haukepetersen opened a new issue #556: att_svr memory corruption: entry_mem is freed without relocating existing entries
URL: https://github.com/apache/mynewt-nimble/issues/556
 
 
   # How to reproduce
   I initialized the GATT server in the following sequence:
   - init some included services, e.g.: `ble_svc_gap_init()`, `ble_svc_gatt_init()`
   - start the GATT server: `ble_gatts_start()`
   - add some custom services: `ble_gatts_count_cfg()`, `ble_gatts_add_svcs()`
   - (re)start the GATT server, to load additional services: `ble_gatts_start()`
   
   This will lead to hard-faults on my platform (`nrf52dk`, RIOT, nimble controller).
   Used this RIOT branch: https://github.com/haukepetersen/RIOT/tree/opt_nimble_gattsinitpr
   NimBLE version: same on master and on 997dad8c9fc549e64b6c54eafcec109d92789418
   
   # Problem
   When initializing the GATT server, and thereby implicitly the ATT server, the ATT server frees and (re-)allocates the internal memory it uses for storing the server's entries (`ble_att_svr_entry_mem`). The problem is that if `ble_gatts_start()` is called multiple times, the ATT server frees `ble_att_svr_entry_mem` while it still contains valid entries. This freed memory is eventually re-used by other components in the system, leading to corrupted entries in the ATT server, and eventually making the system hard-fault...
   
   Simple test: add `assert((void *)entry >= (void *)ble_att_svr_entry_mem);` into `ble_att_svr_find_by_uuid()` -> this assertion is triggered when executing the sequence sketched above
   
   I am not so sure about a viable fix though: simply removing the `ble_att_svr_free_start_mem()` call from `ble_att_svr_start()` will fix this issue, but it sure enough opens a memory leak :-)
   
   I guess we probably must do something like this in `ble_att_svr_start()`:
   - allocate the new entry memory
   - move all existing entries from the old entry memory into the new one
   - and only then free the old entry memory again?
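
The allocate-relocate-free order sketched in the issue above, worked through on a deliberately simplified model (an added example, not NimBLE code; `struct svr`, `svr_add`, `svr_start`, `svr_entries_in_mem` and `svr_demo` are hypothetical names, and the entry pool is a plain `calloc` block rather than NimBLE's mempool):

```c
#include <stdint.h>
#include <stdlib.h>
struct entry { uint16_t handle; struct entry *next; }; /* hypothetical model, not NimBLE */
struct svr {
    struct entry *mem;   /* backing block, stands in for ble_att_svr_entry_mem */
    size_t cap, used;
    struct entry *list;  /* head of the entry list; every node lives inside mem */
};
/* Take the next free slot from the block and append it to the list. */
static struct entry *svr_add(struct svr *s, uint16_t h)
{
    if (s->used >= s->cap) return NULL;
    struct entry *e = &s->mem[s->used++], **tail = &s->list;
    while (*tail) tail = &(*tail)->next;
    *tail = e; e->handle = h; e->next = NULL;
    return e;
}
/* Restart in the order proposed above: allocate, relocate live entries, then
   free. Freeing first (the current order) leaves s->list dangling. */
int svr_start(struct svr *s, size_t new_cap)
{
    if (new_cap < s->used) return -1;
    struct entry *nm = calloc(new_cap, sizeof *nm);
    if (!nm) return -1;
    size_t i = 0;
    for (struct entry *e = s->list; e; e = e->next, i++) {
        nm[i].handle = e->handle;                  /* copy payload */
        nm[i].next = e->next ? &nm[i + 1] : NULL;  /* relink inside new block */
    }
    free(s->mem);
    s->mem = nm; s->cap = new_cap; s->list = s->used ? nm : NULL;
    return 0;
}
/* The report's check: does every live entry lie inside the current block? */
int svr_entries_in_mem(const struct svr *s)
{
    for (const struct entry *e = s->list; e; e = e->next)
        if (e < s->mem || e >= s->mem + s->cap) return 0;
    return 1;
}
/* Scenario: three entries, restart with a larger block, count the entries that survived in order. */
int svr_demo(void)
{
    struct svr s = { calloc(4, sizeof(struct entry)), 4, 0, NULL }; int n = 0;
    for (uint16_t h = 1; s.mem && h <= 3; h++) svr_add(&s, h);
    if (!s.mem || svr_start(&s, 8) != 0 || !svr_entries_in_mem(&s)) return -1;
    for (struct entry *e = s.list; e; e = e->next) n += (e->handle == n + 1);
    free(s.mem);
    return n;  /* returns 3 */
}
```

`svr_entries_in_mem()` is the same bounds check the issue suggests adding to `ble_att_svr_find_by_uuid()`; after `svr_start()` it holds because the list was rebuilt inside the new block before the old one was released.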
   
   
