Merge branch 'fix/prov_ble_read_offset_v3.3' into 'release/v3.3'

BLE provisioning: Add check for valid ble read offset (v3.3) See merge request espressif/esp-idf!9747
2020-08-13 16:29:02 +08:00 · 2020-08-13 16:29:02 +08:00 · 9ff108dcd0
parent 0a75f2d5f8 fbdcfc8e4a
commit 9ff108dcd0
1 changed files with 19 additions and 8 deletions
--- a/components/protocomm/src/transports/protocomm_ble.c
+++ b/components/protocomm/src/transports/protocomm_ble.c
@ -108,28 +108,39 @@ static void transport_simple_ble_read(esp_gatts_cb_event_t event, esp_gatt_if_t
 {
    static const uint8_t *read_buf = NULL;
    static uint16_t read_len = 0;
+    static uint16_t max_read_len = 0;
    esp_gatt_status_t status = ESP_OK;

    ESP_LOGD(TAG, "Inside read w/ session - %d on param %d %d",
             param->read.conn_id, param->read.handle, read_len);
    if (!read_len && !param->read.offset) {
        ESP_LOGD(TAG, "Reading attr value first time");
-        status = esp_ble_gatts_get_attr_value(param->read.handle, &read_len,  &read_buf);
+        status = esp_ble_gatts_get_attr_value(param->read.handle, &read_len, &read_buf);
+        max_read_len = read_len;
+    } else if ((read_len + param->read.offset) > max_read_len) {
+        status = ESP_GATT_INVALID_OFFSET;
    } else {
        ESP_LOGD(TAG, "Subsequent read request for attr value");
    }

    esp_gatt_rsp_t gatt_rsp = {0};
-    gatt_rsp.attr_value.len = MIN(read_len, (protoble_internal->gatt_mtu - 1));
    gatt_rsp.attr_value.handle = param->read.handle;
    gatt_rsp.attr_value.offset = param->read.offset;
-    gatt_rsp.attr_value.auth_req = ESP_GATT_AUTH_REQ_NONE;
-    if (gatt_rsp.attr_value.len && read_buf) {
-        memcpy(gatt_rsp.attr_value.value,
-                read_buf + param->read.offset,
-                gatt_rsp.attr_value.len);
+
+    if (status == ESP_GATT_OK) {
+        gatt_rsp.attr_value.len = MIN(read_len, (protoble_internal->gatt_mtu - 1));
+        gatt_rsp.attr_value.auth_req = ESP_GATT_AUTH_REQ_NONE;
+        if (gatt_rsp.attr_value.len && read_buf) {
+            memcpy(gatt_rsp.attr_value.value,
+                    read_buf + param->read.offset,
+                    gatt_rsp.attr_value.len);
+        }
+        read_len -= gatt_rsp.attr_value.len;
+    } else {
+        read_len = 0;
+        max_read_len = 0;
+        read_buf = NULL;
    }
-    read_len -= gatt_rsp.attr_value.len;
    esp_err_t err = esp_ble_gatts_send_response(gatts_if, param->read.conn_id,
                                                param->read.trans_id, status, &gatt_rsp);
    if (err != ESP_OK) {