Bluetooth: HCI: Handle invalid ACL flags.

Handle invalid ACL flags in HCI transport. Only Point to Point is supported over HCI in both directions. Fix flushable start HCI ACL packets not allowed on LE-U connections from Host to controller. Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
2019-11-19 17:06:12 +01:00 · 2019-11-19 17:06:12 +01:00 · a1d73acfcd
commit a1d73acfcd
parent 363c4d197c
2 changed files with 21 additions and 4 deletions
--- a/subsys/bluetooth/controller/hci/hci.c
+++ b/subsys/bluetooth/controller/hci/hci.c
@ -2336,11 +2336,24 @@ int hci_acl_handle(struct net_buf *buf, struct net_buf **evt)

 	pdu_data = (void *)node_tx->pdu;

-	if (flags == BT_ACL_START_NO_FLUSH || flags == BT_ACL_START) {
-		pdu_data->ll_id = PDU_DATA_LLID_DATA_START;
-	} else {
-		pdu_data->ll_id = PDU_DATA_LLID_DATA_CONTINUE;
+	if (bt_acl_flags_bc(flags) != BT_ACL_POINT_TO_POINT) {
+		return -EINVAL;
 	}
+
+	switch (bt_acl_flags_pb(flags)) {
+	case BT_ACL_START_NO_FLUSH:
+		pdu_data->ll_id = PDU_DATA_LLID_DATA_START;
+		break;
+	case BT_ACL_CONT:
+		pdu_data->ll_id = PDU_DATA_LLID_DATA_CONTINUE;
+		break;
+	default:
+		/* BT_ACL_START and BT_ACL_COMPLETE not allowed on LE-U
+		 * from Host to Controller
+		 */
+		return -EINVAL;
+	}
+
 	pdu_data->len = len;
 	memcpy(&pdu_data->lldata[0], buf->data, len);

--- a/subsys/bluetooth/host/conn.c
+++ b/subsys/bluetooth/host/conn.c
@ -1206,6 +1206,10 @@ void bt_conn_recv(struct bt_conn *conn, struct net_buf *buf, u8_t flags)

 		break;
 	default:
+		/* BT_ACL_START_NO_FLUSH and BT_ACL_COMPLETE are not allowed on
+		 * LE-U from Controller to Host.
+		 * Only BT_ACL_POINT_TO_POINT is supported.
+		 */
 		BT_ERR("Unexpected ACL flags (0x%02x)", flags);
 		bt_conn_reset_rx_state(conn);
 		net_buf_unref(buf);