From 7a3e29af06e152b3e96da374aaa36fd5daa151ed Mon Sep 17 00:00:00 2001
From: Vinayak Kariappa Chettimada
Date: Thu, 20 Feb 2020 14:27:06 +0530
Subject: [PATCH] Bluetooth: controller: legacy: Fix Tx pool corruption

Fix Tx pool from being corrupted when rough central device uses invalid packet sequence numbers, causing NULL pointer to be released into free data Tx pool.

Fixes #22968.

Signed-off-by: Vinayak Kariappa Chettimada
---
 subsys/bluetooth/controller/ll_sw/ctrl.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/subsys/bluetooth/controller/ll_sw/ctrl.c b/subsys/bluetooth/controller/ll_sw/ctrl.c
index 62a0a4fdde1..6a7796a1868 100644
--- a/subsys/bluetooth/controller/ll_sw/ctrl.c
+++ b/subsys/bluetooth/controller/ll_sw/ctrl.c
@@ -3663,6 +3663,7 @@ isr_rx_conn_pkt(struct radio_pdu_node_rx *node_rx,
 	/* Ack for transmitted data */
 	pdu_data_rx = (void *)node_rx->pdu_data;
 	if (pdu_data_rx->nesn != _radio.conn_curr->sn) {
+		struct radio_pdu_node_tx *node_tx;
 
 		/* Increment serial number */
 		_radio.conn_curr->sn++;
@@ -3674,11 +3675,16 @@ isr_rx_conn_pkt(struct radio_pdu_node_rx *node_rx,
 			_radio.conn_curr->slave.latency_enabled = 1U;
 		}
 
-		if (_radio.conn_curr->empty == 0) {
-			struct radio_pdu_node_tx *node_tx;
+		if (!_radio.conn_curr->empty) {
+			node_tx = _radio.conn_curr->pkt_tx_head;
+		} else {
+			_radio.conn_curr->empty = 0U;
+			node_tx = NULL;
+		}
+
+		if (node_tx) {
 			u8_t pdu_data_tx_len;
 
-			node_tx = _radio.conn_curr->pkt_tx_head;
 			pdu_data_tx = (void *)(node_tx->pdu_data +
 				_radio.conn_curr->packet_tx_head_offset);
 
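Review bot: The new `if (node_tx)` guard in the second hunk now silently absorbs the `!empty` with `pkt_tx_head == NULL` state that the old code assumed could not occur, but nothing at that point says why the head can be NULL, so a later reader may fold the two branches back into the original unconditional dereference and release. A comment above the guard would pin the reasoning, e.g. `/* pkt_tx_head is NULL when the peer's NESN acks a PDU we never queued (invalid sequence numbers from a misbehaving central); skip so NULL is never released into the Tx pool. */`. Since that state is, as far as the hunk shows, only reachable through peer-controlled input, a diagnostic count or log when `!_radio.conn_curr->empty` yields a NULL head would make such a peer observable to the host instead of invisible; whether the controller already has a suitable counter cannot be told from here. The `+=` line wrap and the removal of the old `else` in the third hunk are part of the same change and need no separate note. isr_rx_conn_pkt begins before the first hunk and continues past the last.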
@@ -3696,13 +3702,12 @@ isr_rx_conn_pkt(struct radio_pdu_node_rx *node_rx,
 			}
 		}
 
-		_radio.conn_curr->packet_tx_head_offset += pdu_data_tx_len;
+		_radio.conn_curr->packet_tx_head_offset +=
+			pdu_data_tx_len;
 		if (_radio.conn_curr->packet_tx_head_offset ==
 		    _radio.conn_curr->packet_tx_head_len) {
 			*tx_release = isr_rx_conn_pkt_release(node_tx);
 		}
-		} else {
-			_radio.conn_curr->empty = 0U;
 		}
 #if defined(CONFIG_BT_CTLR_TX_RETRY_DISABLE)
 	} else if (_radio.packet_counter != 1) {