From 6e2dea3e41b71e4f3cd841f5d0db05eb3776214f Mon Sep 17 00:00:00 2001 From: Morten Priess Date: Fri, 1 Apr 2022 15:29:51 +0200 Subject: [PATCH] Bluetooth: controller: Reject CIS_REQ with invalid PHY Send LL_REJECT_EXT_IND if a LL_CIS_REQ was recevied with invalid PHY specification. Fixes EBQ tests: /LL/CIS/PER/BI-02-C /LL/CIS/PER/BI-03-C /LL/CIS/PER/BI-05-C /LL/CIS/PER/BI-06-C Signed-off-by: Morten Priess --- subsys/bluetooth/controller/ll_sw/ull_conn.c | 35 ++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/subsys/bluetooth/controller/ll_sw/ull_conn.c b/subsys/bluetooth/controller/ll_sw/ull_conn.c index e3b747405e0..cdbe59514bb 100644 --- a/subsys/bluetooth/controller/ll_sw/ull_conn.c +++ b/subsys/bluetooth/controller/ll_sw/ull_conn.c @@ -6445,8 +6445,43 @@ static uint8_t cis_req_recv(struct ll_conn *conn, memq_link_t *link, struct node_rx_conn_iso_req *conn_iso_req; uint16_t cis_handle; uint8_t err; + uint8_t phy; void *node; + phy = req->c_phy; + + /* Check reqested PHYs. Returning BT_HCI_ERR_INVALID_LL_PARAM shall invoke + * sending of LL_REJECT_EXT_IND. + */ + for (uint8_t i = 0; i < 2; i++) { + /* Fail on multiple PHY specified */ + if (util_ones_count_get(&phy, sizeof(phy)) > 1U) { + return BT_HCI_ERR_INVALID_LL_PARAM; + } + + /* Fail on no PHY specified */ + if (util_ones_count_get(&phy, sizeof(phy)) == 0U) { + return BT_HCI_ERR_INVALID_LL_PARAM; + } + + /* Fail on unsupported PHY specified */ + if (((phy & PHY_2M) && + !(conn->llcp_feature.features_conn & BIT64(BT_LE_FEAT_BIT_PHY_2M))) || + ((phy & PHY_CODED) && + !(conn->llcp_feature.features_conn & BIT64(BT_LE_FEAT_BIT_PHY_CODED)))) { + return BT_HCI_ERR_INVALID_LL_PARAM; + } + + phy &= ~(PHY_1M|PHY_2M|PHY_CODED); + + /* Fail on RFU bits specified */ + if (util_ones_count_get(&phy, sizeof(phy))) { + return BT_HCI_ERR_INVALID_LL_PARAM; + } + + phy = req->p_phy; + } + conn->llcp_cis.cig_id = req->cig_id; conn->llcp_cis.cis_offset_min = sys_get_le24(req->cis_offset_min); conn->llcp_cis.cis_offset_max = sys_get_le24(req->cis_offset_max);