From 5a8b143028c7e2fad03827e8ac4458a5a8661e3b Mon Sep 17 00:00:00 2001
From: Johan Hedberg
Date: Tue, 26 Nov 2019 15:15:51 +0200
Subject: [PATCH] Bluetooth: host: Fix command buffer corruption

A recent patch increased struct cmd_data from 8 to 12 bytes, which is more than the default user data for Bluetooth. We generally don't want the core stack to require more than 8, so instead of increasing the requirement, move the data out from the buffer into its own array with the help of the net_buf_id() API.

Signed-off-by: Johan Hedberg
---
 subsys/bluetooth/host/hci_core.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/subsys/bluetooth/host/hci_core.c b/subsys/bluetooth/host/hci_core.c
index 1af882d04f2..f99f4af8e99 100644
--- a/subsys/bluetooth/host/hci_core.c
+++ b/subsys/bluetooth/host/hci_core.c
@@ -115,9 +115,6 @@ void cmd_state_set_init(struct cmd_state_set *state, atomic_t *target, int bit,
 }
 
 struct cmd_data {
- /** BT_BUF_CMD */
- u8_t type;
-
 /** HCI status of the command completion */
 u8_t status;
 
@@ -142,7 +139,9 @@ struct acl_data {
 u16_t handle;
 };
 
-#define cmd(buf) ((struct cmd_data *)net_buf_user_data(buf))
+static struct cmd_data cmd_data[CONFIG_BT_HCI_CMD_COUNT];
+
+#define cmd(buf) (&cmd_data[net_buf_id(buf)])
 #define acl(buf) ((struct acl_data *)net_buf_user_data(buf))
 
 /* HCI command buffers. Derive the needed size from BT_BUF_RX_SIZE since
@@ -288,7 +287,8 @@ struct net_buf *bt_hci_cmd_create(u16_t opcode, u8_t param_len)
 
 net_buf_reserve(buf, BT_BUF_RESERVE);
 
- cmd(buf)->type = BT_BUF_CMD;
+ bt_buf_set_type(buf, BT_BUF_CMD);
+
 cmd(buf)->opcode = opcode;
 cmd(buf)->sync = NULL;
 cmd(buf)->state = NULL;
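Review bot: The new `cmd(buf)` macro is only safe for buffers allocated from the HCI command pool, because `net_buf_id(buf)` is an index within the buffer's own pool and `cmd_data` is sized by `CONFIG_BT_HCI_CMD_COUNT`; applied to a buffer from any other pool it indexes past the array or aliases another command's slot, which is the same silent corruption this commit is fixing, just moved. Nothing in the hunk documents or checks that invariant, and the old `net_buf_user_data()` form had no such restriction, so existing or future callers that pass an RX buffer would not be caught. Please add a comment above the define, e.g. `/* Only valid for buffers from the HCI command pool: net_buf_id() is the index into cmd_data. */`, and consider a debug-build assertion on the index being below `CONFIG_BT_HCI_CMD_COUNT` before it is used. It is also worth a comment that the command pool must be declared with the same `CONFIG_BT_HCI_CMD_COUNT` so the array and pool sizes cannot drift apart.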
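Review bot: With `cmd_data` now a static array, a slot is reused every time the same pool buffer is re-allocated, but `bt_hci_cmd_create` here only initialises `opcode`, `sync` and `state`; the `status` field (and any other field of `struct cmd_data` not visible in this hunk) keeps whatever the previous command left in it. If the old per-buffer user data was being zeroed on allocation (not verifiable from this patch), that reset is lost. Unless `status` is guaranteed to be written before anyone reads it, add `cmd(buf)->status = 0;` alongside the other initialisers, or `memset(cmd(buf), 0, sizeof(*cmd(buf)));` before them. The start of `bt_hci_cmd_create` and its allocation path lie outside the hunk.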