Skip to content

Bluetooth: GATT: Fix assuming writes to CCC will always contain 2 bytes #16731

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jhedberg merged 1 commit into from
Jun 11, 2019
Merged

Bluetooth: GATT: Fix assuming writes to CCC will always contain 2 bytes #16731

jhedberg merged 1 commit into from
Jun 11, 2019

Conversation

@Vudentz
Copy link
Contributor

@Vudentz Vudentz commented Jun 11, 2019
edited
Loading

Although unlikely it is possible that a remote may attempt to send just
1 byte as the write request allows to do that:

BLUETOOTH CORE SPECIFICATION Version 5.1 | Vol 3, Part F
page 2320:

'If the attribute value has a fixed length and the Attribute Value
parameter length is less than or equal to the length of the attribute
value, the octets of the attribute value parameter length shall be
written; all other octets in this attribute value shall be
unchanged.'

Fixes #16734

Signed-off-by: Luiz Augusto von Dentz luiz.von.dentz@intel.com

@Vudentz Vudentz added bug The issue is a bug, or the PR is fixing a bug area: Bluetooth labels Jun 11, 2019
@Vudentz Vudentz requested a review from asbjornsabo June 11, 2019 08:00
joerchan
joerchan suggested changes Jun 11, 2019
View reviewed changes
@Vudentz Vudentz force-pushed the bluetooth branch 2 times, most recently from 72794a2 to fe4b1fb Compare June 11, 2019 08:57
joerchan
joerchan reviewed Jun 11, 2019
View reviewed changes
@Vudentz
Bluetooth: GATT: Fix assuming writes to CCC will always contain 2 bytes
6372203 
Although unlikely it is possible that a remote may attempt to send just
1 byte as the write request allows to do that:

BLUETOOTH CORE SPECIFICATION Version 5.1 | Vol 3, Part F
page 2320:

  'If the attribute value has a fixed length and the Attribute Value
  parameter length is less than or equal to the length of the attribute
  value, the octets of the attribute value parameter length shall be
  written; all other octets in this attribute value shall be
  unchanged.'

Fixes zephyrproject-rtos#16734

Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
@jhedberg jhedberg merged commit 8ba5b73 into zephyrproject-rtos:master Jun 11, 2019
@backporting backporting bot mentioned this pull request Jun 11, 2019
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jhedberg jhedberg jhedberg approved these changes

@asbjornsabo asbjornsabo Awaiting requested review from asbjornsabo

+1 more reviewer

@joerchan joerchan joerchan approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

area: Bluetooth bug The issue is a bug, or the PR is fixing a bug

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Bluetooth: GATT: Writing 1 byte to a CCC access invalid memory

3 participants

@Vudentz @jhedberg @joerchan