Fixed bluedroid host memory overflow

components/bt/host/bluedroid/api/esp_gattc_api.c

@@ -352,7 +352,7 @@ esp_err_t esp_ble_gattc_read_char (esp_gatt_if_t gattc_if,
 
     ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED);
     tGATT_TCB       *p_tcb = gatt_get_tcb_by_idx(conn_id);
-    if (!p_tcb) {
+    if (!gatt_check_connection_state_by_tcb(p_tcb)) {
         LOG_WARN("%s, The connection not created.", __func__);
         return ESP_ERR_INVALID_STATE;
     }
@@ -389,7 +389,7 @@ esp_err_t esp_ble_gattc_read_by_type (esp_gatt_if_t gattc_if,
     }
 
     tGATT_TCB       *p_tcb = gatt_get_tcb_by_idx(conn_id);
-    if (!p_tcb) {
+    if (!gatt_check_connection_state_by_tcb(p_tcb)) {
         LOG_WARN("%s, The connection not created.", __func__);
         return ESP_ERR_INVALID_STATE;
     }
@@ -421,7 +421,7 @@ esp_err_t esp_ble_gattc_read_multiple(esp_gatt_if_t gattc_if,
     ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED);
 
     tGATT_TCB       *p_tcb = gatt_get_tcb_by_idx(conn_id);
-    if (!p_tcb) {
+    if (!gatt_check_connection_state_by_tcb(p_tcb)) {
         LOG_WARN("%s, The connection not created.", __func__);
         return ESP_ERR_INVALID_STATE;
     }
@@ -458,7 +458,7 @@ esp_err_t esp_ble_gattc_read_char_descr (esp_gatt_if_t gattc_if,
     ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED);
 
     tGATT_TCB       *p_tcb = gatt_get_tcb_by_idx(conn_id);
-    if (!p_tcb) {
+    if (!gatt_check_connection_state_by_tcb(p_tcb)) {
         LOG_WARN("%s, The connection not created.", __func__);
         return ESP_ERR_INVALID_STATE;
     }
@@ -491,7 +491,7 @@ esp_err_t esp_ble_gattc_write_char(esp_gatt_if_t gattc_if,
     ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED);
 
     tGATT_TCB       *p_tcb = gatt_get_tcb_by_idx(conn_id);
-    if (!p_tcb) {
+    if (!gatt_check_connection_state_by_tcb(p_tcb)) {
         LOG_WARN("%s, The connection not created.", __func__);
         return ESP_ERR_INVALID_STATE;
     }
@@ -529,7 +529,7 @@ esp_err_t esp_ble_gattc_write_char_descr (esp_gatt_if_t gattc_if,
     ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED);
 
     tGATT_TCB       *p_tcb = gatt_get_tcb_by_idx(conn_id);
-    if (!p_tcb) {
+    if (!gatt_check_connection_state_by_tcb(p_tcb)) {
         LOG_WARN("%s, The connection not created.", __func__);
         return ESP_ERR_INVALID_STATE;
     }
@@ -567,7 +567,7 @@ esp_err_t esp_ble_gattc_prepare_write(esp_gatt_if_t gattc_if,
     ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED);
 
     tGATT_TCB       *p_tcb = gatt_get_tcb_by_idx(conn_id);
-    if (!p_tcb) {
+    if (!gatt_check_connection_state_by_tcb(p_tcb)) {
         LOG_WARN("%s, The connection not created.", __func__);
         return ESP_ERR_INVALID_STATE;
     }
@@ -603,7 +603,7 @@ esp_err_t esp_ble_gattc_prepare_write_char_descr(esp_gatt_if_t gattc_if,
     ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED);
 
     tGATT_TCB       *p_tcb = gatt_get_tcb_by_idx(conn_id);
-    if (!p_tcb) {
+    if (!gatt_check_connection_state_by_tcb(p_tcb)) {
         LOG_WARN("%s, The connection not created.", __func__);
         return ESP_ERR_INVALID_STATE;
     }

components/bt/host/bluedroid/api/esp_gatts_api.c

@@ -254,7 +254,7 @@ esp_err_t esp_ble_gatts_send_indicate(esp_gatt_if_t gatts_if, uint16_t conn_id,
     ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED);
 
     tGATT_TCB       *p_tcb = gatt_get_tcb_by_idx(conn_id);
-    if (!p_tcb) {
+    if (!gatt_check_connection_state_by_tcb(p_tcb)) {
         LOG_WARN("%s, The connection not created.", __func__);
         return ESP_ERR_INVALID_STATE;
     }
@@ -287,6 +287,12 @@ esp_err_t esp_ble_gatts_send_response(esp_gatt_if_t gatts_if, uint16_t conn_id,
 
