mirror of
https://github.com/espressif/esp-idf.git
synced 2024-09-20 20:56:01 -04:00
Merge branch 'bugfix/hfp_ag_idx_invalid_v5.1' into 'release/v5.1'
bt: Fixed out of bounds access due to variable length array(v5.1) See merge request espressif/esp-idf!23665
commit
8b7cd4dc08
@ -94,7 +94,7 @@ static void bta_ag_cback_open(tBTA_AG_SCB *p_scb, tBTA_AG_DATA *p_data, tBTA_AG_
|
|||||||
/* call app callback with open event */
|
/* call app callback with open event */
|
||||||
open.hdr.handle = bta_ag_scb_to_idx(p_scb);
|
open.hdr.handle = bta_ag_scb_to_idx(p_scb);
|
||||||
open.hdr.app_id = p_scb->app_id;
|
open.hdr.app_id = p_scb->app_id;
|
||||||
open.status = status;
|
open.hdr.status = status;
|
||||||
open.service_id = bta_ag_svc_id[p_scb->conn_service];
|
open.service_id = bta_ag_svc_id[p_scb->conn_service];
|
||||||
if (p_data) {
|
if (p_data) {
|
||||||
/* if p_data is provided then we need to pick the bd address from the open api structure */
|
/* if p_data is provided then we need to pick the bd address from the open api structure */
|
||||||
@ -131,7 +131,7 @@ void bta_ag_register(tBTA_AG_SCB *p_scb, tBTA_AG_DATA *p_data)
|
|||||||
/* call app callback with register event */
|
/* call app callback with register event */
|
||||||
reg.hdr.handle = bta_ag_scb_to_idx(p_scb);
|
reg.hdr.handle = bta_ag_scb_to_idx(p_scb);
|
||||||
reg.hdr.app_id = p_scb->app_id;
|
reg.hdr.app_id = p_scb->app_id;
|
||||||
reg.status = BTA_AG_SUCCESS;
|
reg.hdr.status = BTA_AG_SUCCESS;
|
||||||
(*bta_ag_cb.p_cback)(BTA_AG_REGISTER_EVT, (tBTA_AG *) ®);
|
(*bta_ag_cb.p_cback)(BTA_AG_REGISTER_EVT, (tBTA_AG *) ®);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -831,7 +831,7 @@ static void bta_ag_api_register(tBTA_AG_DATA *p_data)
|
|||||||
APPL_TRACE_DEBUG("bta_ag_api_register: p_scb 0x%08x ", (unsigned int)p_scb);
|
APPL_TRACE_DEBUG("bta_ag_api_register: p_scb 0x%08x ", (unsigned int)p_scb);
|
||||||
bta_ag_sm_execute(p_scb, p_data->hdr.event, p_data);
|
bta_ag_sm_execute(p_scb, p_data->hdr.event, p_data);
|
||||||
} else {
|
} else {
|
||||||
reg.status = BTA_AG_FAIL_RESOURCES;
|
reg.hdr.status = BTA_AG_FAIL_RESOURCES;
|
||||||
(*bta_ag_cb.p_cback)(BTA_AG_REGISTER_EVT, (tBTA_AG *) ®);
|
(*bta_ag_cb.p_cback)(BTA_AG_REGISTER_EVT, (tBTA_AG *) ®);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
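Review bot: In the failure branch of bta_ag_api_register only `reg.hdr.status` is assigned before the callback fires, so `reg.hdr.handle` and `reg.hdr.app_id` keep whatever `reg` already held. The declaration of `reg` is outside the hunk; if it is an uninitialised local, the handle passed to the application callback is indeterminate. In the lines visible elsewhere in this commit, the BTA_AG_REGISTER_EVT handler derives its table index from `hdr.handle - 1` and does not consult `hdr.status`, so a stray in-range value would pass CHECK_HF_IDX and overwrite that slot's stored handle. Zero-initialising the struct at its declaration, e.g. `tBTA_AG_REGISTER reg = {0};`, would make the failure event carry handle 0, which the range check then rejects.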
|
@ -333,8 +333,6 @@ typedef struct
|
|||||||
typedef struct
|
typedef struct
|
||||||
{
|
{
|
||||||
tBTA_AG_HDR hdr;
|
tBTA_AG_HDR hdr;
|
||||||
UINT16 handle;
|
|
||||||
tBTA_AG_STATUS status;
|
|
||||||
} tBTA_AG_REGISTER;
|
} tBTA_AG_REGISTER;
|
||||||
|
|
||||||
/* data associated with BTA_AG_OPEN_EVT */
|
/* data associated with BTA_AG_OPEN_EVT */
|
||||||
@ -343,7 +341,6 @@ typedef struct
|
|||||||
tBTA_AG_HDR hdr;
|
tBTA_AG_HDR hdr;
|
||||||
BD_ADDR bd_addr;
|
BD_ADDR bd_addr;
|
||||||
tBTA_SERVICE_ID service_id;
|
tBTA_SERVICE_ID service_id;
|
||||||
tBTA_AG_STATUS status;
|
|
||||||
} tBTA_AG_OPEN;
|
} tBTA_AG_OPEN;
|
||||||
|
|
||||||
/* data associated with BTA_AG_CLOSE_EVT */
|
/* data associated with BTA_AG_CLOSE_EVT */
|
||||||
|
@ -134,6 +134,14 @@ do {
|
|||||||
hf_local_param[idx].btc_hf_cb.num_active = 0; \
|
hf_local_param[idx].btc_hf_cb.num_active = 0; \
|
||||||
hf_local_param[idx].btc_hf_cb.num_held = 0;
|
hf_local_param[idx].btc_hf_cb.num_held = 0;
|
||||||
|
|
||||||
|
#define CHECK_HF_IDX(idx) \
|
||||||
|
do { \
|
||||||
|
if ((idx < 0) || (idx >= BTC_HF_NUM_CB)) { \
|
||||||
|
BTC_TRACE_ERROR("%s: Invalid index %d", __FUNCTION__, idx); \
|
||||||
|
return; \
|
||||||
|
} \
|
||||||
|
} while (0)
|
||||||
|
|
||||||
/************************************************************************************
|
/************************************************************************************
|
||||||
** Static Function
|
** Static Function
|
||||||
************************************************************************************/
|
************************************************************************************/
|
||||||
@ -1213,19 +1221,9 @@ void btc_hf_cb_handler(btc_msg_t *msg)
|
|||||||
tBTA_AG *p_data = (tBTA_AG *)msg->arg;
|
tBTA_AG *p_data = (tBTA_AG *)msg->arg;
|
||||||
esp_hf_cb_param_t param;
|
esp_hf_cb_param_t param;
|
||||||
bdstr_t bdstr;
|
bdstr_t bdstr;
|
||||||
int idx;
|
int idx = BTC_HF_INVALID_IDX;
|
||||||
|
|
||||||
if (p_data == NULL) {
|
|
||||||
idx = BTC_HF_INVALID_IDX;
|
|
||||||
} else {
|
|
||||||
idx = p_data->hdr.handle - 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
BTC_TRACE_DEBUG("%s: event = %s", __FUNCTION__, dump_hf_event(event));
|
BTC_TRACE_DEBUG("%s: event = %s", __FUNCTION__, dump_hf_event(event));
|
||||||
if ((idx < 0) || (idx >= BTC_HF_NUM_CB)) {
|
|
||||||
BTC_TRACE_ERROR("%s: Invalid index %d", __FUNCTION__, idx);
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
switch (event) {
|
switch (event) {
|
||||||
case BTA_AG_ENABLE_EVT:
|
case BTA_AG_ENABLE_EVT:
|
||||||
@ -1234,6 +1232,8 @@ void btc_hf_cb_handler(btc_msg_t *msg)
|
|||||||
|
|
||||||
case BTA_AG_REGISTER_EVT:
|
case BTA_AG_REGISTER_EVT:
|
||||||
{
|
{
|
||||||
|
idx = p_data->hdr.handle - 1;
|
||||||
|
CHECK_HF_IDX(idx);
|
||||||
hf_local_param[idx].btc_hf_cb.handle = p_data->reg.hdr.handle;
|
hf_local_param[idx].btc_hf_cb.handle = p_data->reg.hdr.handle;
|
||||||
BTC_TRACE_DEBUG("%s: BTA_AG_REGISTER_EVT," "hf_local_param[%d].btc_hf_cb.handle = %d",
|
BTC_TRACE_DEBUG("%s: BTA_AG_REGISTER_EVT," "hf_local_param[%d].btc_hf_cb.handle = %d",
|
||||||
__FUNCTION__, idx, hf_local_param[idx].btc_hf_cb.handle);
|
__FUNCTION__, idx, hf_local_param[idx].btc_hf_cb.handle);
|
||||||
@ -1242,7 +1242,9 @@ void btc_hf_cb_handler(btc_msg_t *msg)
|
|||||||
|
|
||||||
case BTA_AG_OPEN_EVT:
|
case BTA_AG_OPEN_EVT:
|
||||||
{
|
{
|
||||||
if (p_data->open.status == BTA_AG_SUCCESS)
|
idx = p_data->hdr.handle - 1;
|
||||||
|
CHECK_HF_IDX(idx);
|
||||||
|
if (p_data->open.hdr.status == BTA_AG_SUCCESS)
|
||||||
{
|
{
|
||||||
bdcpy(hf_local_param[idx].btc_hf_cb.connected_bda.address, p_data->open.bd_addr);
|
bdcpy(hf_local_param[idx].btc_hf_cb.connected_bda.address, p_data->open.bd_addr);
|
||||||
hf_local_param[idx].btc_hf_cb.connection_state = ESP_HF_CONNECTION_STATE_CONNECTED;
|
hf_local_param[idx].btc_hf_cb.connection_state = ESP_HF_CONNECTION_STATE_CONNECTED;
|
||||||
@ -1253,7 +1255,7 @@ void btc_hf_cb_handler(btc_msg_t *msg)
|
|||||||
hf_local_param[idx].btc_hf_cb.connection_state = ESP_HF_CONNECTION_STATE_DISCONNECTED;
|
hf_local_param[idx].btc_hf_cb.connection_state = ESP_HF_CONNECTION_STATE_DISCONNECTED;
|
||||||
} else {
|
} else {
|
||||||
BTC_TRACE_WARNING("%s: AG open failed, but another device connected. status=%d state=%d connected device=%s", __FUNCTION__,
|
BTC_TRACE_WARNING("%s: AG open failed, but another device connected. status=%d state=%d connected device=%s", __FUNCTION__,
|
||||||
p_data->open.status, hf_local_param[idx].btc_hf_cb.connection_state,
|
p_data->open.hdr.status, hf_local_param[idx].btc_hf_cb.connection_state,
|
||||||
bdaddr_to_string(&hf_local_param[idx].btc_hf_cb.connected_bda, bdstr, sizeof(bdstr)));
|
bdaddr_to_string(&hf_local_param[idx].btc_hf_cb.connected_bda, bdstr, sizeof(bdstr)));
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
@ -1270,13 +1272,15 @@ void btc_hf_cb_handler(btc_msg_t *msg)
|
|||||||
if (hf_local_param[idx].btc_hf_cb.connection_state == ESP_HF_CONNECTION_STATE_DISCONNECTED)
|
if (hf_local_param[idx].btc_hf_cb.connection_state == ESP_HF_CONNECTION_STATE_DISCONNECTED)
|
||||||
bdsetany(hf_local_param[idx].btc_hf_cb.connected_bda.address);
|
bdsetany(hf_local_param[idx].btc_hf_cb.connected_bda.address);
|
||||||
|
|
||||||
if (p_data->open.status != BTA_AG_SUCCESS)
|
if (p_data->open.hdr.status != BTA_AG_SUCCESS)
|
||||||
btc_queue_advance();
|
btc_queue_advance();
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
case BTA_AG_CONN_EVT:
|
case BTA_AG_CONN_EVT:
|
||||||
{
|
{
|
||||||
|
idx = p_data->hdr.handle - 1;
|
||||||
|
CHECK_HF_IDX(idx);
|
||||||
clock_gettime(CLOCK_MONOTONIC, &(hf_local_param[idx].btc_hf_cb.connected_timestamp));
|
clock_gettime(CLOCK_MONOTONIC, &(hf_local_param[idx].btc_hf_cb.connected_timestamp));
|
||||||
BTC_TRACE_DEBUG("%s: BTA_AG_CONN_EVT, idx = %d ", __FUNCTION__, idx);
|
BTC_TRACE_DEBUG("%s: BTA_AG_CONN_EVT, idx = %d ", __FUNCTION__, idx);
|
||||||
hf_local_param[idx].btc_hf_cb.peer_feat = p_data->conn.peer_feat;
|
hf_local_param[idx].btc_hf_cb.peer_feat = p_data->conn.peer_feat;
|
||||||
@ -1298,6 +1302,8 @@ void btc_hf_cb_handler(btc_msg_t *msg)
|
|||||||
|
|
||||||
case BTA_AG_CLOSE_EVT:
|
case BTA_AG_CLOSE_EVT:
|
||||||
{
|
{
|
||||||
|
idx = p_data->hdr.handle - 1;
|
||||||
|
CHECK_HF_IDX(idx);
|
||||||
hf_local_param[idx].btc_hf_cb.connected_timestamp.tv_sec = 0;
|
hf_local_param[idx].btc_hf_cb.connected_timestamp.tv_sec = 0;
|
||||||
hf_local_param[idx].btc_hf_cb.connection_state = ESP_HF_CONNECTION_STATE_DISCONNECTED;
|
hf_local_param[idx].btc_hf_cb.connection_state = ESP_HF_CONNECTION_STATE_DISCONNECTED;
|
||||||
BTC_TRACE_DEBUG("%s: BTA_AG_CLOSE_EVT," "hf_local_param[%d].btc_hf_cb.handle = %d", __FUNCTION__,
|
BTC_TRACE_DEBUG("%s: BTA_AG_CLOSE_EVT," "hf_local_param[%d].btc_hf_cb.handle = %d", __FUNCTION__,
|
||||||
@ -1319,6 +1325,8 @@ void btc_hf_cb_handler(btc_msg_t *msg)
|
|||||||
|
|
||||||
case BTA_AG_AUDIO_OPEN_EVT:
|
case BTA_AG_AUDIO_OPEN_EVT:
|
||||||
{
|
{
|
||||||
|
idx = p_data->hdr.handle - 1;
|
||||||
|
CHECK_HF_IDX(idx);
|
||||||
do {
|
do {
|
||||||
memset(¶m, 0, sizeof(esp_hf_cb_param_t));
|
memset(¶m, 0, sizeof(esp_hf_cb_param_t));
|
||||||
param.audio_stat.state = ESP_HF_AUDIO_STATE_CONNECTED;
|
param.audio_stat.state = ESP_HF_AUDIO_STATE_CONNECTED;
|
||||||
@ -1330,6 +1338,8 @@ void btc_hf_cb_handler(btc_msg_t *msg)
|
|||||||
|
|
||||||
case BTA_AG_AUDIO_MSBC_OPEN_EVT:
|
case BTA_AG_AUDIO_MSBC_OPEN_EVT:
|
||||||
{
|
{
|
||||||
|
idx = p_data->hdr.handle - 1;
|
||||||
|
CHECK_HF_IDX(idx);
|
||||||
do {
|
do {
|
||||||
memset(¶m, 0, sizeof(esp_hf_cb_param_t));
|
memset(¶m, 0, sizeof(esp_hf_cb_param_t));
|
||||||
param.audio_stat.state = ESP_HF_AUDIO_STATE_CONNECTED_MSBC;
|
param.audio_stat.state = ESP_HF_AUDIO_STATE_CONNECTED_MSBC;
|
||||||
@ -1340,6 +1350,8 @@ void btc_hf_cb_handler(btc_msg_t *msg)
|
|||||||
}
|
}
|
||||||
case BTA_AG_AUDIO_CLOSE_EVT:
|
case BTA_AG_AUDIO_CLOSE_EVT:
|
||||||
{
|
{
|
||||||
|
idx = p_data->hdr.handle - 1;
|
||||||
|
CHECK_HF_IDX(idx);
|
||||||
do {
|
do {
|
||||||
memset(¶m, 0, sizeof(esp_hf_cb_param_t));
|
memset(¶m, 0, sizeof(esp_hf_cb_param_t));
|
||||||
param.audio_stat.state = ESP_HF_AUDIO_STATE_DISCONNECTED;
|
param.audio_stat.state = ESP_HF_AUDIO_STATE_DISCONNECTED;
|
||||||
@ -1351,6 +1363,8 @@ void btc_hf_cb_handler(btc_msg_t *msg)
|
|||||||
|
|
||||||
case BTA_AG_AT_BVRA_EVT:
|
case BTA_AG_AT_BVRA_EVT:
|
||||||
{
|
{
|
||||||
|
idx = p_data->hdr.handle - 1;
|
||||||
|
CHECK_HF_IDX(idx);
|
||||||
do {
|
do {
|
||||||
memset(¶m, 0, sizeof(esp_hf_cb_param_t));
|
memset(¶m, 0, sizeof(esp_hf_cb_param_t));
|
||||||
param.vra_rep.value = p_data->val.num;
|
param.vra_rep.value = p_data->val.num;
|
||||||
@ -1468,6 +1482,8 @@ void btc_hf_cb_handler(btc_msg_t *msg)
|
|||||||
case BTA_AG_AT_BINP_EVT:
|
case BTA_AG_AT_BINP_EVT:
|
||||||
case BTA_AG_AT_BTRH_EVT:
|
case BTA_AG_AT_BTRH_EVT:
|
||||||
{
|
{
|
||||||
|
idx = p_data->hdr.handle - 1;
|
||||||
|
CHECK_HF_IDX(idx);
|
||||||
tBTA_AG_RES_DATA ag_res;
|
tBTA_AG_RES_DATA ag_res;
|
||||||
memset(&ag_res, 0, sizeof(ag_res));
|
memset(&ag_res, 0, sizeof(ag_res));
|
||||||
ag_res.ok_flag = BTA_AG_OK_ERROR;
|
ag_res.ok_flag = BTA_AG_OK_ERROR;
|
||||||
@ -1478,6 +1494,8 @@ void btc_hf_cb_handler(btc_msg_t *msg)
|
|||||||
|
|
||||||
case BTA_AG_AT_BAC_EVT:
|
case BTA_AG_AT_BAC_EVT:
|
||||||
{
|
{
|
||||||
|
idx = p_data->hdr.handle - 1;
|
||||||
|
CHECK_HF_IDX(idx);
|
||||||
BTC_TRACE_DEBUG("AG Bitmap of peer-codecs %d", p_data->val.num);
|
BTC_TRACE_DEBUG("AG Bitmap of peer-codecs %d", p_data->val.num);
|
||||||
#if (BTM_WBS_INCLUDED == TRUE)
|
#if (BTM_WBS_INCLUDED == TRUE)
|
||||||
/* If the peer supports mSBC and the BTC prefferred codec is also mSBC, then
|
/* If the peer supports mSBC and the BTC prefferred codec is also mSBC, then
|
||||||
@ -1497,9 +1515,9 @@ void btc_hf_cb_handler(btc_msg_t *msg)
|
|||||||
#if (BTM_WBS_INCLUDED == TRUE)
|
#if (BTM_WBS_INCLUDED == TRUE)
|
||||||
case BTA_AG_WBS_EVT:
|
case BTA_AG_WBS_EVT:
|
||||||
{
|
{
|
||||||
BTC_TRACE_DEBUG("Set codec status %d codec %d 1=CVSD 2=MSBC", p_data->val.hdr.status, p_data->val.value);
|
BTC_TRACE_DEBUG("Set codec status %d codec %d 1=CVSD 2=MSBC", p_data->val.hdr.status, p_data->val.num);
|
||||||
memset(¶m, 0, sizeof(esp_hf_cb_param_t));
|
memset(¶m, 0, sizeof(esp_hf_cb_param_t));
|
||||||
param.wbs_rep.codec = p_data->val.value;
|
param.wbs_rep.codec = p_data->val.num;
|
||||||
btc_hf_cb_to_app(ESP_HF_WBS_RESPONSE_EVT, ¶m);
|
btc_hf_cb_to_app(ESP_HF_WBS_RESPONSE_EVT, ¶m);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
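Review bot: Every added `idx = p_data->hdr.handle - 1;` in btc_hf_cb_handler reads through p_data, but the `if (p_data == NULL)` branch that used to guard that read is removed in the @ -1213 hunk, so an event delivered with a NULL msg->arg would fault before CHECK_HF_IDX runs. Whether these events can arrive without data is not visible here; if they can, a guard such as `if (p_data == NULL) { return; }` ahead of the handle read in each case would restore the old protection. Because idx now starts as BTC_HF_INVALID_IDX, any case outside the visible hunks that still indexes hf_local_param[idx] without the new assignment and check would use that invalid value, so the remaining cases of the switch are worth auditing. CHECK_HF_IDX also hides a `return` and leaves its argument unparenthesised; writing the test as `(((idx) < 0) || ((idx) >= BTC_HF_NUM_CB))` and adding a comment like `/* returns from the enclosing void function when idx is out of range */` would make both explicit.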
|