From d5af19f22cb525b4b2a00cb149064270e2943a35 Mon Sep 17 00:00:00 2001
From: Lukasz Rymanowski
Date: Thu, 19 Mar 2015 10:56:30 +0100
Subject: [PATCH] shared/gatt-helpers: Improve robustness read by type request

This patch makes sure that we do get into infinite loop when doing read by type request. It could happen if we got bogus read by type response
---
 src/shared/gatt-helpers.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/shared/gatt-helpers.c b/src/shared/gatt-helpers.c
index a11f4c111..744211ff0 100644
--- a/src/shared/gatt-helpers.c
+++ b/src/shared/gatt-helpers.c
@@ -1336,10 +1336,22 @@ static void read_by_type_cb(uint8_t opcode, const void *pdu,
 }
 
 last_handle = get_le16(pdu + length - data_length);
+
+ /*
+ * If last handle is lower from previous start handle then it is smth
+ * wrong. Let's stop search, otherwise we might enter infinite loop.
+ */
+ if (last_handle < op->start_handle) {
+ success = false;
+ goto done;
+ }
+
+ op->start_handle = last_handle + 1;
+
 if (last_handle != op->end_handle) {
 uint8_t pdu[4 + get_uuid_len(&op->uuid)];
 
- put_le16(last_handle + 1, pdu);
+ put_le16(op->start_handle, pdu);
 put_le16(op->end_handle, pdu + 2);
 bt_uuid_to_le(&op->uuid, pdu + 4);
 
@@ -1381,6 +1393,7 @@ bool bt_gatt_read_by_type(struct bt_att *att, uint16_t start, uint16_t end,
 op->callback = callback;
 op->user_data = user_data;
 op->destroy = destroy;
+ op->start_handle = start;
 op->end_handle = end;
 op->uuid = *uuid;
-- 
2.47.3
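Review bot: The new guard in read_by_type_cb only rejects a last_handle that moves backwards; a response whose last handle lies above op->end_handle is just as bogus and is not caught. With start_handle presumably a uint16_t (the second hunk stores a `uint16_t start` into it), a last_handle of 0xffff makes `last_handle + 1` wrap to 0, and because 0xffff != op->end_handle the next request restarts from handle 0 with a start_handle the guard no longer trips on, so a peer that keeps answering 0xffff still drives the loop the patch is meant to end. Bounding the check to the range that was requested closes this: `if (last_handle < op->start_handle || last_handle > op->end_handle) {`. The added comment would then read better as `/* A last handle outside the range we asked for is bogus; stop here rather than loop forever. */`. read_by_type_cb starts and ends outside the hunk.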