fix(bt/bluedroid): Fixed access fault when reading BLE controller information fails

(cherry picked from commit e4e23087ee)

Co-authored-by: chenjianhua <chenjianhua@espressif.com>

components/bt/host/bluedroid/device/controller.c

@@ -271,7 +271,7 @@ static void start_up(void)
 #endif //#if (BLE_50_FEATURE_SUPPORT == TRUE)
 
 #if (BLE_50_FEATURE_SUPPORT == TRUE && BLE_42_FEATURE_SUPPORT == FALSE)
-        if (HCI_LE_ENHANCED_PRIVACY_SUPPORTED(controller_param.features_ble.as_array)) {
+        if (HCI_LE_EXT_ADV_SUPPORTED(controller_param.features_ble.as_array)) {
             response = AWAIT_COMMAND(controller_param.packet_factory->make_read_max_adv_data_len());
             controller_param.packet_parser->parse_ble_read_adv_max_len_response(
                 response,

components/bt/host/bluedroid/hci/hci_packet_parser.c

@@ -186,7 +186,9 @@ static void parse_ble_read_resolving_list_size_response(
 {
 
     uint8_t *stream = read_command_complete_header(response, HCI_BLE_READ_RESOLVING_LIST_SIZE, 1 /* bytes after */);
-    STREAM_TO_UINT8(*resolving_list_size_ptr, stream);
+    if (stream) {
+        STREAM_TO_UINT8(*resolving_list_size_ptr, stream);
+    }
 
     osi_free(response);
 }
@@ -198,10 +200,14 @@ static void parse_ble_read_suggested_default_data_length_response(
 {
 
     uint8_t *stream = read_command_complete_header(response, HCI_BLE_READ_DEFAULT_DATA_LENGTH, 2 /* bytes after */);
-    STREAM_TO_UINT16(*ble_default_packet_length_ptr, stream);
-    STREAM_TO_UINT16(*ble_default_packet_txtime_ptr, stream);
+    if (stream) {
+        STREAM_TO_UINT16(*ble_default_packet_length_ptr, stream);
+        STREAM_TO_UINT16(*ble_default_packet_txtime_ptr, stream);
+    }
+
     osi_free(response);
 }
+
 #if (BLE_50_FEATURE_SUPPORT == TRUE)
 static void parse_ble_read_adv_max_len_response(
     BT_HDR *response,
@@ -209,8 +215,10 @@ static void parse_ble_read_adv_max_len_response(
 {
 
     uint8_t *stream = read_command_complete_header(response, HCI_BLE_RD_MAX_ADV_DATA_LEN, 1 /* bytes after */);
-    // Size: 2 Octets ; Value: 0x001F – 0x0672 ; Maximum supported advertising data length
-    STREAM_TO_UINT16(*adv_max_len_ptr, stream);
+    if (stream) {
+        // Size: 2 Octets ; Value: 0x001F – 0x0672 ; Maximum supported advertising data length
+        STREAM_TO_UINT16(*adv_max_len_ptr, stream);
+    }
 
     osi_free(response);
 }
@@ -254,6 +262,7 @@ static uint8_t *read_command_complete_header(
     STREAM_TO_UINT8(status, stream);
 
     if (status != HCI_SUCCESS) {
+        HCI_TRACE_ERROR("%s failed: opcode 0x%04x, status 0x%02x", __func__, opcode, status);
         return NULL;
     }
 

components/bt/host/bluedroid/stack/include/stack/hcidefs.h

@@ -1867,42 +1867,50 @@ typedef struct {
 #define HCI_PING_SUPPORTED(x) ((x)[HCI_EXT_FEATURE_PING_OFF] & HCI_EXT_FEATURE_PING_MASK)
 
 /*
-**   LE features encoding - page 0 (the only page for now)
+**   LE features encoding - page 0
 */
-/* LE Encryption */
+/* LE Encryption: bit 0 */
 #define HCI_LE_FEATURE_LE_ENCRYPTION_MASK       0x01
 #define HCI_LE_FEATURE_LE_ENCRYPTION_OFF        0
 #define HCI_LE_ENCRYPTION_SUPPORTED(x) ((x)[HCI_LE_FEATURE_LE_ENCRYPTION_OFF] & HCI_LE_FEATURE_LE_ENCRYPTION_MASK)
 
