nimble/controller: Fix handling incorrect LL opcode According to BT specification v5.0 Vol.6 Part B, 2.4.2
If an LL Control PDU is: * not supported * not used * invalid i.e. set to value that is Reserved for Future use or CtrlData is invalid, the Link Layer shall respond with an LL_UNKNOWN_RSP PDU. This closes #633 Project: http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/repo Commit: http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/commit/f5b3bf68 Tree: http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/tree/f5b3bf68 Diff: http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/diff/f5b3bf68 Branch: refs/heads/nrf_cputime Commit: f5b3bf68445d645866366bd8c25ce2031215770f Parents: 0f10379 Author: Åukasz Rymanowski <[email protected]> Authored: Wed Mar 22 14:15:53 2017 +0100 Committer: William San Filippo <[email protected]> Committed: Wed Mar 22 09:47:56 2017 -0700 ---------------------------------------------------------------------- net/nimble/controller/src/ble_ll_ctrl.c | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/incubator-mynewt-core/blob/f5b3bf68/net/nimble/controller/src/ble_ll_ctrl.c ----------------------------------------------------------------------
diff --git a/net/nimble/controller/src/ble_ll_ctrl.c b/net/nimble/controller/src/ble_ll_ctrl.c
index 1ba93bd..f933922 100644
--- a/net/nimble/controller/src/ble_ll_ctrl.c
+++ b/net/nimble/controller/src/ble_ll_ctrl.c
@@ -1522,6 +1522,7 @@ ble_ll_ctrl_rx_pdu(struct ble_ll_conn_sm *connsm, struct os_mbuf *om)
#if (MYNEWT_VAL(BLE_LL_CFG_FEAT_LE_ENCRYPTION) == 1)
int restart_encryption;
#endif
+ int rc = 0;
/* XXX: where do we validate length received and packet header length?
* do this in LL task when received. Someplace!!! What I mean
@@ -1558,10 +1559,14 @@ ble_ll_ctrl_rx_pdu(struct ble_ll_conn_sm *connsm, struct os_mbuf *om)
ble_ll_log(BLE_LL_LOG_ID_LL_CTRL_RX, opcode, len, 0);
- /* opcode must be good */
+ /* If opcode comes from reserved value or CtrlData fields is invalid
+ * we shall respond with LL_UNKNOWN_RSP
+ */
if ((opcode >= BLE_LL_CTRL_OPCODES) || (len != g_ble_ll_ctrl_pkt_lengths[opcode])) {
- goto rx_malformed_ctrl;
+ rc = -1;
+ rsp_opcode = BLE_LL_CTRL_UNKNOWN_RSP;
+ goto ll_ctrl_send_rsp;
}
#if (MYNEWT_VAL(BLE_LL_CFG_FEAT_LE_ENCRYPTION) == 1)
@@ -1626,7 +1631,9 @@ ble_ll_ctrl_rx_pdu(struct ble_ll_conn_sm *connsm, struct os_mbuf *om)
case BLE_LL_CTRL_LENGTH_REQ:
/* Extract parameters and check if valid */
if (ble_ll_ctrl_len_proc(connsm, dptr)) {
- goto rx_malformed_ctrl;
+ rc = -1;
+ rsp_opcode = BLE_LL_CTRL_UNKNOWN_RSP;
+ goto ll_ctrl_send_rsp;
}
/*
@@ -1647,7 +1654,9 @@ ble_ll_ctrl_rx_pdu(struct ble_ll_conn_sm *connsm, struct os_mbuf *om)
if (connsm->cur_ctrl_proc == BLE_LL_CTRL_PROC_DATA_LEN_UPD) {
/* Process the received data */
if (ble_ll_ctrl_len_proc(connsm, dptr)) {
- goto rx_malformed_ctrl;
+ rc = -1;
+ rsp_opcode = BLE_LL_CTRL_UNKNOWN_RSP;
+ goto ll_ctrl_send_rsp;
}
/* Stop the control procedure */
@@ -1743,11 +1752,7 @@ ll_ctrl_send_rsp:
}
#endif
}
- return 0;
-
-rx_malformed_ctrl:
- os_mbuf_free_chain(om);
- return -1;
+ return rc;
}
/**
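Review bot: The three new `goto ll_ctrl_send_rsp` branches here and in the two following hunks no longer release `om` the way the removed `rx_malformed_ctrl` label did with `os_mbuf_free_chain(om)`, so the code under `ll_ctrl_send_rsp` (outside these hunks) must either reuse `om` for the LL_UNKNOWN_RSP or free it on every exit, including when no response can be built; that should be confirmed, because a peer can drive this path repeatedly and a leak here drains the mbuf pool. The meaning of the return value also shifts: `-1` used to signal "dropped, `om` released" and now also covers "rejected, LL_UNKNOWN_RSP queued", so callers of `ble_ll_ctrl_rx_pdu` that branch on a negative result should be re-read. Once confirmed, a comment at the first new branch such as `/* om is handed to ll_ctrl_send_rsp, which owns it from here */` would make the ownership explicit. The triplicated `rc = -1; rsp_opcode = BLE_LL_CTRL_UNKNOWN_RSP; goto ll_ctrl_send_rsp;` could collapse into one `goto unknown_rsp;` label that sets both, so the three sites cannot drift apart. `ble_ll_ctrl_rx_pdu` begins before this hunk and its `ll_ctrl_send_rsp` tail is only partly shown in the last hunk.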
