Bluetooth: controller: Fix AD data size overflow check

pdu->len is only 8 bits and CONFIG_BT_CTLR_ADV_DATA_LEN_MAX can be upto 1650 bytes. Fix the implementation to use 16 bit auto variable to check AD data length overflow. Signed-off-by: Vinayak Kariappa Chettimada <vich@nordicsemi.no>
2020-11-09 10:05:21 +05:30 · 2020-11-09 10:05:21 +05:30 · 59888103d2
commit 59888103d2
parent c4cb838964
2 changed files with 14 additions and 8 deletions
--- a/subsys/bluetooth/controller/ll_sw/ull_adv_aux.c
+++ b/subsys/bluetooth/controller/ll_sw/ull_adv_aux.c
@ -421,9 +421,9 @@ uint8_t ull_adv_aux_hdr_set_clear(struct ll_adv_set *adv,
 	struct pdu_adv_com_ext_adv *sec_com_hdr, *sec_com_hdr_prev;
 	struct pdu_adv_hdr *pri_hdr, pri_hdr_prev;
 	struct pdu_adv_hdr *sec_hdr, sec_hdr_prev;
+	uint16_t pri_len, sec_len, sec_len_prev;
 	struct pdu_adv *pri_pdu, *pri_pdu_prev;
 	struct pdu_adv *sec_pdu_prev, *sec_pdu;
-	uint8_t pri_len, sec_len, sec_len_prev;
 	uint8_t *pri_dptr, *pri_dptr_prev;
 	uint8_t *sec_dptr, *sec_dptr_prev;
 	struct lll_adv_aux *lll_aux;
@ -663,15 +663,18 @@ uint8_t ull_adv_aux_hdr_set_clear(struct ll_adv_set *adv,
 		ad_data = sec_dptr_prev;
 	}

-	/* set the secondary PDU len */
-	sec_pdu->len = sec_len + ad_len;
+	/* Add AD len to secondary PDU length */
+	sec_len += ad_len;

 	/* Check AdvData overflow */
-	if (sec_pdu->len > PDU_AC_PAYLOAD_SIZE_MAX) {
+	if (sec_len > PDU_AC_PAYLOAD_SIZE_MAX) {
 		/* FIXME: release allocations */
 		return BT_HCI_ERR_PACKET_TOO_LONG;
 	}

+	/* set the secondary PDU len */
+	sec_pdu->len = sec_len;
+
 	/* Start filling pri and sec PDU payload based on flags from here
 	 * ==============================================================
 	 */
--- a/subsys/bluetooth/controller/ll_sw/ull_adv_sync.c
+++ b/subsys/bluetooth/controller/ll_sw/ull_adv_sync.c
@ -170,8 +170,8 @@ uint8_t ll_adv_sync_ad_data_set(uint8_t handle, uint8_t op, uint8_t len,
 	struct pdu_adv_com_ext_adv *ter_com_hdr, *ter_com_hdr_prev;
 	struct pdu_adv_hdr *ter_hdr, ter_hdr_prev;
 	struct pdu_adv *ter_pdu, *ter_pdu_prev;
-	uint8_t ter_len, ter_len_prev;
 	uint8_t *ter_dptr, *ter_dptr_prev;
+	uint16_t ter_len, ter_len_prev;
 	struct lll_adv_sync *lll_sync;
 	struct ll_adv_set *adv;
 	uint8_t ter_idx;
@ -246,14 +246,17 @@ uint8_t ll_adv_sync_ad_data_set(uint8_t handle, uint8_t op, uint8_t len,
 	ter_len = ull_adv_aux_hdr_len_calc(ter_com_hdr, &ter_dptr);
 	ull_adv_aux_hdr_len_fill(ter_com_hdr, ter_len);

-	/* Set the tertiary PDU len */
-	ter_pdu->len = ter_len + len;
+	/* Add AD len to secondary PDU length */
+	ter_len += len;

 	/* Check AdvData overflow */
-	if (ter_pdu->len > CONFIG_BT_CTLR_ADV_DATA_LEN_MAX) {
+	if (ter_len > PDU_AC_PAYLOAD_SIZE_MAX) {
 		return BT_HCI_ERR_PACKET_TOO_LONG;
 	}

+	/* set the secondary PDU len */
+	ter_pdu->len = ter_len;
+
 	/* Start filling tertiary PDU payload based on flags from here
 	 * ==============================================================
 	 */