patrick/zephyr
1
0
Fork 0
Code Issues Pull requests Actions 8 Packages Projects Releases Wiki Activity

Bluetooth: Fixing UBSAN warning in CTE field parsing in adv.c/scan.c

Browse source 
during local testling, UBSAN reported the following warnings:
- bluetooth/host/adv.c:2067:19: runtime error: shift exponent
255 is too large for 32-bit type 'long unsigned int'
- bluetooth/host/scan.c:828:18: runtime error: shift exponent
255 is too large for 32-bit type 'long unsigned int'

It turned out that we can't use BIT() macro directly on
bt_hci_evt_le_per_advertising_report::cte_type field.
According to Core Spec, `cte_type = 0xFF` corresponds
to `No contstant tone extension`.

Added separate function to convert CTE bit field from
HCI format to bt_df_cte_type

Signed-off-by: Ivan Iushkov <ivan.iushkov@nordicsemi.no>
This commit is contained in:
Ivan Iushkov 2024-02-06 13:08:30 +01:00 committed by Fabio Baltieri
parent b30d088d37
commit b1e9f86378
4 changed files with 26 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
subsys/bluetooth/host/adv.c
View file

@ -2064,7 +2064,7 @@ void bt_hci_le_per_adv_response_report(struct net_buf *buf)
response = net_buf_pull_mem(buf, sizeof(struct bt_hci_evt_le_per_adv_response));
info.tx_power = response->tx_power;
info.rssi = response->rssi;
info.cte_type = BIT(response->cte_type);
info.cte_type = bt_get_df_cte_type(response->cte_type);
info.response_slot = response->response_slot;
if (buf->len < response->data_length) {

16
subsys/bluetooth/host/hci_core.c
View file

@ -424,6 +424,22 @@ uint8_t bt_get_phy(uint8_t hci_phy)
}
}
int bt_get_df_cte_type(uint8_t hci_cte_type)
{
switch (hci_cte_type) {
case BT_HCI_LE_AOA_CTE:
return BT_DF_CTE_TYPE_AOA;
case BT_HCI_LE_AOD_CTE_1US:
return BT_DF_CTE_TYPE_AOD_1US;
case BT_HCI_LE_AOD_CTE_2US:
return BT_DF_CTE_TYPE_AOD_2US;
case BT_HCI_LE_NO_CTE:
return BT_DF_CTE_TYPE_NONE;
default:
return BT_DF_CTE_TYPE_NONE;
}
}
#if defined(CONFIG_BT_CONN_TX)
static void hci_num_completed_packets(struct net_buf *buf)
{

9
subsys/bluetooth/host/hci_core.h
View file

@ -434,7 +434,14 @@ int bt_le_set_data_len(struct bt_conn *conn, uint16_t tx_octets, uint16_t tx_tim
int bt_le_set_phy(struct bt_conn *conn, uint8_t all_phys,
uint8_t pref_tx_phy, uint8_t pref_rx_phy, uint8_t phy_opts);
uint8_t bt_get_phy(uint8_t hci_phy);
/**
* @brief Convert CTE type value from HCI format to @ref bt_df_cte_type format.
*
* @param hci_cte_type CTE type in an HCI format.
*
* @return CTE type (@ref bt_df_cte_type).
*/
int bt_get_df_cte_type(uint8_t hci_cte_type);
int bt_le_scan_update(bool fast_scan);
int bt_le_create_conn(const struct bt_conn *conn);

2
subsys/bluetooth/host/scan.c
View file

@ -825,7 +825,7 @@ static void bt_hci_le_per_adv_report_common(struct net_buf *buf)
info.tx_power = evt->tx_power;
info.rssi = evt->rssi;
info.cte_type = BIT(evt->cte_type);
info.cte_type = bt_get_df_cte_type(evt->cte_type);
info.addr = &per_adv_sync->addr;
info.sid = per_adv_sync->sid;