-/* Connection Parameters Request Procedure */
+/* Connection Parameters Request Procedure: bit 1 */
 #define HCI_LE_FEATURE_CONN_PARAM_REQ_MASK       0x02
 #define HCI_LE_FEATURE_CONN_PARAM_REQ_OFF        0
 #define HCI_LE_CONN_PARAM_REQ_SUPPORTED(x) ((x)[HCI_LE_FEATURE_CONN_PARAM_REQ_OFF] & HCI_LE_FEATURE_CONN_PARAM_REQ_MASK)
 
-/* Extended Reject Indication */
+/* Extended Reject Indication: bit 2 */
 #define HCI_LE_FEATURE_EXT_REJ_IND_MASK       0x04
 #define HCI_LE_FEATURE_EXT_REJ_IND_OFF        0
 #define HCI_LE_EXT_REJ_IND_SUPPORTED(x) ((x)[HCI_LE_FEATURE_EXT_REJ_IND_OFF] & HCI_LE_FEATURE_EXT_REJ_IND_MASK)
 
-/* Slave-initiated Features Exchange */
+/* Slave-initiated Features Exchange: bit 3 */
 #define HCI_LE_FEATURE_SLAVE_INIT_FEAT_EXC_MASK       0x08
 #define HCI_LE_FEATURE_SLAVE_INIT_FEAT_EXC_OFF        0
 #define HCI_LE_SLAVE_INIT_FEAT_EXC_SUPPORTED(x) ((x)[HCI_LE_FEATURE_SLAVE_INIT_FEAT_EXC_OFF] & HCI_LE_FEATURE_SLAVE_INIT_FEAT_EXC_MASK)
 
+/* LE Data Packet Length Extension: bit 5 */
+#define HCI_LE_FEATURE_DATA_LEN_EXT_MASK       0x20
+#define HCI_LE_FEATURE_DATA_LEN_EXT_OFF        0
+#define HCI_LE_DATA_LEN_EXT_SUPPORTED(x) ((x)[HCI_LE_FEATURE_DATA_LEN_EXT_OFF] & HCI_LE_FEATURE_DATA_LEN_EXT_MASK)
+
 /* Enhanced privacy Feature: bit 6 */
 #define HCI_LE_FEATURE_ENHANCED_PRIVACY_MASK       0x40
 #define HCI_LE_FEATURE_ENHANCED_PRIVACY_OFF        0
 #define HCI_LE_ENHANCED_PRIVACY_SUPPORTED(x) ((x)[HCI_LE_FEATURE_ENHANCED_PRIVACY_OFF] & HCI_LE_FEATURE_ENHANCED_PRIVACY_MASK)
 
-/* Extended scanner filter policy : 7 */
+/* Extended scanner filter policy: bit 7 */
 #define HCI_LE_FEATURE_EXT_SCAN_FILTER_POLICY_MASK       0x80
 #define HCI_LE_FEATURE_EXT_SCAN_FILTER_POLICY_OFF        0
 #define HCI_LE_EXT_SCAN_FILTER_POLICY_SUPPORTED(x) ((x)[HCI_LE_FEATURE_EXT_SCAN_FILTER_POLICY_OFF] & HCI_LE_FEATURE_EXT_SCAN_FILTER_POLICY_MASK)
 
-/* Slave-initiated Features Exchange */
-#define HCI_LE_FEATURE_DATA_LEN_EXT_MASK       0x20
-#define HCI_LE_FEATURE_DATA_LEN_EXT_OFF        0
-#define HCI_LE_DATA_LEN_EXT_SUPPORTED(x) ((x)[HCI_LE_FEATURE_DATA_LEN_EXT_OFF] & HCI_LE_FEATURE_DATA_LEN_EXT_MASK)
+/*
+**   LE features encoding - page 1
+*/
+/* LE Extended Advertising: bit 12 */
+#define HCI_LE_FEATURE_EXT_ADV_MASK       0x10
+#define HCI_LE_FEATURE_EXT_ADV_OFF        1
+#define HCI_LE_EXT_ADV_SUPPORTED(x) ((x)[HCI_LE_FEATURE_EXT_ADV_OFF] & HCI_LE_FEATURE_EXT_ADV_MASK)
 
 /*
 **   Local Supported Commands encoding