Merge branch 'bugfix/hfp_ag_idx_invalid_v4.4' into 'release/v4.4'
bt: Fixed out of bounds access due to variable length array (v4.4)

See merge request espressif/esp-idf!23667
jack0c committed Jun 9, 2023
2 parents ff4ae8d + f3b2e22 commit 4a4fea5
Showing 4 changed files with 37 additions and 22 deletions.
4 changes: 2 additions & 2 deletions components/bt/host/bluedroid/bta/hf_ag/bta_ag_act.c
Expand Up @@ -94,7 +94,7 @@ static void bta_ag_cback_open(tBTA_AG_SCB *p_scb, tBTA_AG_DATA *p_data, tBTA_AG_
/* call app callback with open event */
open.hdr.handle = bta_ag_scb_to_idx(p_scb);
open.hdr.app_id = p_scb->app_id;
open.status = status;
open.hdr.status = status;
open.service_id = bta_ag_svc_id[p_scb->conn_service];
if (p_data) {
/* if p_data is provided then we need to pick the bd address from the open api structure */
Expand Down Expand Up @@ -131,7 +131,7 @@ void bta_ag_register(tBTA_AG_SCB *p_scb, tBTA_AG_DATA *p_data)
/* call app callback with register event */
reg.hdr.handle = bta_ag_scb_to_idx(p_scb);
reg.hdr.app_id = p_scb->app_id;
reg.status = BTA_AG_SUCCESS;
reg.hdr.status = BTA_AG_SUCCESS;
(*bta_ag_cb.p_cback)(BTA_AG_REGISTER_EVT, (tBTA_AG *) &reg);
}

2 changes: 1 addition & 1 deletion components/bt/host/bluedroid/bta/hf_ag/bta_ag_main.c
Expand Up @@ -831,7 +831,7 @@ static void bta_ag_api_register(tBTA_AG_DATA *p_data)
APPL_TRACE_DEBUG("bta_ag_api_register: p_scb 0x%08x ", (unsigned int)p_scb);
bta_ag_sm_execute(p_scb, p_data->hdr.event, p_data);
} else {
reg.status = BTA_AG_FAIL_RESOURCES;
reg.hdr.status = BTA_AG_FAIL_RESOURCES;
(*bta_ag_cb.p_cback)(BTA_AG_REGISTER_EVT, (tBTA_AG *) &reg);
}
}
3 changes: 0 additions & 3 deletions components/bt/host/bluedroid/bta/include/bta/bta_ag_api.h
Expand Up @@ -333,8 +333,6 @@ typedef struct
typedef struct
{
tBTA_AG_HDR hdr;
UINT16 handle;
tBTA_AG_STATUS status;
} tBTA_AG_REGISTER;

/* data associated with BTA_AG_OPEN_EVT */
Expand All @@ -343,7 +341,6 @@ typedef struct
tBTA_AG_HDR hdr;
BD_ADDR bd_addr;
tBTA_SERVICE_ID service_id;
tBTA_AG_STATUS status;
} tBTA_AG_OPEN;

/* data associated with BTA_AG_CLOSE_EVT */
50 changes: 34 additions & 16 deletions components/bt/host/bluedroid/btc/profile/std/hf_ag/btc_hf_ag.c
Expand Up @@ -112,6 +112,14 @@ do {
hf_local_param[idx].btc_hf_cb.num_active = 0; \
hf_local_param[idx].btc_hf_cb.num_held = 0;

#define CHECK_HF_IDX(idx) \
do { \
if ((idx < 0) || (idx >= BTC_HF_NUM_CB)) { \
BTC_TRACE_ERROR("%s: Invalid index %d", __FUNCTION__, idx); \
return; \
} \
} while (0)

/************************************************************************************
** Static Function
************************************************************************************/
Expand Down Expand Up @@ -1201,19 +1209,9 @@ void btc_hf_cb_handler(btc_msg_t *msg)
tBTA_AG *p_data = (tBTA_AG *)msg->arg;
esp_hf_cb_param_t param;
bdstr_t bdstr;
int idx;

if (p_data == NULL) {
idx = BTC_HF_INVALID_IDX;
} else {
idx = p_data->hdr.handle - 1;
}
int idx = BTC_HF_INVALID_IDX;

BTC_TRACE_DEBUG("%s: event = %s", __FUNCTION__, dump_hf_event(event));
if ((idx < 0) || (idx >= BTC_HF_NUM_CB)) {
BTC_TRACE_ERROR("%s: Invalid index %d", __FUNCTION__, idx);
return;
}

switch (event) {
case BTA_AG_ENABLE_EVT:
Expand All @@ -1222,6 +1220,8 @@ void btc_hf_cb_handler(btc_msg_t *msg)

case BTA_AG_REGISTER_EVT:
{
idx = p_data->hdr.handle - 1;
CHECK_HF_IDX(idx);
hf_local_param[idx].btc_hf_cb.handle = p_data->reg.hdr.handle;
BTC_TRACE_DEBUG("%s: BTA_AG_REGISTER_EVT," "hf_local_param[%d].btc_hf_cb.handle = %d",
__FUNCTION__, idx, hf_local_param[idx].btc_hf_cb.handle);
Expand All @@ -1230,7 +1230,9 @@ void btc_hf_cb_handler(btc_msg_t *msg)

case BTA_AG_OPEN_EVT:
{
if (p_data->open.status == BTA_AG_SUCCESS)
idx = p_data->hdr.handle - 1;
CHECK_HF_IDX(idx);
if (p_data->open.hdr.status == BTA_AG_SUCCESS)
{
bdcpy(hf_local_param[idx].btc_hf_cb.connected_bda.address, p_data->open.bd_addr);
hf_local_param[idx].btc_hf_cb.connection_state = ESP_HF_CONNECTION_STATE_CONNECTED;
Expand All @@ -1241,7 +1243,7 @@ void btc_hf_cb_handler(btc_msg_t *msg)
hf_local_param[idx].btc_hf_cb.connection_state = ESP_HF_CONNECTION_STATE_DISCONNECTED;
} else {
BTC_TRACE_WARNING("%s: AG open failed, but another device connected. status=%d state=%d connected device=%s", __FUNCTION__,
p_data->open.status, hf_local_param[idx].btc_hf_cb.connection_state,
p_data->open.hdr.status, hf_local_param[idx].btc_hf_cb.connection_state,
bdaddr_to_string(&hf_local_param[idx].btc_hf_cb.connected_bda, bdstr, sizeof(bdstr)));
break;
}
Expand All @@ -1258,13 +1260,15 @@ void btc_hf_cb_handler(btc_msg_t *msg)
if (hf_local_param[idx].btc_hf_cb.connection_state == ESP_HF_CONNECTION_STATE_DISCONNECTED)
bdsetany(hf_local_param[idx].btc_hf_cb.connected_bda.address);

if (p_data->open.status != BTA_AG_SUCCESS)
if (p_data->open.hdr.status != BTA_AG_SUCCESS)
btc_queue_advance();
break;
}

case BTA_AG_CONN_EVT:
{
idx = p_data->hdr.handle - 1;
CHECK_HF_IDX(idx);
clock_gettime(CLOCK_MONOTONIC, &(hf_local_param[idx].btc_hf_cb.connected_timestamp));
BTC_TRACE_DEBUG("%s: BTA_AG_CONN_EVT, idx = %d ", __FUNCTION__, idx);
hf_local_param[idx].btc_hf_cb.peer_feat = p_data->conn.peer_feat;
Expand All @@ -1286,6 +1290,8 @@ void btc_hf_cb_handler(btc_msg_t *msg)

case BTA_AG_CLOSE_EVT:
{
idx = p_data->hdr.handle - 1;
CHECK_HF_IDX(idx);
hf_local_param[idx].btc_hf_cb.connected_timestamp.tv_sec = 0;
hf_local_param[idx].btc_hf_cb.connection_state = ESP_HF_CONNECTION_STATE_DISCONNECTED;
BTC_TRACE_DEBUG("%s: BTA_AG_CLOSE_EVT," "hf_local_param[%d].btc_hf_cb.handle = %d", __FUNCTION__,
Expand All @@ -1307,6 +1313,8 @@ void btc_hf_cb_handler(btc_msg_t *msg)

case BTA_AG_AUDIO_OPEN_EVT:
{
idx = p_data->hdr.handle - 1;
CHECK_HF_IDX(idx);
do {
memset(&param, 0, sizeof(esp_hf_cb_param_t));
param.audio_stat.state = ESP_HF_AUDIO_STATE_CONNECTED;
Expand All @@ -1318,6 +1326,8 @@ void btc_hf_cb_handler(btc_msg_t *msg)

case BTA_AG_AUDIO_MSBC_OPEN_EVT:
{
idx = p_data->hdr.handle - 1;
CHECK_HF_IDX(idx);
do {
memset(&param, 0, sizeof(esp_hf_cb_param_t));
param.audio_stat.state = ESP_HF_AUDIO_STATE_CONNECTED_MSBC;
Expand All @@ -1328,6 +1338,8 @@ void btc_hf_cb_handler(btc_msg_t *msg)
}
case BTA_AG_AUDIO_CLOSE_EVT:
{
idx = p_data->hdr.handle - 1;
CHECK_HF_IDX(idx);
do {
memset(&param, 0, sizeof(esp_hf_cb_param_t));
param.audio_stat.state = ESP_HF_AUDIO_STATE_DISCONNECTED;
Expand All @@ -1339,6 +1351,8 @@ void btc_hf_cb_handler(btc_msg_t *msg)

case BTA_AG_AT_BVRA_EVT:
{
idx = p_data->hdr.handle - 1;
CHECK_HF_IDX(idx);
do {
memset(&param, 0, sizeof(esp_hf_cb_param_t));
param.vra_rep.value = p_data->val.num;
Expand Down Expand Up @@ -1456,6 +1470,8 @@ void btc_hf_cb_handler(btc_msg_t *msg)
case BTA_AG_AT_BINP_EVT:
case BTA_AG_AT_BTRH_EVT:
{
idx = p_data->hdr.handle - 1;
CHECK_HF_IDX(idx);
tBTA_AG_RES_DATA ag_res;
memset(&ag_res, 0, sizeof(ag_res));
ag_res.ok_flag = BTA_AG_OK_ERROR;
Expand All @@ -1466,6 +1482,8 @@ void btc_hf_cb_handler(btc_msg_t *msg)

case BTA_AG_AT_BAC_EVT:
{
idx = p_data->hdr.handle - 1;
CHECK_HF_IDX(idx);
BTC_TRACE_DEBUG("AG Bitmap of peer-codecs %d", p_data->val.num);
#if (BTM_WBS_INCLUDED == TRUE)
/* If the peer supports mSBC and the BTC prefferred codec is also mSBC, then
Expand All @@ -1485,9 +1503,9 @@ void btc_hf_cb_handler(btc_msg_t *msg)
#if (BTM_WBS_INCLUDED == TRUE)
case BTA_AG_WBS_EVT:
{
BTC_TRACE_DEBUG("Set codec status %d codec %d 1=CVSD 2=MSBC", p_data->val.hdr.status, p_data->val.value);
BTC_TRACE_DEBUG("Set codec status %d codec %d 1=CVSD 2=MSBC", p_data->val.hdr.status, p_data->val.num);
memset(&param, 0, sizeof(esp_hf_cb_param_t));
param.wbs_rep.codec = p_data->val.value;
param.wbs_rep.codec = p_data->val.num;
btc_hf_cb_to_app(ESP_HF_WBS_RESPONSE_EVT, &param);
break;
}
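Review bot: Each updated case now computes `idx = p_data->hdr.handle - 1;` without a NULL check, while the prologue it replaces mapped a NULL p_data to BTC_HF_INVALID_IDX and returned before the switch; if any of these events can be posted with a NULL arg, as that old guard implies the author expected, the new code dereferences NULL before CHECK_HF_IDX ever runs. Just as important, `int idx = BTC_HF_INVALID_IDX;` is now the default for every case that does not set it, so any case in the collapsed 1259–1470 region that still reads `hf_local_param[idx]` without its own assign-and-check (the hunk shows only the cases that were updated) indexes with the sentinel, which is exactly the out-of-bounds access this commit is fixing, whereas the old single up-front check covered every case. I would keep one NULL-safe computation before the switch, `int idx = (p_data != NULL) ? (int)p_data->hdr.handle - 1 : BTC_HF_INVALID_IDX;`, keep the per-case CHECK_HF_IDX, and audit the remaining cases for unchecked uses of idx. The macro should also parenthesize its argument, `if (((idx) < 0) || ((idx) >= BTC_HF_NUM_CB))`, since it is currently safe only because every call site passes a bare identifier. btc_hf_cb_handler begins before this hunk and its switch continues past the last line shown.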
