From 6576cee0e846df844eb8e1a89356b54dae0fa9b4 Mon Sep 17 00:00:00 2001 From: xiongweichao Date: Fri, 12 Nov 2021 11:10:03 +0800 Subject: [PATCH 1/6] Logically dead code --- components/bt/host/bluedroid/stack/btm/btm_ble_gap.c | 7 +++---- components/bt/host/bluedroid/stack/l2cap/l2c_api.c | 8 ++------ 2 files changed, 5 insertions(+), 10 deletions(-) diff --git a/components/bt/host/bluedroid/stack/btm/btm_ble_gap.c b/components/bt/host/bluedroid/stack/btm/btm_ble_gap.c index d3928a0132..2f0d7d3b02 100644 --- a/components/bt/host/bluedroid/stack/btm/btm_ble_gap.c +++ b/components/bt/host/bluedroid/stack/btm/btm_ble_gap.c @@ -1805,8 +1805,10 @@ tBTM_STATUS BTM_UpdateBleDuplicateExceptionalList(uint8_t subcode, uint32_t type tBTM_UPDATE_DUPLICATE_EXCEPTIONAL_LIST_CMPL_CBACK update_exceptional_list_cmp_cb) { tBTM_BLE_CB *ble_cb = &btm_cb.ble_ctr_cb; - ble_cb->update_exceptional_list_cmp_cb = update_exceptional_list_cmp_cb; tBTM_STATUS status = BTM_NO_RESOURCES; + + ble_cb->update_exceptional_list_cmp_cb = update_exceptional_list_cmp_cb; + if (!controller_get_interface()->supports_ble()) { return BTM_ILLEGAL_VALUE; } @@ -1841,9 +1843,6 @@ tBTM_STATUS BTM_UpdateBleDuplicateExceptionalList(uint8_t subcode, uint32_t type //do nothing break; } - if(status == BTM_ILLEGAL_VALUE) { - return status; - } status = BTM_VendorSpecificCommand(HCI_VENDOR_BLE_UPDATE_DUPLICATE_EXCEPTIONAL_LIST, 1 + 4 + BD_ADDR_LEN, device_info_array, NULL); if(status == BTM_CMD_STARTED) { diff --git a/components/bt/host/bluedroid/stack/l2cap/l2c_api.c b/components/bt/host/bluedroid/stack/l2cap/l2c_api.c index 7769c86eb3..f58d816709 100644 --- a/components/bt/host/bluedroid/stack/l2cap/l2c_api.c +++ b/components/bt/host/bluedroid/stack/l2cap/l2c_api.c 
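Review bot: The callback is now stored into `ble_cb->update_exceptional_list_cmp_cb` before the `supports_ble()` check, so a call rejected with BTM_ILLEGAL_VALUE still overwrites whatever callback was registered earlier. Moving the assignment below that `return BTM_ILLEGAL_VALUE;` keeps a rejected call free of side effects. The ordering is pre-existing; the reorder in this hunk only preserves it, and the rest of the function runs past the hunk.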
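Review bot: Removing the `if(status == BTM_ILLEGAL_VALUE)` guard is only safe as long as no case of the preceding switch assigns BTM_ILLEGAL_VALUE to `status`; the switch body lies outside the hunk, and the visible `//do nothing` / `break;` shows at least one case that falls out without touching it. If a case later starts rejecting input through `status`, the vendor command will now be sent regardless. A `default: return BTM_ILLEGAL_VALUE;` in the switch, or a comment such as `/* status is only assigned by the vendor command below; each case validates in place */`, would keep that invariant visible to the next editor.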
@@ -1715,13 +1715,9 @@ BOOLEAN L2CA_ConnectFixedChnl (UINT16 fixed_cid, BD_ADDR rem_bda, tBLE_ADDR_TYPE return TRUE; } -#if BLE_INCLUDED == TRUE (*l2cb.fixed_reg[fixed_cid - L2CAP_FIRST_FIXED_CHNL].pL2CA_FixedConn_Cb) - (fixed_cid, p_lcb->remote_bd_addr, TRUE, 0, p_lcb->transport); -#else - (*l2cb.fixed_reg[fixed_cid - L2CAP_FIRST_FIXED_CHNL].pL2CA_FixedConn_Cb) - (fixed_cid, p_lcb->remote_bd_addr, TRUE, 0, BT_TRANSPORT_BR_EDR); -#endif + (fixed_cid, p_lcb->remote_bd_addr, TRUE, 0, transport); + return TRUE; } From a7f26d24d983f233202fb92d1914cb8a69e852fb Mon Sep 17 00:00:00 2001 From: xiongweichao Date: Fri, 12 Nov 2021 14:40:23 +0800 Subject: [PATCH 2/6] Dereference before null check --- .../bt/host/bluedroid/bta/gatt/bta_gattc_api.c | 2 +- .../host/bluedroid/btc/profile/std/gatt/btc_gattc.c | 2 +- components/bt/host/bluedroid/hci/hci_hal_h4.c | 3 ++- components/bt/host/bluedroid/stack/btm/btm_ble.c | 11 ++++++----- components/bt/host/bluedroid/stack/gatt/gatt_api.c | 8 ++++---- components/bt/host/bluedroid/stack/l2cap/l2c_ble.c | 13 +++++++------ 6 files changed, 21 insertions(+), 18 deletions(-) diff --git a/components/bt/host/bluedroid/bta/gatt/bta_gattc_api.c b/components/bt/host/bluedroid/bta/gatt/bta_gattc_api.c index cd581cd844..f586db4c49 100644 --- a/components/bt/host/bluedroid/bta/gatt/bta_gattc_api.c +++ b/components/bt/host/bluedroid/bta/gatt/bta_gattc_api.c @@ -758,7 +758,7 @@ void BTA_GATTC_PrepareWriteCharDescr (UINT16 conn_id, UINT16 handle, tBTA_GATT_AUTH_REQ auth_req) { tBTA_GATTC_API_WRITE *p_buf; - UINT16 len = sizeof(tBTA_GATTC_API_WRITE) + p_data->len; + UINT16 len = sizeof(tBTA_GATTC_API_WRITE); if (p_data != NULL) { len += p_data->len; diff --git a/components/bt/host/bluedroid/btc/profile/std/gatt/btc_gattc.c b/components/bt/host/bluedroid/btc/profile/std/gatt/btc_gattc.c index 4a8321d8e1..2825ac2a9a 100644 --- a/components/bt/host/bluedroid/btc/profile/std/gatt/btc_gattc.c 
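Review bot: The BLE build previously reported the link's own `p_lcb->transport` to the fixed-channel callback, while the new line reports `transport`, which I take to be the function parameter (its declaration is outside the hunk). The two agree only if the LCB lookup earlier in L2CA_ConnectFixedChnl is keyed by the same transport; if it can return an LCB for the other transport, the callback now sees the requested transport rather than the actual one. Either keep `p_lcb->transport` here for BLE builds, or add `/* transport matches p_lcb->transport: the LCB was looked up with it */` at the call so the equivalence is stated. The earlier part of the function is outside the hunk.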
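Review bot: `len` is a UINT16, so `len += p_data->len` wraps when `p_data->len` (presumably also 16-bit) is close to 65535, and the buffer allocated from `len` later in the function would be too small for the copy that follows. `p_data` arrives from the application layer, so the length should be bounded before it is added, either by rejecting values above the maximum attribute length the stack defines or by computing `len` in a wider type and checking the result. The allocation and copy are outside the hunk.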
+++ b/components/bt/host/bluedroid/btc/profile/std/gatt/btc_gattc.c @@ -121,7 +121,7 @@ static void btc_gattc_copy_req_data(btc_msg_t *msg, void *p_dest, void *p_src) tBTA_GATTC *p_dest_data = (tBTA_GATTC *) p_dest; tBTA_GATTC *p_src_data = (tBTA_GATTC *) p_src; - if (!p_src_data || !p_dest_data) { + if (!p_src_data || !p_dest_data || !msg) { return; } diff --git a/components/bt/host/bluedroid/hci/hci_hal_h4.c b/components/bt/host/bluedroid/hci/hci_hal_h4.c index 8410efb2c0..09d3e8841d 100644 --- a/components/bt/host/bluedroid/hci/hci_hal_h4.c +++ b/components/bt/host/bluedroid/hci/hci_hal_h4.c @@ -229,11 +229,12 @@ static void hci_hal_h4_hdl_rx_packet(BT_HDR *packet) { uint8_t type, hdr_size; uint16_t length; - uint8_t *stream = packet->data + packet->offset; + uint8_t *stream = NULL; if (!packet) { return; } + stream = packet->data + packet->offset; #if (C2H_FLOW_CONTROL_INCLUDED == TRUE) hci_packet_complete(packet); diff --git a/components/bt/host/bluedroid/stack/btm/btm_ble.c b/components/bt/host/bluedroid/stack/btm/btm_ble.c index 54ffcaa111..60a04154f7 100644 --- a/components/bt/host/bluedroid/stack/btm/btm_ble.c +++ b/components/bt/host/bluedroid/stack/btm/btm_ble.c @@ -867,6 +867,7 @@ BOOLEAN BTM_UseLeLink (BD_ADDR bd_addr) tBTM_STATUS BTM_SetBleDataLength(BD_ADDR bd_addr, UINT16 tx_pdu_length) { tACL_CONN *p_acl = btm_bda_to_acl(bd_addr, BT_TRANSPORT_LE); + BTM_TRACE_DEBUG("%s: tx_pdu_length =%d", __FUNCTION__, tx_pdu_length); if (!controller_get_interface()->supports_ble_packet_extension()) { 
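Review bot: `stream = packet->data + packet->offset` now runs after the NULL check, but `type`, `hdr_size` and `length` are still declared without initializers, which sits oddly next to the `uint8_t *stream = NULL;` style the hunk adopts; `uint16_t length = 0;` and the like would be consistent. The header fields are presumably parsed from `stream` further down (the function continues outside the hunk); confirm that `packet->len` is compared against the header size before those reads so a short packet from the HAL cannot be read past its buffer.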
@@ -874,12 +875,12 @@ tBTM_STATUS BTM_SetBleDataLength(BD_ADDR bd_addr, UINT16 tx_pdu_length) return BTM_CONTROL_LE_DATA_LEN_UNSUPPORTED; } - if (!HCI_LE_DATA_LEN_EXT_SUPPORTED(p_acl->peer_le_features)) { - BTM_TRACE_ERROR("%s failed, peer does not support request", __FUNCTION__); - return BTM_PEER_LE_DATA_LEN_UNSUPPORTED; - } - if (p_acl != NULL) { + if (!HCI_LE_DATA_LEN_EXT_SUPPORTED(p_acl->peer_le_features)) { + BTM_TRACE_ERROR("%s failed, peer does not support request", __FUNCTION__); + return BTM_PEER_LE_DATA_LEN_UNSUPPORTED; + } + if (tx_pdu_length > BTM_BLE_DATA_SIZE_MAX) { tx_pdu_length = BTM_BLE_DATA_SIZE_MAX; } else if (tx_pdu_length < BTM_BLE_DATA_SIZE_MIN) { diff --git a/components/bt/host/bluedroid/stack/gatt/gatt_api.c b/components/bt/host/bluedroid/stack/gatt/gatt_api.c index c4fb40e1b7..06e0ac4d1a 100644 --- a/components/bt/host/bluedroid/stack/gatt/gatt_api.c +++ b/components/bt/host/bluedroid/stack/gatt/gatt_api.c @@ -814,15 +814,15 @@ tGATT_STATUS GATTC_ConfigureMTU (UINT16 conn_id) GATT_TRACE_API ("GATTC_ConfigureMTU conn_id=%d mtu=%d", conn_id, mtu ); + if ( (p_tcb == NULL) || (p_reg == NULL) || (mtu < GATT_DEF_BLE_MTU_SIZE) || (mtu > GATT_MAX_MTU_SIZE)) { + return GATT_ILLEGAL_PARAMETER; + } + /* Validate that the link is BLE, not BR/EDR */ if (p_tcb->transport != BT_TRANSPORT_LE) { return GATT_ERROR; } - if ( (p_tcb == NULL) || (p_reg == NULL) || (mtu < GATT_DEF_BLE_MTU_SIZE) || (mtu > GATT_MAX_MTU_SIZE)) { - return GATT_ILLEGAL_PARAMETER; - } - if (gatt_is_clcb_allocated(conn_id)) { GATT_TRACE_ERROR("GATTC_ConfigureMTU GATT_BUSY conn_id = %d", conn_id); return GATT_BUSY; diff --git a/components/bt/host/bluedroid/stack/l2cap/l2c_ble.c b/components/bt/host/bluedroid/stack/l2cap/l2c_ble.c index 0786f45d06..e2bc1f0b0b 100644 --- a/components/bt/host/bluedroid/stack/l2cap/l2c_ble.c +++ b/components/bt/host/bluedroid/stack/l2cap/l2c_ble.c 
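Review bot: Nesting the peer-feature check inside `if (p_acl != NULL)` turns a flat sequence of guard clauses into an extra indentation level; a guard at the same spot, `if (p_acl == NULL) { BTM_TRACE_ERROR("%s failed, no ACL for peer", __FUNCTION__); return ...; }` with the status this function already uses for a missing link, keeps the checks flat and makes the NULL path explicit. What happens when `p_acl` is NULL is outside the hunk; if control falls through to issuing the HCI command without a link, that path should be an error return rather than a silent skip.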
@@ -1206,6 +1206,8 @@ void l2cble_update_data_length(tL2C_LCB *p_lcb) void l2cble_process_data_length_change_event(UINT16 handle, UINT16 tx_data_len, UINT16 rx_data_len) { tL2C_LCB *p_lcb = l2cu_find_lcb_by_handle(handle); + tACL_CONN *p_acl = btm_handle_to_acl(handle); + tBTM_LE_SET_PKT_DATA_LENGTH_PARAMS data_length_params; L2CAP_TRACE_DEBUG("%s TX data len = %d", __FUNCTION__, tx_data_len); if (p_lcb == NULL) { @@ -1216,16 +1218,15 @@ void l2cble_process_data_length_change_event(UINT16 handle, UINT16 tx_data_len, p_lcb->tx_data_len = tx_data_len; } - tACL_CONN *p_acl = btm_handle_to_acl(handle); - tBTM_LE_SET_PKT_DATA_LENGTH_PARAMS data_length_params; data_length_params.rx_len = rx_data_len; data_length_params.tx_len = tx_data_len; - p_acl->data_length_params = data_length_params; - if (p_acl != NULL && p_acl->p_set_pkt_data_cback){ - (*p_acl->p_set_pkt_data_cback)(BTM_SUCCESS, &data_length_params); - } if(p_acl) { + p_acl->data_length_params = data_length_params; + if (p_acl->p_set_pkt_data_cback) { + (*p_acl->p_set_pkt_data_cback)(BTM_SUCCESS, &data_length_params); + } + p_acl->data_len_updating = false; if(p_acl->data_len_waiting) { p_acl->data_len_waiting = false; From 50f34eb5539745b778b55c420e38fb619a5fdfc1 Mon Sep 17 00:00:00 2001 From: xiongweichao Date: Fri, 12 Nov 2021 16:19:44 +0800 Subject: [PATCH 3/6] Dereference after null check --- .../host/bluedroid/bta/gatt/bta_gattc_act.c | 9 ++++++-- .../bt/host/bluedroid/stack/btm/btm_acl.c | 2 +- .../bt/host/bluedroid/stack/btm/btm_ble_gap.c | 2 ++ .../bt/host/bluedroid/stack/btm/btm_sec.c | 2 +- .../bt/host/bluedroid/stack/gatt/gatt_auth.c | 23 ++++++++++--------- .../bt/host/bluedroid/stack/l2cap/l2c_main.c | 2 +- 6 files changed, 24 insertions(+), 16 deletions(-) diff --git a/components/bt/host/bluedroid/bta/gatt/bta_gattc_act.c b/components/bt/host/bluedroid/bta/gatt/bta_gattc_act.c index 9f5417bf76..acac42e4d5 100644 --- a/components/bt/host/bluedroid/bta/gatt/bta_gattc_act.c 
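Review bot: `data_length_params` is declared on the new line without an initializer, and the assignments later in the function only set `rx_len` and `tx_len`; if tBTM_LE_SET_PKT_DATA_LENGTH_PARAMS has any other member, that member is copied indeterminate into `p_acl->data_length_params` and handed to the callback. `tBTM_LE_SET_PKT_DATA_LENGTH_PARAMS data_length_params = {0};` costs nothing and removes the question.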
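Review bot: When `p_lcb` is found but `btm_handle_to_acl(handle)` returns NULL, the length-change event is now dropped without any trace, whereas the `p_lcb == NULL` branch just above appears to handle its case explicitly (its body is cut off by the hunk). An `else { L2CAP_TRACE_DEBUG("%s no ACL for handle %d", __FUNCTION__, handle); }` on the `if(p_acl)` would make the mismatch between L2CAP and ACL state visible when debugging. The tail of the `if(p_acl)` block is outside the hunk.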
+++ b/components/bt/host/bluedroid/bta/gatt/bta_gattc_act.c @@ -490,9 +490,14 @@ void bta_gattc_open(tBTA_GATTC_CLCB *p_clcb, tBTA_GATTC_DATA *p_data) { tBTA_GATTC_DATA gattc_data; BOOLEAN found_app = FALSE; + tGATT_TCB *p_tcb; - tGATT_TCB *p_tcb = gatt_find_tcb_by_addr(p_data->api_conn.remote_bda, BT_TRANSPORT_LE); - if(p_tcb && p_clcb && p_data) { + if (!p_clcb || !p_data) { + return; + } + + p_tcb = gatt_find_tcb_by_addr(p_data->api_conn.remote_bda, BT_TRANSPORT_LE); + if(p_tcb) { found_app = gatt_find_specific_app_in_hold_link(p_tcb, p_clcb->p_rcb->client_if); } /* open/hold a connection */ diff --git a/components/bt/host/bluedroid/stack/btm/btm_acl.c b/components/bt/host/bluedroid/stack/btm/btm_acl.c index 83e23d7b45..1dce5c3550 100644 --- a/components/bt/host/bluedroid/stack/btm/btm_acl.c +++ b/components/bt/host/bluedroid/stack/btm/btm_acl.c @@ -509,7 +509,7 @@ void btm_acl_device_down (void) BTM_TRACE_DEBUG ("btm_acl_device_down\n"); for (list_node_t *p_node = list_begin(btm_cb.p_acl_db_list); p_node; p_node = list_next(p_node)) { p = list_node(p_node); - if (!p && p->in_use) { + if (p && p->in_use) { BTM_TRACE_DEBUG ("hci_handle=%d HCI_ERR_HW_FAILURE \n", p->hci_handle ); l2c_link_hci_disc_comp (p->hci_handle, HCI_ERR_HW_FAILURE); } diff --git a/components/bt/host/bluedroid/stack/btm/btm_ble_gap.c b/components/bt/host/bluedroid/stack/btm/btm_ble_gap.c index 2f0d7d3b02..3da5317dcd 100644 --- a/components/bt/host/bluedroid/stack/btm/btm_ble_gap.c +++ b/components/bt/host/bluedroid/stack/btm/btm_ble_gap.c @@ -1527,6 +1527,8 @@ tBTM_STATUS BTM_BleSetAdvParamsAll(UINT16 adv_int_min, UINT16 adv_int_max, UINT8 if (p_dir_bda) { memcpy(&p_cb->direct_bda, p_dir_bda, sizeof(tBLE_BD_ADDR)); + } else { + return BTM_ILLEGAL_VALUE; } BTM_TRACE_EVENT ("update params for an active adv\n"); diff --git a/components/bt/host/bluedroid/stack/btm/btm_sec.c b/components/bt/host/bluedroid/stack/btm/btm_sec.c index e0ee26c05d..f459a20560 100644 
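Review bot: The new guard covers `p_clcb` and `p_data`, but the next line still dereferences `p_clcb->p_rcb` (`p_clcb->p_rcb->client_if`) without checking it; extending the inner condition to `if(p_tcb && p_clcb->p_rcb) {` closes that gap. Whether `p_rcb` can be NULL for a CLCB at this point is not visible here; the rest of bta_gattc_open is outside the hunk.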
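Review bot: The corrected condition now actually calls `l2c_link_hci_disc_comp()` for every in-use ACL while the loop walks `btm_cb.p_acl_db_list` with `list_next(p_node)`; if the disconnect-complete path removes the ACL entry from that same list (the callee is outside the hunk), `list_next` then runs on a freed node. Confirm the list is left intact during the call, or collect the handles first and issue the disconnects after the loop. Since the old `!p && p->in_use` made the body unreachable, this code path is effectively new behaviour and deserves a run under the device-down scenario.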
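Review bot: Returning BTM_ILLEGAL_VALUE whenever `p_dir_bda` is NULL is a behaviour change rather than only a null-check fix: every caller that updates active advertising parameters without a direct address now fails. That is correct only if this branch is already limited to directed advertising by a condition outside the hunk; otherwise the NULL case should remain a no-op for `direct_bda`. A comment such as `/* directed adv requires a peer address */` at the new `else` would document the intent either way.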
--- a/components/bt/host/bluedroid/stack/btm/btm_sec.c +++ b/components/bt/host/bluedroid/stack/btm/btm_sec.c @@ -1527,8 +1527,8 @@ void BTM_ConfirmReqReply(tBTM_STATUS res, BD_ADDR bd_addr) if (res == BTM_SUCCESS) { if ((p_dev_rec = btm_find_dev (bd_addr)) != NULL) { p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_AUTHED; + p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED; } - p_dev_rec->sec_flags |= BTM_SEC_16_DIGIT_PIN_AUTHED; } btsnd_hcic_user_conf_reply (bd_addr, TRUE); diff --git a/components/bt/host/bluedroid/stack/gatt/gatt_auth.c b/components/bt/host/bluedroid/stack/gatt/gatt_auth.c index b72cb6faee..4db0a554d5 100644 --- a/components/bt/host/bluedroid/stack/gatt/gatt_auth.c +++ b/components/bt/host/bluedroid/stack/gatt/gatt_auth.c @@ -140,19 +140,20 @@ void gatt_verify_signature(tGATT_TCB *p_tcb, BT_HDR *p_buf) *******************************************************************************/ void gatt_sec_check_complete(BOOLEAN sec_check_ok, tGATT_CLCB *p_clcb, UINT8 sec_act) { - if (p_clcb && p_clcb->p_tcb && - fixed_queue_is_empty(p_clcb->p_tcb->pending_enc_clcb)) { - gatt_set_sec_act(p_clcb->p_tcb, GATT_SEC_NONE); - } + if (p_clcb && p_clcb->p_tcb) { + if (fixed_queue_is_empty(p_clcb->p_tcb->pending_enc_clcb)) { + gatt_set_sec_act(p_clcb->p_tcb, GATT_SEC_NONE); + } #if (GATTC_INCLUDED == TRUE) - if (!sec_check_ok) { - gatt_end_operation(p_clcb, GATT_AUTH_FAIL, NULL); - } else if (p_clcb->operation == GATTC_OPTYPE_WRITE) { - gatt_act_write(p_clcb, sec_act); - } else if (p_clcb->operation == GATTC_OPTYPE_READ) { - gatt_act_read(p_clcb, p_clcb->counter); - } + if (!sec_check_ok) { + gatt_end_operation(p_clcb, GATT_AUTH_FAIL, NULL); + } else if (p_clcb->operation == GATTC_OPTYPE_WRITE) { + gatt_act_write(p_clcb, sec_act); + } else if (p_clcb->operation == GATTC_OPTYPE_READ) { + gatt_act_read(p_clcb, p_clcb->counter); + } #endif ///GATTC_INCLUDED == TRUE + } } /******************************************************************************* ** 
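Review bot: With the flag update moved inside the `btm_find_dev()` check, `btsnd_hcic_user_conf_reply (bd_addr, TRUE)` is still sent when no device record exists, so a positive numeric-comparison confirmation goes to the controller for a peer the security layer has no record of. If that is intended (the record may be created on a later event), an `else` branch with a trace would make the case visible; if not, the reply should be skipped for an unknown device. The start of BTM_ConfirmReqReply is outside the hunk.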
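Review bot: Wrapping both halves in `if (p_clcb && p_clcb->p_tcb)` changes the failure path: previously a CLCB with a NULL `p_tcb` still had its operation ended with GATT_AUTH_FAIL when `sec_check_ok` was FALSE, now it is left pending. If a CLCB can reach this point without its TCB, split the guard: `if (!p_clcb) { return; }` at the top, then `if (p_clcb->p_tcb && fixed_queue_is_empty(p_clcb->p_tcb->pending_enc_clcb)) {` around `gatt_set_sec_act` only, leaving the `#if (GATTC_INCLUDED == TRUE)` block as it was. Whether gatt_end_operation tolerates a NULL `p_tcb` is outside the hunk.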
diff --git a/components/bt/host/bluedroid/stack/l2cap/l2c_main.c b/components/bt/host/bluedroid/stack/l2cap/l2c_main.c index bb8c603c48..364aac8467 100644 --- a/components/bt/host/bluedroid/stack/l2cap/l2c_main.c +++ b/components/bt/host/bluedroid/stack/l2cap/l2c_main.c @@ -970,8 +970,8 @@ void l2c_process_timeout (TIMER_LIST_ENT *p_tle) if (p_lcb){ p_lcb->conn_update_mask &= ~L2C_BLE_UPDATE_PENDING; p_lcb->conn_update_mask &= ~L2C_BLE_UPDATE_PARAM_FULL; + l2c_send_update_conn_params_cb(p_lcb, status); } - l2c_send_update_conn_params_cb(p_lcb, status); #endif ///BLE_INCLUDED == TRUE break; } From a977434855ca08bd54dcde7d392c9073d8ee616a Mon Sep 17 00:00:00 2001 From: xiongweichao Date: Fri, 12 Nov 2021 16:51:08 +0800 Subject: [PATCH 4/6] already defined in bt_target.h --- components/bt/host/bluedroid/stack/include/stack/l2cdefs.h | 5 ----- 1 file changed, 5 deletions(-) diff --git a/components/bt/host/bluedroid/stack/include/stack/l2cdefs.h b/components/bt/host/bluedroid/stack/include/stack/l2cdefs.h index 56ddfb0df1..61a68f102e 100644 --- a/components/bt/host/bluedroid/stack/include/stack/l2cdefs.h +++ b/components/bt/host/bluedroid/stack/include/stack/l2cdefs.h @@ -257,11 +257,6 @@ #define L2CAP_EXTFEA_EXT_WINDOW 0x00000100 /* Extended Window Size */ #define L2CAP_EXTFEA_UCD_RECEPTION 0x00000200 /* Unicast Connectionless Data Reception */ -/* Mask for locally supported features used in Information Response (default to none) */ -#ifndef L2CAP_EXTFEA_SUPPORTED_MASK -#define L2CAP_EXTFEA_SUPPORTED_MASK 0 -#endif - /* Mask for LE supported features used in Information Response (default to none) */ #ifndef L2CAP_BLE_EXTFEA_MASK #define L2CAP_BLE_EXTFEA_MASK 0 From 97e728a9aac2c03e5d81514e0b9d2a92cbf5dd75 Mon Sep 17 00:00:00 2001 From: xiongweichao Date: Wed, 17 Nov 2021 11:02:03 +0800 Subject: [PATCH 5/6] Dereference null return value --- components/bt/host/bluedroid/stack/btm/btm_pm.c | 3 +++ 1 file changed, 3 insertions(+) 
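Review bot: Dropping the `#ifndef L2CAP_EXTFEA_SUPPORTED_MASK` fallback makes l2cdefs.h rely on bt_target.h being included first in every translation unit that uses the mask; the commit message says the definition lives there, but nothing in this header enforces it. Replacing the removed block with `#ifndef L2CAP_EXTFEA_SUPPORTED_MASK` / `#error "L2CAP_EXTFEA_SUPPORTED_MASK must come from bt_target.h"` / `#endif` would turn a silent misconfiguration into a build error instead of an undefined identifier at the first use.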
diff --git a/components/bt/host/bluedroid/stack/btm/btm_pm.c b/components/bt/host/bluedroid/stack/btm/btm_pm.c index 7f7cc14ebd..77d662c442 100644 --- a/components/bt/host/bluedroid/stack/btm/btm_pm.c +++ b/components/bt/host/bluedroid/stack/btm/btm_pm.c @@ -709,6 +709,9 @@ void btm_pm_proc_cmd_status(UINT8 status) p_acl_cb = btm_handle_to_acl(btm_cb.pm_pend_link_hdl); + if (p_acl_cb == NULL) { + return; + } p_cb = p_acl_cb->p_pm_mode_db; if (status == HCI_SUCCESS) { From 92a4cdd7fd298de740cbe7a275a83335964be87f Mon Sep 17 00:00:00 2001 From: xiongweichao Date: Wed, 17 Nov 2021 11:15:15 +0800 Subject: [PATCH 6/6] Missing break in switch --- components/bt/host/bluedroid/btc/core/btc_dm.c | 1 + 1 file changed, 1 insertion(+) diff --git a/components/bt/host/bluedroid/btc/core/btc_dm.c b/components/bt/host/bluedroid/btc/core/btc_dm.c index 1f9c761959..ae020c61ab 100644 --- a/components/bt/host/bluedroid/btc/core/btc_dm.c +++ b/components/bt/host/bluedroid/btc/core/btc_dm.c @@ -395,6 +395,7 @@ static void btc_dm_auth_cmpl_evt (tBTA_DM_AUTH_CMPL *p_auth_cmpl) break; default: status = BT_STATUS_FAIL; + break; } } #if (BTC_GAP_BT_INCLUDED == TRUE)
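Review bot: Returning early when `btm_handle_to_acl(btm_cb.pm_pend_link_hdl)` yields NULL avoids the crash, but this command status belongs to a pending power-mode request, and the pending-link bookkeeping around `pm_pend_link_hdl` is left as it was; the rest of btm_pm_proc_cmd_status, which is outside the hunk, presumably clears it. If so, a later request may never be issued because the module still believes one is in flight. Clearing the pending state before the `return;`, and adding a trace so the lost status is visible, keeps the state machine consistent.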