- Use source code from r2012
- Try to pair with SSP turned on - pairing doesn't work
- Try to pair with SSP turned off (hci_ssp_set_enable(0);) - pairing works
- However, data transmission in spp_counter doesn't work
We found a buffer overrun bug in event_handler() which causes this issue:
--- file: hci_transport_h4_ehcill_dma.c
    static int h4_process(struct data_source *ds) {
        // notify about packet sent
        if (tx_state == TX_DONE){
            // reset state
            tx_state = TX_IDLE;
            uint8_t event = DAEMON_EVENT_HCI_PACKET_SENT;
            packet_handler(HCI_EVENT_PACKET, &event, 1);
        }
--- file: hci.c
    static void event_handler(uint8_t *packet, int size){
        uint16_t event_length = packet[1];
        // assert packet is complete
        if (size != event_length + 2){
            log_error("hci.c: event_handler called with event packet of wrong size %u, expected %u => dropping packet", size, event_length + 2);
            return;
        }
As you can see, event_handler() is trying to access packet[1] whereas h4_process() passed it a 1-byte packet.
Suggested fix:
    static void event_handler(uint8_t *packet, int size){
        if (size > 1 && packet[0] != DAEMON_EVENT_HCI_PACKET_SENT) // added check for DAEMON_EVENT_HCI_PACKET_SENT
        {
            uint16_t event_length = packet[1];
            // assert packet is complete
            if (size != event_length + 2){
                log_error("hci.c: event_handler called with event packet of wrong size %u, expected %u => dropping packet", size, event_length + 2);
                return;
            }
        }
We have not checked yet if the suggested fix also makes SSP work. I'll follow up on this later.
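To illustrate the defect, an added example (not code from this issue or from the BTstack sources): the one-byte notification from h4_process() is fed to a handler that checks for a complete HCI event header before reading packet[1], next to the well-formed two-byte event that the maintainer's fix sends. The constant values, return codes and function names are placeholders chosen for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Placeholder values for this example; the real ones live in btstack's headers. */
#define HCI_EVENT_PACKET              0x04
#define DAEMON_EVENT_HCI_PACKET_SENT  0x6a

/* Return codes so the outcome can be checked rather than only logged. */
enum { EVENT_OK = 0, EVENT_DROPPED_TOO_SHORT = -1, EVENT_DROPPED_BAD_LENGTH = -2 };

/* Hardened size check: refuse to touch packet[1] unless both header bytes
   (event code + parameter length) are actually inside the buffer. */
static int event_handler_checked(const uint8_t *packet, int size){
    if (size < 2){
        fprintf(stderr, "event packet too short (%d bytes) => dropping\n", size);
        return EVENT_DROPPED_TOO_SHORT;
    }
    uint16_t event_length = packet[1];
    if (size != event_length + 2){
        fprintf(stderr, "wrong size %d, expected %u => dropping\n",
                size, (unsigned)(event_length + 2));
        return EVENT_DROPPED_BAD_LENGTH;
    }
    return EVENT_OK;
}

/* Producer side as described in the fix: a valid HCI event is the event code
   followed by its parameter length, here zero. */
static int notify_packet_sent_valid(void){
    uint8_t event[2] = { DAEMON_EVENT_HCI_PACKET_SENT, 0 };
    return event_handler_checked(event, (int)sizeof(event));
}

/* The r2012 behaviour: a lone event byte. The checked handler drops it
   instead of reading one byte past the end of the buffer. */
static int notify_packet_sent_one_byte(void){
    uint8_t event = DAEMON_EVENT_HCI_PACKET_SENT;
    return event_handler_checked(&event, 1);
}

int main(void){
    printf("2-byte event: %d\n", notify_packet_sent_valid());     /* 0 */
    printf("1-byte event: %d\n", notify_packet_sent_one_byte());  /* -1 */
    return 0;
}
```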
Comment #1
Posted on Dec 20, 2013 by Swift Ox
Thanks for reporting. I’ve fixed this in r2013 by sending valid HCI Event packets.
Please try SSP again as it does work for me.
Status: Fixed
Labels:
Type-Defect
Priority-Medium