From be135133787fb90bc8e310118d12cdcfe30b20ca Mon Sep 17 00:00:00 2001 From: Prasad Alatkar Date: Tue, 9 Jun 2020 23:16:11 +0530 Subject: [PATCH] BLE provisioning: Add check for valid ble read offset --- .../protocomm/src/transports/protocomm_ble.c | 27 +++++++++++++------ 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/components/protocomm/src/transports/protocomm_ble.c b/components/protocomm/src/transports/protocomm_ble.c index 6c5933405..053b37f1d 100644 --- a/components/protocomm/src/transports/protocomm_ble.c +++ b/components/protocomm/src/transports/protocomm_ble.c @@ -108,28 +108,39 @@ static void transport_simple_ble_read(esp_gatts_cb_event_t event, esp_gatt_if_t { static const uint8_t *read_buf = NULL; static uint16_t read_len = 0; + static uint16_t max_read_len = 0; esp_gatt_status_t status = ESP_OK; ESP_LOGD(TAG, "Inside read w/ session - %d on param %d %d", param->read.conn_id, param->read.handle, read_len); if (!read_len && !param->read.offset) { ESP_LOGD(TAG, "Reading attr value first time"); - status = esp_ble_gatts_get_attr_value(param->read.handle, &read_len, &read_buf); + status = esp_ble_gatts_get_attr_value(param->read.handle, &read_len, &read_buf); + max_read_len = read_len; + } else if ((read_len + param->read.offset) > max_read_len) { + status = ESP_GATT_INVALID_OFFSET; } else { ESP_LOGD(TAG, "Subsequent read request for attr value"); } esp_gatt_rsp_t gatt_rsp = {0}; - gatt_rsp.attr_value.len = MIN(read_len, (protoble_internal->gatt_mtu - 1)); gatt_rsp.attr_value.handle = param->read.handle; gatt_rsp.attr_value.offset = param->read.offset; - gatt_rsp.attr_value.auth_req = ESP_GATT_AUTH_REQ_NONE; - if (gatt_rsp.attr_value.len && read_buf) { - memcpy(gatt_rsp.attr_value.value, - read_buf + param->read.offset, - gatt_rsp.attr_value.len); + + if (status == ESP_GATT_OK) { + gatt_rsp.attr_value.len = MIN(read_len, (protoble_internal->gatt_mtu - 1)); + gatt_rsp.attr_value.auth_req = ESP_GATT_AUTH_REQ_NONE; + if (gatt_rsp.attr_value.len && read_buf) { + memcpy(gatt_rsp.attr_value.value, + read_buf + param->read.offset, + gatt_rsp.attr_value.len); + } + read_len -= gatt_rsp.attr_value.len; + } else { + read_len = 0; + max_read_len = 0; + read_buf = NULL; } - read_len -= gatt_rsp.attr_value.len; esp_err_t err = esp_ble_gatts_send_response(gatts_if, param->read.conn_id, param->read.trans_id, status, &gatt_rsp); if (err != ESP_OK) {