complete (UINT8 *p, UINT16 evt_len)
{
tBTM_CMPL_CB *p_cb = btm_cb.devcb.p_rssi_cmpl_cb;
tBTM_RSSI_RESULTS results;
@@ -2331,11 +2331,21 @@ void btm_read_rssi_complete (UINT8 *p)
btm_cb.devcb.p_rssi_cmpl_cb = NULL;
if (p_cb) {
if (evt_len < 1) {
BTM_TRACE_ERROR("Bogus event packet, too short");
results.status = BTM_ERR_PROCESSING;
goto err_out;
}
STREAM_TO_UINT8 (results.hci_status, p);
if (results.hci_status == HCI_SUCCESS) {
results.status = BTM_SUCCESS;
if (evt_len < 1 + 3) {
BTM_TRACE_ERROR("Bogus event packet, too short");
results.status = BTM_ERR_PROCESSING;
goto err_out;
}
STREAM_TO_UINT16 (handle, p);
STREAM_TO_UINT8 (results.rssi, p);
@@ -2351,6 +2361,7 @@ void btm_read_rssi_complete (UINT8 *p)
results.status = BTM_ERR_PROCESSING;
}
err_out:
(*p_cb)(&results);
}
}
components/bt/host/bluedroid/stack/btm/include/btm_int.h
+1 -1
View File
@@ -1051,7 +1051,7 @@ void btm_cont_rswitch (tACL_CONN *p,
tACL_CONN *btm_handle_to_acl (UINT16 hci_handle);
void btm_read_link_policy_complete (UINT8 *p);
void btm_read_rssi_complete (UINT8 *p);
void btm_read_rssi_complete (UINT8 *p, UINT16 evt_len);
void btm_read_tx_power_complete (UINT8 *p, UINT16 evt_len, BOOLEAN is_ble);
void btm_acl_pkt_types_changed(UINT8 status, UINT16 handle, UINT16 pkt_types);
void btm_read_link_quality_complete (UINT8 *p);
components/bt/host/bluedroid/stack/btu/btu_hcif.c
+1 -1
View File
@@ -977,7 +977,7 @@ static void btu_hcif_hdl_command_complete (UINT16 opcode, UINT8 *p, UINT16 evt_l
break;
case HCI_READ_RSSI:
btm_read_rssi_complete (p);
btm_read_rssi_complete (p, evt_len);
break;
case HCI_READ_TRANSMIT_POWER_LEVEL: