kopia lustrzana https://github.com/espressif/esp-idf
bt: Fixed the problem of out-of-bounds access caused by the variable-length array introduced in 3268075231
Closes https://github.com/espressif/esp-idf/issues/11264
pull/12186/head
rodzic
e3263ad608
commit
074f0ad41c
|
@ -112,6 +112,14 @@ do {
|
|||
hf_local_param[idx].btc_hf_cb.num_active = 0; \
|
||||
hf_local_param[idx].btc_hf_cb.num_held = 0;
|
||||
|
||||
#define CHECK_HF_IDX(idx) \
|
||||
do { \
|
||||
if ((idx < 0) || (idx >= BTC_HF_NUM_CB)) { \
|
||||
BTC_TRACE_ERROR("%s: Invalid index %d", __FUNCTION__, idx); \
|
||||
return; \
|
||||
} \
|
||||
} while (0)
|
||||
|
||||
/************************************************************************************
|
||||
** Static Function
|
||||
************************************************************************************/
|
||||
|
@ -1201,19 +1209,9 @@ void btc_hf_cb_handler(btc_msg_t *msg)
|
|||
tBTA_AG *p_data = (tBTA_AG *)msg->arg;
|
||||
esp_hf_cb_param_t param;
|
||||
bdstr_t bdstr;
|
||||
int idx;
|
||||
|
||||
if (p_data == NULL) {
|
||||
idx = BTC_HF_INVALID_IDX;
|
||||
} else {
|
||||
idx = p_data->hdr.handle - 1;
|
||||
}
|
||||
int idx = BTC_HF_INVALID_IDX;
|
||||
|
||||
BTC_TRACE_DEBUG("%s: event = %s", __FUNCTION__, dump_hf_event(event));
|
||||
if ((idx < 0) || (idx >= BTC_HF_NUM_CB)) {
|
||||
BTC_TRACE_ERROR("%s: Invalid index %d", __FUNCTION__, idx);
|
||||
return;
|
||||
}
|
||||
|
||||
switch (event) {
|
||||
case BTA_AG_ENABLE_EVT:
|
||||
|
@ -1222,6 +1220,8 @@ void btc_hf_cb_handler(btc_msg_t *msg)
|
|||
|
||||
case BTA_AG_REGISTER_EVT:
|
||||
{
|
||||
idx = p_data->hdr.handle - 1;
|
||||
CHECK_HF_IDX(idx);
|
||||
hf_local_param[idx].btc_hf_cb.handle = p_data->reg.hdr.handle;
|
||||
BTC_TRACE_DEBUG("%s: BTA_AG_REGISTER_EVT," "hf_local_param[%d].btc_hf_cb.handle = %d",
|
||||
__FUNCTION__, idx, hf_local_param[idx].btc_hf_cb.handle);
|
||||
|
@ -1230,6 +1230,8 @@ void btc_hf_cb_handler(btc_msg_t *msg)
|
|||
|
||||
case BTA_AG_OPEN_EVT:
|
||||
{
|
||||
idx = p_data->hdr.handle - 1;
|
||||
CHECK_HF_IDX(idx);
|
||||
if (p_data->open.status == BTA_AG_SUCCESS)
|
||||
{
|
||||
bdcpy(hf_local_param[idx].btc_hf_cb.connected_bda.address, p_data->open.bd_addr);
|
||||
|
@ -1265,6 +1267,8 @@ void btc_hf_cb_handler(btc_msg_t *msg)
|
|||
|
||||
case BTA_AG_CONN_EVT:
|
||||
{
|
||||
idx = p_data->hdr.handle - 1;
|
||||
CHECK_HF_IDX(idx);
|
||||
clock_gettime(CLOCK_MONOTONIC, &(hf_local_param[idx].btc_hf_cb.connected_timestamp));
|
||||
BTC_TRACE_DEBUG("%s: BTA_AG_CONN_EVT, idx = %d ", __FUNCTION__, idx);
|
||||
hf_local_param[idx].btc_hf_cb.peer_feat = p_data->conn.peer_feat;
|
||||
|
@ -1286,6 +1290,8 @@ void btc_hf_cb_handler(btc_msg_t *msg)
|
|||
|
||||
case BTA_AG_CLOSE_EVT:
|
||||
{
|
||||
idx = p_data->hdr.handle - 1;
|
||||
CHECK_HF_IDX(idx);
|
||||
hf_local_param[idx].btc_hf_cb.connected_timestamp.tv_sec = 0;
|
||||
hf_local_param[idx].btc_hf_cb.connection_state = ESP_HF_CONNECTION_STATE_DISCONNECTED;
|
||||
BTC_TRACE_DEBUG("%s: BTA_AG_CLOSE_EVT," "hf_local_param[%d].btc_hf_cb.handle = %d", __FUNCTION__,
|
||||
|
@ -1307,6 +1313,8 @@ void btc_hf_cb_handler(btc_msg_t *msg)
|
|||
|
||||
case BTA_AG_AUDIO_OPEN_EVT:
|
||||
{
|
||||
idx = p_data->hdr.handle - 1;
|
||||
CHECK_HF_IDX(idx);
|
||||
do {
|
||||
memset(¶m, 0, sizeof(esp_hf_cb_param_t));
|
||||
param.audio_stat.state = ESP_HF_AUDIO_STATE_CONNECTED;
|
||||
|
@ -1318,6 +1326,8 @@ void btc_hf_cb_handler(btc_msg_t *msg)
|
|||
|
||||
case BTA_AG_AUDIO_MSBC_OPEN_EVT:
|
||||
{
|
||||
idx = p_data->hdr.handle - 1;
|
||||
CHECK_HF_IDX(idx);
|
||||
do {
|
||||
memset(¶m, 0, sizeof(esp_hf_cb_param_t));
|
||||
param.audio_stat.state = ESP_HF_AUDIO_STATE_CONNECTED_MSBC;
|
||||
|
@ -1328,6 +1338,8 @@ void btc_hf_cb_handler(btc_msg_t *msg)
|
|||
}
|
||||
case BTA_AG_AUDIO_CLOSE_EVT:
|
||||
{
|
||||
idx = p_data->hdr.handle - 1;
|
||||
CHECK_HF_IDX(idx);
|
||||
do {
|
||||
memset(¶m, 0, sizeof(esp_hf_cb_param_t));
|
||||
param.audio_stat.state = ESP_HF_AUDIO_STATE_DISCONNECTED;
|
||||
|
@ -1339,6 +1351,8 @@ void btc_hf_cb_handler(btc_msg_t *msg)
|
|||
|
||||
case BTA_AG_AT_BVRA_EVT:
|
||||
{
|
||||
idx = p_data->hdr.handle - 1;
|
||||
CHECK_HF_IDX(idx);
|
||||
do {
|
||||
memset(¶m, 0, sizeof(esp_hf_cb_param_t));
|
||||
param.vra_rep.value = p_data->val.num;
|
||||
|
@ -1456,6 +1470,8 @@ void btc_hf_cb_handler(btc_msg_t *msg)
|
|||
case BTA_AG_AT_BINP_EVT:
|
||||
case BTA_AG_AT_BTRH_EVT:
|
||||
{
|
||||
idx = p_data->hdr.handle - 1;
|
||||
CHECK_HF_IDX(idx);
|
||||
tBTA_AG_RES_DATA ag_res;
|
||||
memset(&ag_res, 0, sizeof(ag_res));
|
||||
ag_res.ok_flag = BTA_AG_OK_ERROR;
|
||||
|
@ -1466,6 +1482,8 @@ void btc_hf_cb_handler(btc_msg_t *msg)
|
|||
|
||||
case BTA_AG_AT_BAC_EVT:
|
||||
{
|
||||
idx = p_data->hdr.handle - 1;
|
||||
CHECK_HF_IDX(idx);
|
||||
BTC_TRACE_DEBUG("AG Bitmap of peer-codecs %d", p_data->val.num);
|
||||
#if (BTM_WBS_INCLUDED == TRUE)
|
||||
/* If the peer supports mSBC and the BTC prefferred codec is also mSBC, then
|
||||
|
|
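Review bot: In the hunk at new line 1209 of btc_hf_cb_handler the `p_data == NULL` branch is dropped, yet every case the commit touches now begins with `idx = p_data->hdr.handle - 1;`, so a message whose `arg` is NULL would be dereferenced where the old code logged an invalid index and returned. If a NULL `arg` is not legitimate for any event, a guard before the `switch` such as `if (p_data == NULL) { BTC_TRACE_ERROR("%s: NULL event data", __FUNCTION__); return; }` keeps that behaviour; otherwise the NULL test belongs with the per-case index derivation. The bounds check is also now opt-in per case and `idx` starts as `BTC_HF_INVALID_IDX`, so any case outside the visible hunks that indexes `hf_local_param[idx]` without the two added lines would access the array out of bounds; those cases are not shown here and are worth confirming. `CHECK_HF_IDX` hides a `return` and leaves `idx` unparenthesised in its expansion, so a short comment on the macro stating that it exits the enclosing void function would help the next reader.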