From 5c0c5362b4d5feed8e0e8f161c19ff3c9bc35338 Mon Sep 17 00:00:00 2001
From: Vinayak Kariappa Chettimada
Date: Thu, 20 Feb 2020 14:27:06 +0530
Subject: [PATCH] Bluetooth: controller: legacy: Fix Tx pool corruption

Fix Tx pool from being corrupted when rough central device uses invalid packet sequence numbers, causing NULL pointer to be released into free data Tx pool.

Fixes #22968.

Signed-off-by: Vinayak Kariappa Chettimada
---
 subsys/bluetooth/controller/ll_sw/ctrl.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/subsys/bluetooth/controller/ll_sw/ctrl.c b/subsys/bluetooth/controller/ll_sw/ctrl.c
index e7f91909e7f979..6dd41e0597d9de 100644
--- a/subsys/bluetooth/controller/ll_sw/ctrl.c
+++ b/subsys/bluetooth/controller/ll_sw/ctrl.c
@@ -3648,6 +3648,7 @@ isr_rx_conn_pkt(struct radio_pdu_node_rx *node_rx,
 /* Ack for transmitted data */
 pdu_data_rx = (void *)node_rx->pdu_data;
 if (pdu_data_rx->nesn != _radio.conn_curr->sn) {
+ struct radio_pdu_node_tx *node_tx;
 /* Increment serial number */
 _radio.conn_curr->sn++;
@@ -3659,11 +3660,16 @@ isr_rx_conn_pkt(struct radio_pdu_node_rx *node_rx,
 _radio.conn_curr->slave.latency_enabled = 1U;
 }
- if (_radio.conn_curr->empty == 0) {
- struct radio_pdu_node_tx *node_tx;
+ if (!_radio.conn_curr->empty) {
+ node_tx = _radio.conn_curr->pkt_tx_head;
+ } else {
+ _radio.conn_curr->empty = 0U;
+ node_tx = NULL;
+ }
+
+ if (node_tx) {
 u8_t pdu_data_tx_len;
- node_tx = _radio.conn_curr->pkt_tx_head;
 pdu_data_tx = (void *)(node_tx->pdu_data + _radio.conn_curr->packet_tx_head_offset);
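Review bot: The `if (node_tx)` guard at the end of this hunk is the only thing standing between a NULL `pkt_tx_head` and the `isr_rx_conn_pkt_release()` call in the next hunk, yet nothing in the code records why the head can be NULL for an acknowledged, non-empty PDU, so a later cleanup could legitimately fold the check back into the `!empty` branch. Add a comment above the guard, e.g. `/* pkt_tx_head can be NULL when the peer acks with an invalid NESN while nothing is queued; skip rather than release NULL into the Tx pool */`, naming the peer-driven condition the commit message describes. Note also that `_radio.conn_curr->sn++` in the previous hunk still runs on such a spurious ack, so the connection's SN advances without any queued PDU having been consumed; whether that is the intended handling of an invalid NESN is not decided by this change and deserves a sentence in the commit message or a comment. `isr_rx_conn_pkt()` begins before the first hunk and continues past the last one.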
@@ -3681,13 +3687,12 @@ isr_rx_conn_pkt(struct radio_pdu_node_rx *node_rx,
 }
 }
- _radio.conn_curr->packet_tx_head_offset += pdu_data_tx_len;
+ _radio.conn_curr->packet_tx_head_offset +=
+ pdu_data_tx_len;
 if (_radio.conn_curr->packet_tx_head_offset == _radio.conn_curr->packet_tx_head_len) {
 *tx_release = isr_rx_conn_pkt_release(node_tx);
 }
- } else {
- _radio.conn_curr->empty = 0U;
 }
 #if defined(CONFIG_BT_CTLR_TX_RETRY_DISABLE)
 } else if (_radio.packet_counter != 1) {