From ae64d9e7384596c145dde0cf0ef955af9c623801 Mon Sep 17 00:00:00 2001
From: wangcheng
Date: Mon, 8 Jun 2020 19:56:55 +0800
Subject: [PATCH] blufi: When the format of the received data packet is wrong, reply with an error response
---
 .../host/bluedroid/api/include/api/esp_blufi_api.h | 1 +
 .../host/bluedroid/btc/profile/esp/blufi/blufi_prf.c | 12 ++++++++++--
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/components/bt/host/bluedroid/api/include/api/esp_blufi_api.h b/components/bt/host/bluedroid/api/include/api/esp_blufi_api.h
index 690518748..f17fcbc22 100644
--- a/components/bt/host/bluedroid/api/include/api/esp_blufi_api.h
+++ b/components/bt/host/bluedroid/api/include/api/esp_blufi_api.h
@@ -83,6 +83,7 @@ typedef enum {
 ESP_BLUFI_DH_PARAM_ERROR,
 ESP_BLUFI_READ_PARAM_ERROR,
 ESP_BLUFI_MAKE_PUBLIC_ERROR,
+ ESP_BLUFI_DATA_FORMAT_ERROR,
 } esp_blufi_error_state_t;
 
 /**
diff --git a/components/bt/host/bluedroid/btc/profile/esp/blufi/blufi_prf.c b/components/bt/host/bluedroid/btc/profile/esp/blufi/blufi_prf.c
index 249bafa56..0dcea413e 100644
--- a/components/bt/host/bluedroid/btc/profile/esp/blufi/blufi_prf.c
+++ b/components/bt/host/bluedroid/btc/profile/esp/blufi/blufi_prf.c
@@ -433,11 +433,19 @@ static void btc_blufi_recv_handler(uint8_t *data, int len)
 blufi_env.aggr_buf = osi_malloc(blufi_env.total_len);
 if (blufi_env.aggr_buf == NULL) {
 BTC_TRACE_ERROR("%s no mem, len %d\n", __func__, blufi_env.total_len);
+ btc_blufi_report_error(ESP_BLUFI_DH_MALLOC_ERROR);
 return;
 }
 }
- memcpy(blufi_env.aggr_buf + blufi_env.offset, hdr->data + 2, hdr->data_len - 2);
- blufi_env.offset += (hdr->data_len - 2);
+ if (blufi_env.offset + hdr->data_len - 2 <= blufi_env.total_len){
+ memcpy(blufi_env.aggr_buf + blufi_env.offset, hdr->data + 2, hdr->data_len - 2);
+ blufi_env.offset += (hdr->data_len - 2);
+ } else {
+ BTC_TRACE_ERROR("%s payload is longer than packet length, len %d \n", __func__, blufi_env.total_len);
+ btc_blufi_report_error(ESP_BLUFI_DATA_FORMAT_ERROR);
+ return;
+ }
+
 } else {
 if (blufi_env.offset > 0) { /* if previous pkt is frag */
 memcpy(blufi_env.aggr_buf + blufi_env.offset, hdr->data, hdr->data_len);
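Review bot: The new bound covers only the fragment branch; the non-fragment path at the bottom of the hunk still copies `hdr->data_len` bytes to `aggr_buf + offset` with no comparison against `total_len`, so a final packet whose `data_len` exceeds the remaining space would still overrun the aggregation buffer with peer-supplied data. A matching guard before that memcpy, `if (blufi_env.offset + hdr->data_len > blufi_env.total_len)`, reporting `ESP_BLUFI_DATA_FORMAT_ERROR` and returning exactly as the fragment branch does, would close it. The fragment check also trusts `hdr->data_len >= 2`: if `data_len` is a small unsigned field promoted to int (its declaration is not visible here), `data_len - 2` goes negative for 0 or 1, satisfies the `<=` test and becomes a huge memcpy length, so `if (hdr->data_len < 2)` should be rejected first. On both new error returns `aggr_buf` and `offset` are left as they were; unless the caller frees and resets them elsewhere, a malformed fragment leaks the buffer and leaves stale state for the next packet, which is worth confirming. btc_blufi_recv_handler begins before and continues after this hunk.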