patrick/zephyr
1
0
Fork 0
Code Issues Pull requests Actions 8 Packages Projects Releases Wiki Activity

Bluetooth: Fix clearing sent_cmd pointer when allocating event buffer

Browse source 
We should clear the bt_dev.sent_cmd pointer after using it to allocate a
new HCI event buffer in the bt_buf_get_cmd_complete() function.
Otherwise, there is a risk of reusing the same stored net_buf for
multiple consecutive HCI events in case the controller sents duplicate
or invalid event packets.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
This commit is contained in:
Johan Hedberg 2023-04-11 11:21:22 +03:00 committed by Carles Cufí
parent 3f78779e61
commit a6e5755da8
1 changed files with 2 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
subsys/bluetooth/host/buf.c
View file

@ -89,9 +89,8 @@ struct net_buf *bt_buf_get_cmd_complete(k_timeout_t timeout)
{
struct net_buf *buf;
if (bt_dev.sent_cmd) {
buf = net_buf_ref(bt_dev.sent_cmd);
buf = (struct net_buf *)atomic_ptr_clear((atomic_ptr_t *)&bt_dev.sent_cmd);
if (buf) {
bt_buf_set_type(buf, BT_BUF_EVT);
buf->len = 0U;
net_buf_reserve(buf, BT_BUF_RESERVE);