     ESP_BLUEDROID_STATUS_CHECK(ESP_BLUEDROID_STATUS_ENABLED);
 
+    tGATT_TCB       *p_tcb = gatt_get_tcb_by_idx(conn_id);
+    if (!gatt_check_connection_state_by_tcb(p_tcb)) {
+        LOG_WARN("%s, The connection not created.", __func__);
+        return ESP_ERR_INVALID_STATE;
+    }
+
     msg.sig = BTC_SIG_API_CALL;
     msg.pid = BTC_PID_GATTS;
     msg.act = BTC_GATTS_ACT_SEND_RESPONSE;

components/bt/host/bluedroid/stack/gatt/att_protocol.c

@@ -312,6 +312,12 @@ BT_HDR *attp_build_value_cmd (UINT16 payload_size, UINT8 op_code, UINT16 handle,
             p_buf->len += 2;
         }
 
+        if(payload_size < GATT_DEF_BLE_MTU_SIZE || payload_size > GATT_MAX_MTU_SIZE) {
+            GATT_TRACE_ERROR("invalid payload_size %d", payload_size);
+            osi_free(p_buf);
+            return NULL;
+        }
+
         if (len > 0 && p_data != NULL) {
             /* ensure data not exceed MTU size */
             if (payload_size - p_buf->len < len) {

components/bt/host/bluedroid/stack/gatt/gatt_api.c

@@ -583,7 +583,7 @@ tGATT_STATUS GATTS_HandleValueIndication (UINT16 conn_id,  UINT16 attr_handle, U
         return (tGATT_STATUS) GATT_INVALID_CONN_ID;
     }
 
-    if ((GATT_CH_OPEN != gatt_get_ch_state(p_tcb)) || (p_tcb->payload_size == 0)) {
+    if (!gatt_check_connection_state_by_tcb(p_tcb)) {
         GATT_TRACE_ERROR("connection not established\n");
         return GATT_WRONG_STATE;
     }
@@ -655,7 +655,7 @@ tGATT_STATUS GATTS_HandleValueNotification (UINT16 conn_id, UINT16 attr_handle,
         return (tGATT_STATUS) GATT_INVALID_CONN_ID;
     }
 
-    if ((GATT_CH_OPEN != gatt_get_ch_state(p_tcb)) || (p_tcb->payload_size == 0)) {
+    if (!gatt_check_connection_state_by_tcb(p_tcb)) {
         GATT_TRACE_ERROR("connection not established\n");
         return GATT_WRONG_STATE;
     }
@@ -707,6 +707,11 @@ tGATT_STATUS GATTS_SendRsp (UINT16 conn_id,  UINT32 trans_id,
         return (tGATT_STATUS) GATT_INVALID_CONN_ID;
     }
 
+    if (!gatt_check_connection_state_by_tcb(p_tcb)) {
+        GATT_TRACE_ERROR("connection not established\n");
+        return GATT_WRONG_STATE;
+    }
+
     if (p_tcb->sr_cmd.trans_id != trans_id) {
         GATT_TRACE_ERROR ("GATTS_SendRsp conn_id: %u  waiting for op_code = %02x\n",
                           conn_id, p_tcb->sr_cmd.op_code);
@@ -828,6 +833,11 @@ tGATT_STATUS GATTC_ConfigureMTU (UINT16 conn_id)
         return GATT_ILLEGAL_PARAMETER;
     }
 
+    if (!gatt_check_connection_state_by_tcb(p_tcb)) {
+        GATT_TRACE_ERROR("connection not established\n");
+        return GATT_ERROR;
+    }
+
     /* Validate that the link is BLE, not BR/EDR */
     if (p_tcb->transport != BT_TRANSPORT_LE) {
         return GATT_ERROR;
@@ -880,6 +890,10 @@ tGATT_STATUS GATTC_Discover (UINT16 conn_id, tGATT_DISC_TYPE disc_type,
         return GATT_ILLEGAL_PARAMETER;
     }
 
