host/ble_l2cap_coc: coc_rx.sdus index should not exceed BLE_L2CAP_SDU_BUFF_CNT

Multiple calls to `ble_l2cap_coc_recv_ready` with
`BLE_L2CAP_SDU_BUFF_CNT == 1` will lead to assigning coc_rx.sdus outside
array range - so this will (most likely) overwrite rest of structure.
This will lead to either undefined behavior or crash when structure
members are accessed.
KKopyscinski authored and rymanluk committed Jul 25, 2023
1 parent ef0fb14 commit dc60f90
Showing 1 changed file with 6 additions and 1 deletion.
7 changes: 6 additions & 1 deletion nimble/host/src/ble_l2cap_coc.c
Expand Up @@ -341,7 +341,12 @@ ble_l2cap_coc_chan_alloc(struct ble_hs_conn *conn, uint16_t psm, uint16_t mtu,
chan->coc_rx.sdus[i] = NULL;
}
chan->coc_rx.current_sdu_idx = 0;
chan->coc_rx.next_sdu_alloc_idx = chan->coc_rx.sdus[0] == NULL ? 0 : 1;

if (BLE_L2CAP_SDU_BUFF_CNT == 1) {
chan->coc_rx.next_sdu_alloc_idx = 0;
} else {
chan->coc_rx.next_sdu_alloc_idx = chan->coc_rx.sdus[0] == NULL ? 0 : 1;
}

/* Number of credits should allow to send full SDU with on given
* L2CAP MTU
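Review bot: the commit message locates the out-of-range write in repeated calls to `ble_l2cap_coc_recv_ready`, but this hunk only changes the initial value set in `ble_l2cap_coc_chan_alloc`; please confirm that the index advance in `recv_ready` is also wrapped modulo `BLE_L2CAP_SDU_BUFF_CNT`, otherwise a second call can still move `next_sdu_alloc_idx` past the last slot after this fix. Two smaller points: `BLE_L2CAP_SDU_BUFF_CNT == 1` is a build-time constant, so an `#if` would state the intent directly and keep the ternary out of single-buffer builds entirely, and a one-line comment on why index 1 is invalid for that configuration would help the next reader of this branch.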
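The following is an added example, not code from the NimBLE commit or the project: a small C model of the receive-SDU ring described in the commit message. `SDU_BUFF_CNT`, `struct sdu_rx`, `store_sdu_checked` and the sentinel field are assumptions standing in for `BLE_L2CAP_SDU_BUFF_CNT`, `chan->coc_rx` and `ble_l2cap_coc_recv_ready`. It shows why the removed initialisation yields an index one past the end of `sdus[]` when the buffer count is 1, that the committed fix yields 0, and, going beyond the commit, a bounds-checked store with modulo wrap that keeps the index inside the array for any buffer count so the fields after the array are never overwritten.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for NimBLE's BLE_L2CAP_SDU_BUFF_CNT syscfg value.
 * 1 is the configuration the commit fixes. */
#ifndef SDU_BUFF_CNT
#define SDU_BUFF_CNT 1
#endif

/* Simplified model of chan->coc_rx: a ring of SDU slots followed by the
 * indices and a sentinel that stands in for "the rest of the structure". */
struct sdu_rx {
    void *sdus[SDU_BUFF_CNT];
    unsigned current_sdu_idx;
    unsigned next_sdu_alloc_idx;
    unsigned sentinel;
};

#define SENTINEL 0xA5A5u

static bool idx_in_range(unsigned idx)
{
    return idx < SDU_BUFF_CNT;
}

/* The removed line: with SDU_BUFF_CNT == 1 and slot 0 in use this yields 1,
 * one past the end of sdus[]. */
static unsigned old_next_alloc_idx(const struct sdu_rx *rx)
{
    return rx->sdus[0] == NULL ? 0 : 1;
}

/* The committed fix: a single-slot ring can only ever allocate at index 0. */
static unsigned new_next_alloc_idx(const struct sdu_rx *rx)
{
    if (SDU_BUFF_CNT == 1) {
        return 0;
    }
    return rx->sdus[0] == NULL ? 0 : 1;
}

/* General form: advance and wrap, so the bound holds for any buffer count. */
static unsigned ring_next(unsigned idx)
{
    return (idx + 1) % SDU_BUFF_CNT;
}

/* Model of a recv_ready-style store that refuses to write past the array
 * instead of corrupting the fields that follow it. */
static bool store_sdu_checked(struct sdu_rx *rx, void *sdu)
{
    if (!idx_in_range(rx->next_sdu_alloc_idx)) {
        return false;
    }
    rx->sdus[rx->next_sdu_alloc_idx] = sdu;
    rx->next_sdu_alloc_idx = ring_next(rx->next_sdu_alloc_idx);
    return true;
}

/* true when the pre-fix initialisation produces an index outside sdus[] */
bool old_index_out_of_range(void)
{
    static int in_use;
    struct sdu_rx rx = {{0}, 0, 0, SENTINEL};
    rx.sdus[0] = &in_use;          /* slot 0 already holds an SDU */
    return !idx_in_range(old_next_alloc_idx(&rx));
}

/* true when the fixed initialisation produces an index outside sdus[] */
bool new_index_out_of_range(void)
{
    static int in_use;
    struct sdu_rx rx = {{0}, 0, 0, SENTINEL};
    rx.sdus[0] = &in_use;
    return !idx_in_range(new_next_alloc_idx(&rx));
}

/* Stores n SDUs through the checked path; returns how many were accepted,
 * or 0 if the sentinel after the array was ever touched. */
unsigned bounded_store_count(unsigned n)
{
    static int payload;            /* constructed stand-in for an SDU */
    struct sdu_rx rx = {{0}, 0, 0, SENTINEL};
    unsigned accepted = 0;
    for (unsigned i = 0; i < n; i++) {
        if (store_sdu_checked(&rx, &payload)) {
            accepted++;
        }
    }
    return rx.sentinel == SENTINEL ? accepted : 0;
}

int main(void)
{
    printf("SDU_BUFF_CNT=%d old-logic index out of range: %s\n", SDU_BUFF_CNT,
           old_index_out_of_range() ? "yes" : "no");
    printf("fixed-logic index out of range: %s\n",
           new_index_out_of_range() ? "yes" : "no");
    printf("checked stores accepted: %u of 3\n", bounded_store_count(3));
    return 0;
}
```

Build with `-DSDU_BUFF_CNT=2` or larger to see that the old and new initialisation agree once there is more than one slot; the checked store stays in range in every configuration because the wrap is derived from the array size rather than hard-coded.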

0 comments on commit dc60f90