From 0d1979bf6eeea21c9df076517751a158673530ac Mon Sep 17 00:00:00 2001
From: Lukasz Rymanowski
Date: Thu, 19 Mar 2015 10:56:28 +0100
Subject: [PATCH] shared/gatt-helpers: Improve robustness of get characteristics

This patch makes sure that we do get into infinite loop when doing search for characteristics
It could happen if we got bogus read by type response
---
 src/shared/gatt-helpers.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/shared/gatt-helpers.c b/src/shared/gatt-helpers.c
index b8aa65c1e..7d3ad215b 100644
--- a/src/shared/gatt-helpers.c
+++ b/src/shared/gatt-helpers.c
@@ -1216,10 +1216,22 @@ static void discover_chrcs_cb(uint8_t opcode, const void *pdu,
 		goto done;
 	}
 	last_handle = get_le16(pdu + length - data_length);
+
+	/*
+	 * If last handle is lower from previous start handle then it is smth
+	 * wrong. Let's stop search, otherwise we might enter infinite loop.
+	 */
+	if (last_handle < op->start_handle) {
+		success = false;
+		goto done;
+	}
+
+	op->start_handle = last_handle + 1;
+
 	if (last_handle != op->end_handle) {
 		uint8_t pdu[6];
-		put_le16(last_handle + 1, pdu);
+		put_le16(op->start_handle, pdu);
 		put_le16(op->end_handle, pdu + 2);
 		put_le16(GATT_CHARAC_UUID, pdu + 4);
@@ -1259,6 +1271,7 @@ struct bt_gatt_request *bt_gatt_discover_characteristics(struct bt_att *att,
 	op->callback = callback;
 	op->user_data = user_data;
 	op->destroy = destroy;
+	op->start_handle = start;
 	op->end_handle = end;
 	put_le16(start, pdu);
-- 
2.47.3
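Review bot: The new guard in discover_chrcs_cb only rejects a last_handle that went backwards; a bogus Read By Type response whose last_handle lies above op->end_handle still passes, the `last_handle != op->end_handle` test on the next line then issues another request past the requested range, and if last_handle is 0xffff the `op->start_handle = last_handle + 1` assignment wraps to 0 when start_handle is a 16-bit field (the struct is not visible in this hunk, so that part is inferred). Bounding the check on both sides closes that hole: `if (last_handle < op->start_handle || last_handle > op->end_handle) {`. The added comment would also read better as `/* A last handle below the start handle means the peer's response is bogus; stop here rather than loop forever. */`. discover_chrcs_cb begins before this hunk and continues after it.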