From 896619ad40753126a8cb029954f95ffa6940f6b4 Mon Sep 17 00:00:00 2001
From: Joakim Andersson <joerchan@gmail.com>
Date: Thu, 19 Dec 2019 15:46:26 +0100
Subject: [PATCH] Bluetooth: controller: Fix controller address check

Fix controllers address check in cases of controller-based privacy.
When controller has been instructed by the host to use privacy
the controller should look up the peer identity address and generate
an address based on the local IRK. In the case where no match
is found or the local IRK is all zeroes the controller shall use
the fallback address. If the fallback address is not valid the
controller shall return invalid params.

This commit fixes these issues:
 - Starting a private advertiser without valid random address set
   but a valid local IRK exists. In this case the advertiser should
   be able to advertise using the RPA regardless of a valid random
   or public address.
 - Starting a private advertiser with a fallback to the public
   address type or an adveriser using public address  does not
   check if a valid public address exists. The host cannot
   advertise with an all-zero public address.

Signed-off-by: Joakim Andersson <joerchan@gmail.com>
---
 subsys/bluetooth/controller/ll_sw/ull_adv.c | 33 +++++++++++++--------
 1 file changed, 21 insertions(+), 12 deletions(-)

diff --git a/subsys/bluetooth/controller/ll_sw/ull_adv.c b/subsys/bluetooth/controller/ll_sw/ull_adv.c
index ad99b6c772d..cfa5de5e6d0 100644
--- a/subsys/bluetooth/controller/ll_sw/ull_adv.c
+++ b/subsys/bluetooth/controller/ll_sw/ull_adv.c
@@ -452,12 +452,6 @@ u8_t ll_adv_enable(u8_t enable)
 #endif /* CONFIG_BT_CTLR_TX_PWR_DYNAMIC_CONTROL */
 
 	pdu_adv = lll_adv_data_peek(lll);
-	if (pdu_adv->tx_addr) {
-		if (!mem_nz(ll_addr_get(1, NULL), BDADDR_SIZE)) {
-			return BT_HCI_ERR_INVALID_PARAM;
-		}
-	}
-
 	pdu_scan = lll_adv_scan_rsp_peek(lll);
 
 	if (0) {
@@ -474,8 +468,14 @@ u8_t ll_adv_enable(u8_t enable)
 
 		/* AdvA, fill here at enable */
 		if (h->adv_addr) {
-			memcpy(ptr, ll_addr_get(pdu_adv->tx_addr, NULL),
-			       BDADDR_SIZE);
+			/* TODO: Privacy */
+			u8_t *tx_addr = ll_addr_get(pdu_adv->tx_addr, NULL);
+
+			if (!mem_nz(tx_addr, BDADDR_SIZE)) {
+				return BT_HCI_ERR_INVALID_PARAM;
+			}
+
+			memcpy(ptr, tx_addr, BDADDR_SIZE);
 		}
 
 		/* TODO: TargetA, fill here at enable */
@@ -500,18 +500,27 @@ u8_t ll_adv_enable(u8_t enable)
 
 			ull_filter_adv_pdu_update(adv, rl_idx, pdu_adv);
 			ull_filter_adv_pdu_update(adv, rl_idx, pdu_scan);
+
 			priv = true;
 		}
 #endif /* !CONFIG_BT_CTLR_PRIVACY */
 
 		if (!priv) {
-			memcpy(&pdu_adv->adv_ind.addr[0],
-			       ll_addr_get(pdu_adv->tx_addr, NULL),
+			u8_t *tx_addr = ll_addr_get(pdu_adv->tx_addr, NULL);
+
+			memcpy(&pdu_adv->adv_ind.addr[0], tx_addr,
 			       BDADDR_SIZE);
-			memcpy(&pdu_scan->scan_rsp.addr[0],
-			       ll_addr_get(pdu_adv->tx_addr, NULL),
+			memcpy(&pdu_scan->scan_rsp.addr[0], tx_addr,
 			       BDADDR_SIZE);
 		}
+
+		/* In case the local IRK was not set or no match was
+		 * found the fallback address was used instead, check
+		 * that a valid address has been set.
+		 */
+		if (!mem_nz(&pdu_adv->adv_ind.addr[0], BDADDR_SIZE)) {
+			return BT_HCI_ERR_INVALID_PARAM;
+		}
 	}
 
 #if defined(CONFIG_BT_HCI_MESH_EXT)