kkamikakoi / btstack

Automatically exported from code.google.com/p/btstack

buffer overrun in event_handler() in r2012 #360

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
1. Use source code from r2012
2. Try to pair with SSP turned on - pairing doesn't work
3. Try to pair with SSP turned off (hci_ssp_set_enable(0);) - pairing works
4. However, data transmission in spp_counter doesn't work

We found a buffer overrun bug in event_handler() which causes this issue:

--- file: hci_transport_h4_ehcill_dma.c

static int h4_process(struct data_source *ds) {

    // notify about packet sent
    if (tx_state == TX_DONE){
        // reset state
        tx_state = TX_IDLE;
        uint8_t event = DAEMON_EVENT_HCI_PACKET_SENT;
        packet_handler(HCI_EVENT_PACKET, &event, 1);
    }

--- file: hci.c

static void event_handler(uint8_t *packet, int size){

    uint16_t event_length = packet[1];

    // assert packet is complete    
    if (size != event_length + 2){
        log_error("hci.c: event_handler called with event packet of wrong size %u, expected %u => dropping packet", size, event_length + 2);
        return;
    }

As you can see, event_handler() is trying to access packet[1] whereas 
h4_process() passed it a 1-byte packet.

Suggested fix:

static void event_handler(uint8_t *packet, int size){

    if(size > 1 && packet[0] != DAEMON_EVENT_HCI_PACKET_SENT)   // added check for DAEMON_EVENT_HCI_PACKET_SENT
    {
        uint16_t event_length = packet[1];
        // assert packet is complete    
        if (size != event_length + 2){
            log_error("hci.c: event_handler called with event packet of wrong size %u, expected %u => dropping packet", size, event_length + 2);
            return;
        }
    }

We have not checked yet if the suggested fix also makes SSP work. I'll work on this
later.

Original issue reported on code.google.com by muzaf...@mahkamov.com on 20 Dec 2013 at 1:29

GoogleCodeExporter commented 8 years ago
Thanks for reporting. I’ve fixed this in r2013 by sending valid HCI Event 
packets. 

Please try SSP again as it does work for me.

Original comment by matthias.ringwald@gmail.com on 20 Dec 2013 at 7:28
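The following is an added example, not code from btstack or from either commenter. It reproduces both sides of the thread in a stand-alone form: the reporter's point that `event_handler()` reads `packet[1]` of a one-byte packet, and the maintainer's remedy of emitting a well-formed HCI event (event code plus a parameter-length byte). The numeric value of `DAEMON_EVENT_HCI_PACKET_SENT` and all function names here are assumptions chosen for illustration; the length check itself mirrors the one quoted from hci.c, with a minimum-size guard in front of it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed value for this example only; the real definition lives in btstack's headers. */
#define DAEMON_EVENT_HCI_PACKET_SENT 0x70

/* Result codes for the packet check (names are this example's own). */
enum { EVT_OK = 0, EVT_TOO_SHORT = -1, EVT_BAD_LENGTH = -2 };

/* Guarded variant of the check at the top of event_handler(): an HCI event
   header is two bytes (event code, parameter length), so packet[1] is only
   read once the caller has proven that at least two bytes exist. */
int check_event_packet(const uint8_t *packet, int size) {
    if (packet == NULL || size < 2) {
        return EVT_TOO_SHORT;              /* r2012 would have read past the buffer here */
    }
    uint16_t event_length = packet[1];
    if (size != event_length + 2) {
        return EVT_BAD_LENGTH;             /* same condition as the log_error() path in hci.c */
    }
    return EVT_OK;
}

/* Sender side, in the spirit of the r2013 fix: build a complete "packet sent"
   event with zero parameters instead of passing a lone event-code byte. */
int build_packet_sent_event(uint8_t *out, size_t out_len) {
    if (out == NULL || out_len < 2) {
        return -1;
    }
    out[0] = DAEMON_EVENT_HCI_PACKET_SENT;
    out[1] = 0;                            /* parameter length */
    return 2;                              /* bytes written = size to hand to the handler */
}

/* Replays the r2012 call: a one-byte "packet" (constructed input). */
int demo_one_byte_event(void) {
    uint8_t event = DAEMON_EVENT_HCI_PACKET_SENT;
    return check_event_packet(&event, 1);  /* EVT_TOO_SHORT */
}

/* Replays the r2013 call: a valid two-byte event (constructed input). */
int demo_valid_event(void) {
    uint8_t event[2];
    int n = build_packet_sent_event(event, sizeof event);
    return check_event_packet(event, n);   /* EVT_OK */
}

/* A truncated event: header claims 3 parameter bytes, only 1 arrived (constructed input). */
int demo_truncated_event(void) {
    uint8_t event[3] = { 0x05, 3, 0x00 };
    return check_event_packet(event, (int)sizeof event);  /* EVT_BAD_LENGTH */
}

int main(void) {
    printf("one-byte event : %d\n", demo_one_byte_event());
    printf("valid event    : %d\n", demo_valid_event());
    printf("truncated event: %d\n", demo_truncated_event());
    return 0;
}
```

The minimum-size guard is deliberately placed before any read of `packet[1]`, rather than keyed on the event code as in the suggested fix above, so that any short packet is rejected regardless of which event it carries.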