+    if (!gatt_check_connection_state_by_tcb(p_tcb)) {
+        GATT_TRACE_ERROR("connection not established\n");
+        return GATT_ERROR;
+    }
 
     if (gatt_is_clcb_allocated(conn_id)) {
         GATT_TRACE_ERROR("GATTC_Discover GATT_BUSY conn_id = %d", conn_id);
@@ -942,6 +956,11 @@ tGATT_STATUS GATTC_Read (UINT16 conn_id, tGATT_READ_TYPE type, tGATT_READ_PARAM
         return GATT_ILLEGAL_PARAMETER;
     }
 
+    if (!gatt_check_connection_state_by_tcb(p_tcb)) {
+        GATT_TRACE_ERROR("connection not established\n");
+        return GATT_ERROR;
+    }
+
     if (gatt_is_clcb_allocated(conn_id)) {
         GATT_TRACE_ERROR("GATTC_Read GATT_BUSY conn_id = %d", conn_id);
         return GATT_BUSY;
@@ -1020,6 +1039,11 @@ tGATT_STATUS GATTC_Write (UINT16 conn_id, tGATT_WRITE_TYPE type, tGATT_VALUE *p_
         return GATT_ILLEGAL_PARAMETER;
     }
 
+    if (!gatt_check_connection_state_by_tcb(p_tcb)) {
+        GATT_TRACE_ERROR("connection not established\n");
+        return GATT_ERROR;
+    }
+
     if (gatt_is_clcb_allocated(conn_id)) {
         GATT_TRACE_ERROR("GATTC_Write GATT_BUSY conn_id = %d", conn_id);
         return GATT_BUSY;
@@ -1086,6 +1110,11 @@ tGATT_STATUS GATTC_ExecuteWrite (UINT16 conn_id, BOOLEAN is_execute)
         return GATT_ILLEGAL_PARAMETER;
     }
 
+    if (!gatt_check_connection_state_by_tcb(p_tcb)) {
+        GATT_TRACE_ERROR("connection not established\n");
+        return GATT_ERROR;
+    }
+
     if (gatt_is_clcb_allocated(conn_id)) {
         GATT_TRACE_ERROR("GATTC_Write GATT_BUSY conn_id = %d", conn_id);
         return GATT_BUSY;

components/bt/host/bluedroid/stack/gatt/gatt_utils.c

@@ -900,6 +900,27 @@ BOOLEAN gatt_is_bda_connected(BD_ADDR bda)
     }
     return connected;
 }
+
+/*******************************************************************************
+**
+** Function         gatt_check_connection_state_by_tcb
+**
+** Description
+**
+** Returns           TRUE if connected. Otherwise connection not established.
+**
+*******************************************************************************/
+BOOLEAN gatt_check_connection_state_by_tcb(tGATT_TCB *p_tcb)
+{
+    BOOLEAN connected = FALSE;
+
+    if(p_tcb && gatt_get_ch_state(p_tcb) == GATT_CH_OPEN) {
+        connected = TRUE;
+    }
+
+    return connected;
+}
+
 /*******************************************************************************
 **
 ** Function         gatt_find_i_tcb_by_addr

components/bt/host/bluedroid/stack/gatt/include/gatt_int.h

@@ -754,6 +754,8 @@ extern tGATT_STATUS gatts_read_attr_perm_check(tGATT_SVC_DB *p_db, BOOLEAN is_lo
 extern void gatts_update_srv_list_elem(UINT8 i_sreg, UINT16 handle, BOOLEAN is_primary);
 extern tBT_UUID *gatts_get_service_uuid (tGATT_SVC_DB *p_db);
 
+extern BOOLEAN gatt_check_connection_state_by_tcb(tGATT_TCB *p_tcb);
+
 extern void gatt_reset_bgdev_list(void);
 extern uint16_t gatt_get_local_mtu(void);
 extern void gatt_set_local_mtu(uint16_t mtu);

components/bt/host/bluedroid/stack/l2cap/l2c_api.c

@@ -2330,7 +2330,7 @@ void l2ble_update_att_acl_pkt_num(UINT8 type, tl2c_buff_param_t *param)
             break;
         }
 
-        if ((GATT_CH_OPEN != gatt_get_ch_state(p_tcb)) || (p_tcb->payload_size == 0)) {
+        if (!gatt_check_connection_state_by_tcb(p_tcb)) {
             L2CAP_TRACE_ERROR("connection not established\n");
             xSemaphoreGive(buff_semaphore);
             break;