From b45ae2a1a0c76471a8d358ff3fae416ba884547a Mon Sep 17 00:00:00 2001
From: Marcin Kraglak
Date: Fri, 30 May 2014 11:37:42 +0200
Subject: [PATCH] android/gatt: Check for invalid handle errors

Check if handle or handle range is valid for server. If is invalid, reply with ATT_ECODE_INVALID_HANDLE.
---
 android/gatt.c | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)

diff --git a/android/gatt.c b/android/gatt.c
index c14f789b9..429181f16 100644
--- a/android/gatt.c
+++ b/android/gatt.c
@@ -4715,6 +4715,9 @@ static uint8_t read_by_group_type(const uint8_t *cmd, uint16_t cmd_len,
 if (!len)
 return ATT_ECODE_INVALID_PDU;
 
+ if (start > end || start == 0)
+ return ATT_ECODE_INVALID_HANDLE;
+
 q = queue_new();
 if (!q)
 return ATT_ECODE_INSUFF_RESOURCES;
@@ -4768,7 +4771,7 @@ static uint8_t read_by_type(const uint8_t *cmd, uint16_t cmd_len,
 if (!len)
 return ATT_ECODE_INVALID_PDU;
 
- if (start > end)
+ if (start > end || start == 0)
 return ATT_ECODE_INVALID_HANDLE;
 
 q = queue_new();
@@ -4831,6 +4834,9 @@ static uint8_t read_request(const uint8_t *cmd, uint16_t cmd_len,
 return ATT_ECODE_REQ_NOT_SUPP;
 }
 
+ if (handle == 0)
+ return ATT_ECODE_INVALID_HANDLE;
+
 data = new0(struct pending_request, 1);
 if (!data)
 return ATT_ECODE_INSUFF_RESOURCES;
@@ -4910,6 +4916,9 @@ static uint8_t find_info_handle(const uint8_t *cmd, uint16_t cmd_len,
 if (!len)
 return ATT_ECODE_INVALID_PDU;
 
+ if (start > end || start == 0)
+ return ATT_ECODE_INVALID_HANDLE;
+
 q = queue_new();
 if (!q)
 return ATT_ECODE_UNLIKELY;
@@ -4979,6 +4988,9 @@ static uint8_t find_by_type_request(const uint8_t *cmd, uint16_t cmd_len,
 if (!len)
 return ATT_ECODE_INVALID_PDU;
 
+ if (start > end || start == 0)
+ return ATT_ECODE_INVALID_HANDLE;
+
 q = queue_new();
 if (!q)
 return ATT_ECODE_UNLIKELY;
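Review bot: The range predicate `start > end || start == 0` is now spelled out by hand in read_by_group_type and again in read_by_type, find_info_handle and find_by_type_request, with the single-handle form `handle == 0` repeated in read_request and in the write paths of the later hunks. A small file-scope helper such as `static bool is_valid_handle_range(uint16_t start, uint16_t end) { return start != 0 && start <= end; }`, carrying a one-line comment that handle 0x0000 is reserved by ATT and an empty range is invalid, would keep this peer-supplied-input validation in one place so any future tightening reaches every opcode at once. Each of these checks sits in the middle of its function; the enclosing bodies start and end outside the diff.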
@@ -5032,6 +5044,9 @@ static void write_cmd_request(const uint8_t *cmd, uint16_t cmd_len,
 if (!len)
 return;
 
+ if (handle == 0)
+ return;
+
 if (!gatt_db_get_attribute_permissions(gatt_db, handle, &permissions))
 return;
 
@@ -5060,6 +5075,9 @@ static void write_signed_cmd_request(const uint8_t *cmd, uint16_t cmd_len,
 
 len = dec_signed_write_cmd(cmd, cmd_len, &handle, value, &vlen, s);
 
+ if (handle == 0)
+ return;
+
 if (!gatt_db_get_attribute_permissions(gatt_db, handle, &permissions))
 return;
 
@@ -5110,6 +5128,9 @@ static uint8_t write_req_request(const uint8_t *cmd, uint16_t cmd_len,
 if (!len)
 return ATT_ECODE_INVALID_PDU;
 
+ if (handle == 0)
+ return ATT_ECODE_INVALID_HANDLE;
+
 if (!gatt_db_get_attribute_permissions(gatt_db, handle, &permissions))
 return ATT_ECODE_ATTR_NOT_FOUND;
 
@@ -5159,6 +5180,9 @@ static uint8_t write_prep_request(const uint8_t *cmd, uint16_t cmd_len,
 if (!len)
 return ATT_ECODE_INVALID_PDU;
 
+ if (handle == 0)
+ return ATT_ECODE_INVALID_HANDLE;
+
 if (!gatt_db_get_attribute_permissions(gatt_db, handle, &permissions))
 return ATT_ECODE_ATTR_NOT_FOUND;
 
-- 
2.47.3
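Review bot: The new `handle == 0` guard in write_cmd_request returns silently, while the same guard in write_req_request and write_prep_request answers with ATT_ECODE_INVALID_HANDLE, and nothing in the code explains the asymmetry. It is the right behaviour for a Write Command, which has no response PDU, so a one-line comment above the check, `/* Write Command has no response: an invalid handle is dropped, not reported */`, would stop a later reader from "fixing" it into an error reply. write_signed_cmd_request in the next hunk would take the same comment. write_cmd_request's body starts and ends outside the hunk.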
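Review bot: In write_signed_cmd_request the new `handle == 0` check reads `handle` straight after `len = dec_signed_write_cmd(...)` without first testing `len`, unlike write_cmd_request, which returns on `!len` before touching the handle. If dec_signed_write_cmd returns 0 for a malformed PDU without writing `handle` (the `!len` guard in the sibling function suggests that is how the decoders behave, but the decoder itself is not in the diff), the comparison and the gatt_db_get_attribute_permissions lookup after it operate on an uninitialized value derived from a remote peer's packet. Adding `if (!len) return;` right after the decode call closes that gap and makes the two command paths symmetric. The declaration of `handle` and the rest of the function are outside the hunk.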
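Review bot: The `handle == 0` check added to write_req_request (and to write_prep_request in the last hunk) only rejects the reserved handle; a non-zero handle that is not in the database still falls through to the existing `gatt_db_get_attribute_permissions` failure and is answered with ATT_ECODE_ATTR_NOT_FOUND. As far as I recall the ATT error lists for Write Request and Prepare Write Request, an unknown handle is reported as Invalid Handle and Attribute Not Found belongs to the discovery opcodes, so if that lookup fails only for missing handles, `return ATT_ECODE_INVALID_HANDLE;` on that line would make the two checks consistent. This path predates the commit, so it is worth confirming against the specification before changing it. Both functions continue beyond the hunk.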