From e563f14970d54c2c2e319d68b2651436616e5cba Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Krzysztof=20Kopy=C5=9Bci=C5=84ski?=
Date: Tue, 25 Jul 2023 08:39:41 +0200
Subject: [PATCH] host/ble_l2cap_coc: coc_rx.sdus index should not exceed BLE_L2CAP_SDU_BUFF_CNT

Multiple calls to `ble_l2cap_coc_recv_ready` with `BLE_L2CAP_SDU_BUFF_CNT == 1` will lead to assigning coc_rx.sdus outside array range - so this will (most likely) overwrite rest of stucture. This will lead to either undefined behavior or crash when structure members are accessed.
---
 nimble/host/src/ble_l2cap_coc.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/nimble/host/src/ble_l2cap_coc.c b/nimble/host/src/ble_l2cap_coc.c
index ae5624ce98..25727ee19c 100644
--- a/nimble/host/src/ble_l2cap_coc.c
+++ b/nimble/host/src/ble_l2cap_coc.c
@@ -341,7 +341,12 @@ ble_l2cap_coc_chan_alloc(struct ble_hs_conn *conn, uint16_t psm, uint16_t mtu,
         chan->coc_rx.sdus[i] = NULL;
     }
     chan->coc_rx.current_sdu_idx = 0;
-    chan->coc_rx.next_sdu_alloc_idx = chan->coc_rx.sdus[0] == NULL ? 0 : 1;
+
+    if (BLE_L2CAP_SDU_BUFF_CNT == 1) {
+        chan->coc_rx.next_sdu_alloc_idx = 0;
+    } else {
+        chan->coc_rx.next_sdu_alloc_idx = chan->coc_rx.sdus[0] == NULL ? 0 : 1;
+    }
 
     /* Number of credits should allow to send full SDU with on given
      * L2CAP MTU
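Review bot: The new branch only corrects the initial value of next_sdu_alloc_idx; the commit message blames repeated ble_l2cap_coc_recv_ready calls, and if that function advances the index without wrapping (its code is outside this hunk, so I cannot confirm), the same out-of-bounds write into coc_rx.sdus is still reachable for any BLE_L2CAP_SDU_BUFF_CNT once enough SDUs are queued, and the increment site needs the same bound. The special case added here can be folded into one expression that is correct for every buffer count, `chan->coc_rx.next_sdu_alloc_idx = (chan->coc_rx.sdus[0] == NULL ? 0 : 1) % BLE_L2CAP_SDU_BUFF_CNT;`, which avoids an `if` on a compile-time constant and keeps the index in range by construction. A `_Static_assert(BLE_L2CAP_SDU_BUFF_CNT >= 1, "coc_rx.sdus must hold at least one SDU")` next to the array definition would turn a zero-sized configuration into a build error rather than a silent out-of-range index. A short comment on the assignment, e.g. `/* slot 0 is pre-filled by the caller when sdus[0] != NULL; with a single slot the next allocation must reuse it */`, would record why index 0 is correct in the single-buffer case. ble_l2cap_coc_chan_alloc begins before and continues past this hunk.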