michaelh/zephyr
1
0
Fork 0
Code Releases Activity

Bluetooth: fix write cmd handling

Browse source 
The data pointer and length was not updated before invoking the
write_rsp function therefore providing pointer to the handle.

Change-Id: I5c27ab7a793979dffb8f1f2c68def027c45f2376
Signed-off-by: Louis Caron <louis.caron@intel.com>
This commit is contained in:
Louis Caron 2016-12-28 10:28:50 +01:00 committed by Johan Hedberg
commit 9055f57850
1 changed files with 2 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

16
subsys/bluetooth/host/att.c
View file

@ -1181,13 +1181,9 @@ static uint8_t att_write_rsp(struct bt_conn *conn, uint8_t op, uint8_t rsp,
static uint8_t att_write_req(struct bt_att *att, struct net_buf *buf)
{
struct bt_conn *conn = att->chan.chan.conn;
struct bt_att_write_req *req;
uint16_t handle;
req = (void *)buf->data;
handle = sys_le16_to_cpu(req->handle);
net_buf_pull(buf, sizeof(*req));
handle = net_buf_pull_le16(buf);
BT_DBG("handle 0x%04x", handle);
@ -1380,17 +1376,9 @@ static uint8_t att_exec_write_req(struct bt_att *att, struct net_buf *buf)
static uint8_t att_write_cmd(struct bt_att *att, struct net_buf *buf)
{
struct bt_conn *conn = att->chan.chan.conn;
struct bt_att_write_cmd *req;
uint16_t handle;
if (buf->len < sizeof(*req)) {
/* Commands don't have any response */
return 0;
}
req = (void *)buf->data;
handle = sys_le16_to_cpu(req->handle);
handle = net_buf_pull_le16(buf);
BT_DBG("handle 0x%04x", handle);