host/ble_l2cap_coc: coc_rx.sdus index should not exceed BLE_L2CAP_SDU…

…_BUFF_CNT Multiple calls to `ble_l2cap_coc_recv_ready` with `BLE_L2CAP_SDU_BUFF_CNT == 1` will lead to assigning coc_rx.sdus outside array range - so this will (most likely) overwrite rest of stucture. This will lead to either undefined behavior or crash when structure members are accessed.
apache · Jul 25, 2023 · 875192a · 875192a
1 parent ef0fb14
commit 875192a
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/nimble/host/src/ble_l2cap_coc.c b/nimble/host/src/ble_l2cap_coc.c
@@ -341,7 +341,8 @@ ble_l2cap_coc_chan_alloc(struct ble_hs_conn *conn, uint16_t psm, uint16_t mtu,
         chan->coc_rx.sdus[i] = NULL;
     }
     chan->coc_rx.current_sdu_idx = 0;
-    chan->coc_rx.next_sdu_alloc_idx = chan->coc_rx.sdus[0] == NULL ? 0 : 1;
+    chan->coc_rx.next_sdu_alloc_idx = chan->coc_rx.sdus[0] == NULL ||
+                                      BLE_L2CAP_SDU_BUFF_CNT == 1 ? 0 : 1;
 
     /* Number of credits should allow to send full SDU with on given
      * L2CAP MTU