michaelh/zephyr
1
0
Fork 0
Code Releases Activity

Bluetooth: controller: Fix HCI ISO header RFU bit masking

Browse source 
Mask out RFU bits in HCI ISO header to prevent set RFU bits leaking into
length values.

Signed-off-by: Morten Priess <mtpr@oticon.com>
This commit is contained in:
Morten Priess 2023-07-06 16:14:31 +02:00 committed by Carles Cufí
commit 856e555b51
2 changed files with 6 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

5
subsys/bluetooth/controller/hci/hci.c
View file

@ -5666,7 +5666,7 @@ int hci_iso_handle(struct net_buf *buf, struct net_buf **evt)
iso_hdr = net_buf_pull_mem(buf, sizeof(*iso_hdr));
handle = sys_le16_to_cpu(iso_hdr->handle);
len = sys_le16_to_cpu(iso_hdr->len);
len = bt_iso_hdr_len(sys_le16_to_cpu(iso_hdr->len));
if (buf->len < len) {
LOG_ERR("Invalid HCI ISO packet length");
@ -5706,7 +5706,8 @@ int hci_iso_handle(struct net_buf *buf, struct net_buf **evt)
iso_data_hdr = net_buf_pull_mem(buf, sizeof(*iso_data_hdr));
len -= sizeof(*iso_data_hdr);
sdu_frag_tx.packet_sn = sys_le16_to_cpu(iso_data_hdr->sn);
sdu_frag_tx.iso_sdu_length = sys_le16_to_cpu(iso_data_hdr->slen);
sdu_frag_tx.iso_sdu_length =
sys_le16_to_cpu(bt_iso_pkt_len(iso_data_hdr->slen));
} else {
sdu_frag_tx.packet_sn = 0;
sdu_frag_tx.iso_sdu_length = 0;