Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

host/ble_l2cap_coc: coc_rx.sdus index should not exceed BLE_L2CAP_SDU_BUFF_CNT #1567

Merged
merged 1 commit into from
Jul 25, 2023
Merged

host/ble_l2cap_coc: coc_rx.sdus index should not exceed BLE_L2CAP_SDU_BUFF_CNT #1567

merged 1 commit into from
Jul 25, 2023

Conversation

KKopyscinski
Copy link
Contributor

Multiple calls to ble_l2cap_coc_recv_ready with
BLE_L2CAP_SDU_BUFF_CNT == 1 will lead to assigning coc_rx.sdus outside array range - so this will (most likely) overwrite rest of stucture. This will lead to either undefined behavior or crash when structure members are accessed.

@KKopyscinski
Copy link
Contributor Author

@jrotkiewicz PTAL. AFAIK if BLE_L2CAP_SDU_BUFF_CNT == 1 next and current indices should be equal (0) as in

mynewt-nimble/nimble/host/src/ble_l2cap_coc.c

Lines 606 to 610 in ef0fb14

if (chan->coc_rx.sdus[0] != NULL &&
chan->coc_rx.next_sdu_alloc_idx == chan->coc_rx.current_sdu_idx &&
BLE_L2CAP_SDU_BUFF_CNT != 1) {
return BLE_HS_EBUSY;
}

But maybe I'm missing something :) I'm sure of a crash though

@KKopyscinski
Copy link
Contributor Author

KKopyscinski commented Jul 25, 2023
edited
Loading

This was caught while testing #845

@KKopyscinski
Copy link
Contributor Author

As discussed offline, *sdu_rx might be NULL. In that case this is wrong, because it'll give index 1, also out of range

rymanluk
rymanluk reviewed Jul 25, 2023
View reviewed changes
nimble/host/src/ble_l2cap_coc.c Outdated
@@ -341,7 +341,8 @@ ble_l2cap_coc_chan_alloc(struct ble_hs_conn *conn, uint16_t psm, uint16_t mtu,
chan->coc_rx.sdus[i] = NULL;
}
chan->coc_rx.current_sdu_idx = 0;
chan->coc_rx.next_sdu_alloc_idx = chan->coc_rx.sdus[0] == NULL ? 0 : 1;
chan->coc_rx.next_sdu_alloc_idx = chan->coc_rx.sdus[0] == NULL ||
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks.

technically it is ok, but lets try to make it look nicer using if () Ok ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ble_l2cap_coc_chan_alloc can be called with *sdu_rx = NULL - in that case, with previous fix, we would set next_sdu_alloc_idx = 1 where it should be 0. Fixed this with simple if case for BLE_L2CAP_SDU_BUFF_CNT == 1

@KKopyscinski
host/ble_l2cap_coc: coc_rx.sdus index should not exceed BLE_L2CAP_SDU…
e563f14 
…_BUFF_CNT

Multiple calls to `ble_l2cap_coc_recv_ready` with
`BLE_L2CAP_SDU_BUFF_CNT == 1` will lead to assigning coc_rx.sdus outside
array range - so this will (most likely) overwrite rest of stucture.
This will lead to either undefined behavior or crash when structure
members are accessed.
@jrotkiewicz
Copy link
Contributor

LGTM

rymanluk
rymanluk approved these changes Jul 25, 2023
View reviewed changes
Copy link
Contributor

@rymanluk rymanluk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@rymanluk rymanluk merged commit dc60f90 into apache:master Jul 25, 2023
@KKopyscinski KKopyscinski deleted the l2cap_single_sdu_crash_fix branch February 13, 2024 07:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rymanluk rymanluk rymanluk approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@KKopyscinski @jrotkiewicz @rymanluk