From 5cd26f3366c3d0c1c0bb873e49fd6ea9d0044e2a Mon Sep 17 00:00:00 2001
From: Lukasz Rymanowski
Date: Thu, 19 Mar 2015 10:56:31 +0100
Subject: [PATCH] shared/gatt-helpers: Improve robustness of get descriptors

This patch makes sure that we do get into infinite loop when doing get descriptors operation. It could happen if we got bogus find information response
---
 src/shared/gatt-helpers.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/shared/gatt-helpers.c b/src/shared/gatt-helpers.c
index 744211ff0..1076a6a45 100644
--- a/src/shared/gatt-helpers.c
+++ b/src/shared/gatt-helpers.c
@@ -1461,10 +1461,22 @@ static void discover_descs_cb(uint8_t opcode, const void *pdu,
 }
 last_handle = get_le16(pdu + length - data_length);
+
+ /*
+ * If last handle is lower from previous start handle then it is smth
+ wrong. Let's stop search, otherwise we might enter infinite loop.
+ */
+ if (last_handle < op->start_handle) {
+ success = false;
+ goto done;
+ }
+
+ op->start_handle = last_handle + 1;
+
 if (last_handle != op->end_handle) {
 uint8_t pdu[4];
- put_le16(last_handle + 1, pdu);
+ put_le16(op->start_handle, pdu);
 put_le16(op->end_handle, pdu + 2);
 op->id = bt_att_send(op->att, BT_ATT_OP_FIND_INFO_REQ,
@@ -1504,6 +1516,7 @@ struct bt_gatt_request *bt_gatt_discover_descriptors(struct bt_att *att,
 op->callback = callback;
 op->user_data = user_data;
 op->destroy = destroy;
+ op->start_handle = start;
 op->end_handle = end;
 put_le16(start, pdu);
-- 
2.47.3
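Review bot: The new guard in discover_descs_cb only rejects a last_handle that went backwards, so a peer that answers with a last_handle above op->end_handle is still accepted, the next Find Information request is sent with start > end, and, if op->start_handle is a 16-bit field (it is written with put_le16, so presumably it is), a reply of 0xffff to a range that ends below 0xffff wraps `last_handle + 1` to 0 and the loop this patch sets out to stop can still run indefinitely. Bounding the upper side as well closes both cases: `if (last_handle < op->start_handle || last_handle > op->end_handle) {`. With both bounds every accepted reply advances start_handle strictly and it can never pass end_handle, so termination no longer depends on the remote device behaving. The comment would also be clearer stating the invariant it enforces, e.g. `/* A well-formed reply satisfies start_handle <= last_handle <= end_handle; anything else is a bogus peer - stop rather than loop. */`. discover_descs_cb begins before the hunk and continues past it, so the `done:` label and the `success` flag are outside this view.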