Bluetooth: Controller: Fix failing LL/DDI/SCN/BV-88-C

Fixes failing EBQ test LL/DDI/SCN/BV-88-C Extended Scanning, Active, Properly Ignore RFU Fields Several minor modifications made to le_ext_adv_report() to properly ignore any invalid fields present in the received PDUs Signed-off-by: Troels Nilsson <trnn@demant.com>
2023-10-31 16:50:15 +01:00 · 2023-10-31 16:50:15 +01:00 · 3c9d952820
commit 3c9d952820
parent c914c512a0
1 changed files with 71 additions and 52 deletions
--- a/subsys/bluetooth/controller/hci/hci.c
+++ b/subsys/bluetooth/controller/hci/hci.c
@ -6959,6 +6959,9 @@ static void le_ext_adv_report(struct pdu_data *pdu_data,
 		ptr = h->data;

 		if (h->adv_addr) {
+			/* AdvA is RFU in AUX_CHAIN_IND */
+			if (node_rx_curr == node_rx ||
+			    node_rx_curr == node_rx->hdr.rx_ftr.extra) {
 				bt_addr_le_t addr;

 				adv_addr_type_curr = adv->tx_addr;
@ -6966,12 +6969,17 @@ static void le_ext_adv_report(struct pdu_data *pdu_data,

 				addr.type = adv->tx_addr;
 				(void)memcpy(addr.a.val, ptr, sizeof(bt_addr_t));
-			ptr += BDADDR_SIZE;

 				LOG_DBG("    AdvA: %s", bt_addr_le_str(&addr));
 			}

+			ptr += BDADDR_SIZE;
+		}
+
 		if (h->tgt_addr) {
+			/* TargetA is RFU in AUX_CHAIN_IND */
+			if (node_rx_curr == node_rx ||
+			    node_rx_curr == node_rx->hdr.rx_ftr.extra) {
 				struct lll_scan *lll;
 				bt_addr_le_t addr;

@ -6992,7 +7000,6 @@ static void le_ext_adv_report(struct pdu_data *pdu_data,
 #endif /* !CONFIG_BT_CTLR_EXT_SCAN_FP */

 				direct_addr_curr = ptr;
-			ptr += BDADDR_SIZE;

 				addr.type = adv->rx_addr;
 				(void)memcpy(addr.a.val, direct_addr_curr,
@ -7001,6 +7008,9 @@ static void le_ext_adv_report(struct pdu_data *pdu_data,
 				LOG_DBG("    TgtA: %s", bt_addr_le_str(&addr));
 			}

+			ptr += BDADDR_SIZE;
+		}
+
 		if (h->adi) {
 			adi_curr = (void *)ptr;

@ -7012,6 +7022,10 @@ static void le_ext_adv_report(struct pdu_data *pdu_data,

 		if (h->aux_ptr) {
 			struct pdu_adv_aux_ptr *aux_ptr;
+
+			/* AuxPtr is RFU for connectable or scannable AUX_ADV_IND */
+			if (node_rx_curr != node_rx->hdr.rx_ftr.extra ||
+			    evt_type_curr == 0U) {
 				uint8_t aux_phy;

 				aux_ptr = (void *)ptr;
@ -7030,16 +7044,20 @@ static void le_ext_adv_report(struct pdu_data *pdu_data,
 					return;
 				}

-			ptr += sizeof(*aux_ptr);

-			sec_phy_curr = HCI_AUX_PHY_TO_HCI_PHY(PDU_ADV_AUX_PTR_PHY_GET(aux_ptr));
+				sec_phy_curr = HCI_AUX_PHY_TO_HCI_PHY(
+					PDU_ADV_AUX_PTR_PHY_GET(aux_ptr));

 				aux_phy = BIT(PDU_ADV_AUX_PTR_PHY_GET(aux_ptr));

 				LOG_DBG("    AuxPtr chan_idx = %u, ca = %u, offs_units "
 				       "= %u offs = 0x%x, phy = 0x%x",
 				       aux_ptr->chan_idx, aux_ptr->ca,
-			       aux_ptr->offs_units, PDU_ADV_AUX_PTR_OFFSET_GET(aux_ptr), aux_phy);
+				       aux_ptr->offs_units, PDU_ADV_AUX_PTR_OFFSET_GET(aux_ptr),
+				       aux_phy);
+			}
+
+			ptr += sizeof(*aux_ptr);
 		}

 		if (h->sync_info) {
@ -7120,9 +7138,10 @@ no_ext_hdr:
 			adi = adi_curr;
 			sec_phy = sec_phy_curr;
 			node_rx_data = node_rx_curr;
-			data_len = data_len_curr;
-			data_len_total = data_len;
-			data = data_curr;
+			/* Adv data in ADV_EXT_IND is RFU */
+			data_len = 0U;
+			data_len_total = 0U;
+			data = NULL;
 			scan_data_len_total = 0U;
 			tx_pwr = tx_pwr_curr;