From 9055f578507a617ea8968a0c8d20030f6efad374 Mon Sep 17 00:00:00 2001
From: Louis Caron
Date: Wed, 28 Dec 2016 10:28:50 +0100
Subject: [PATCH] Bluetooth: fix write cmd handling

The data pointer and length was not updated before invoking the write_rsp function therefore providing pointer to the handle.

Change-Id: I5c27ab7a793979dffb8f1f2c68def027c45f2376
Signed-off-by: Louis Caron
---
 subsys/bluetooth/host/att.c | 16 ++--------------
 1 file changed, 2 insertions(+), 14 deletions(-)

diff --git a/subsys/bluetooth/host/att.c b/subsys/bluetooth/host/att.c
index 51e3e200946..efa693b24e1 100644
--- a/subsys/bluetooth/host/att.c
+++ b/subsys/bluetooth/host/att.c
@@ -1181,13 +1181,9 @@ static uint8_t att_write_rsp(struct bt_conn *conn, uint8_t op, uint8_t rsp,
 static uint8_t att_write_req(struct bt_att *att, struct net_buf *buf)
 {
 struct bt_conn *conn = att->chan.chan.conn;
- struct bt_att_write_req *req;
 uint16_t handle;
- req = (void *)buf->data;
-
- handle = sys_le16_to_cpu(req->handle);
- net_buf_pull(buf, sizeof(*req));
+ handle = net_buf_pull_le16(buf);
 BT_DBG("handle 0x%04x", handle);
@@ -1380,17 +1376,9 @@ static uint8_t att_exec_write_req(struct bt_att *att, struct net_buf *buf)
 static uint8_t att_write_cmd(struct bt_att *att, struct net_buf *buf)
 {
 struct bt_conn *conn = att->chan.chan.conn;
- struct bt_att_write_cmd *req;
 uint16_t handle;
- if (buf->len < sizeof(*req)) {
- /* Commands don't have any response */
- return 0;
- }
-
- req = (void *)buf->data;
-
- handle = sys_le16_to_cpu(req->handle);
+ handle = net_buf_pull_le16(buf);
 BT_DBG("handle 0x%04x", handle);
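Review bot: In `att_write_cmd` (second hunk) the `buf->len < sizeof(*req)` guard is removed together with the struct cast, so nothing visible in the function stops a peer-supplied Write Command shorter than two bytes from reaching `net_buf_pull_le16(buf)`, which returns only the value and cannot report a short buffer. `att_write_req` in the first hunk does the same unguarded pull; it had no check before either, which suggests the caller may already enforce a minimum PDU length, but that code is outside this diff and the commit message does not mention dropping the check. If the caller does guarantee it, record that above each pull with `/* caller has already checked buf->len >= sizeof(handle) */`; otherwise keep a guard in `att_write_cmd` ahead of the pull, `if (buf->len < sizeof(handle)) { return 0; }`. Both function bodies continue past the end of their hunks, so how the remaining `buf->data` and `buf->len` are consumed after the pull is not visible here.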