Bluetooth: controller: Fix HCI ISO header RFU bit masking

Mask out RFU bits in HCI ISO header to prevent set RFU bits leaking into
length values.

Signed-off-by: Morten Priess <mtpr@oticon.com>
Morten Priess 2023-07-06 16:14:31 +02:00 committed by Carles Cufí
commit 856e555b51
2 changed files with 6 additions and 5 deletions


@ -84,13 +84,13 @@ struct bt_hci_acl_hdr {
#define BT_ISO_DATA_INVALID 0x01
#define BT_ISO_DATA_NOP 0x02
#define bt_iso_pkt_len(h) ((h) & 0x3fff)
#define bt_iso_pkt_len(h) ((h) & BIT_MASK(12))
#define bt_iso_pkt_flags(h) ((h) >> 14)
#define bt_iso_pkt_len_pack(h, f) ((h) | ((f) << 14))
#define bt_iso_pkt_len_pack(h, f) (((h) & BIT_MASK(12)) | ((f) << 14))
struct bt_hci_iso_data_hdr {
uint16_t sn;
uint16_t slen;
uint16_t slen; /* 12 bit len, 2 bit RFU, 2 bit packet status */
} __packed;
#define BT_HCI_ISO_DATA_HDR_SIZE 4
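Review bot: `bt_iso_pkt_len_pack` now masks the length operand but still shifts `f` unmasked, and a length above 4095 is truncated silently rather than rejected. Given the layout stated in the new comment on `slen` (12 bit len, 2 bit RFU, 2 bit packet status), the flag operand could be bounded the same way: `#define bt_iso_pkt_len_pack(h, f) (((h) & BIT_MASK(12)) | (((f) & BIT_MASK(2)) << 14))`. The literal 12 now appears in both the unpack and the pack macro; a named width constant beside them would keep the two sides in step. Callers that relied on the previous 14-bit mask in `bt_iso_pkt_len` are outside this section, so whether any of them needs a range check before packing cannot be confirmed from here.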


@ -5666,7 +5666,7 @@ int hci_iso_handle(struct net_buf *buf, struct net_buf **evt)
iso_hdr = net_buf_pull_mem(buf, sizeof(*iso_hdr));
handle = sys_le16_to_cpu(iso_hdr->handle);
len = sys_le16_to_cpu(iso_hdr->len);
len = bt_iso_hdr_len(sys_le16_to_cpu(iso_hdr->len));
if (buf->len < len) {
LOG_ERR("Invalid HCI ISO packet length");
@ -5706,7 +5706,8 @@ int hci_iso_handle(struct net_buf *buf, struct net_buf **evt)
iso_data_hdr = net_buf_pull_mem(buf, sizeof(*iso_data_hdr));
len -= sizeof(*iso_data_hdr);
sdu_frag_tx.packet_sn = sys_le16_to_cpu(iso_data_hdr->sn);
sdu_frag_tx.iso_sdu_length = sys_le16_to_cpu(iso_data_hdr->slen);
sdu_frag_tx.iso_sdu_length =
sys_le16_to_cpu(bt_iso_pkt_len(iso_data_hdr->slen));
} else {
sdu_frag_tx.packet_sn = 0;
sdu_frag_tx.iso_sdu_length = 0;
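Review bot: In the second hunk the mask is applied before the byte-order conversion, `sys_le16_to_cpu(bt_iso_pkt_len(iso_data_hdr->slen))`, whereas the first hunk converts first and masks second. On a little-endian target both orders give the same value, but on a big-endian build the mask would be applied to the byte-swapped field, so RFU or status bits could still reach `iso_sdu_length` and part of the length would be lost. Swapping the calls makes the two sites consistent: `sdu_frag_tx.iso_sdu_length = bt_iso_pkt_len(sys_le16_to_cpu(iso_data_hdr->slen));`. The definition of `bt_iso_hdr_len` and the rest of `hci_iso_handle` lie outside the visible hunks.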