
Commit 25ad8706 authored by Jakub Pawlowski's avatar Jakub Pawlowski

Fix for infinite loop in gatt_enc_cmpl_cback

Bug: 123574849
Change-Id: Id680cc794326b5d00c28dadf0d7aad98c0e4a5f2
parent 9eaedead
+2 −2
@@ -739,7 +739,7 @@ tGATT_STATUS GATTC_Read(uint16_t conn_id, tGATT_READ_TYPE type,
  }
  }


  /* start security check */
  /* start security check */
  gatt_security_check_start(p_clcb);
  if (gatt_security_check_start(p_clcb)) p_tcb->pending_enc_clcb.push(p_clcb);
  return GATT_SUCCESS;
  return GATT_SUCCESS;
}
}


@@ -793,7 +793,7 @@ tGATT_STATUS GATTC_Write(uint16_t conn_id, tGATT_WRITE_TYPE type,
    p->offset = 0;
    p->offset = 0;
  }
  }


  gatt_security_check_start(p_clcb);
  if (gatt_security_check_start(p_clcb)) p_tcb->pending_enc_clcb.push(p_clcb);
  return GATT_SUCCESS;
  return GATT_SUCCESS;
}
}
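Review bot: The two changed call sites, in GATTC_Read and GATTC_Write, now own the decision to park p_clcb, but nothing at either line says what a false return means. Going by the gatt_security_check_start hunks on this page, false covers both "security check completed" and "operation already ended with GATT_INSUF_ENCRYPTION", so p_clcb may already have been ended when the call returns false. A comment above each call would record that, for example `/* true: waiting for link encryption, park the clcb; false: p_clcb was completed or ended, do not use it again */`. The single-line `if (...) push(...)` form would also read better with braces. Both function bodies start outside their hunks, so the declaration of p_tcb is not visible here.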


+13 −9
@@ -188,11 +188,13 @@ void gatt_enc_cmpl_cback(const RawAddress* bd_addr, tBT_TRANSPORT transport,
  gatt_sec_check_complete(status, p_clcb, p_tcb->sec_act);
  gatt_sec_check_complete(status, p_clcb, p_tcb->sec_act);


  /* start all other pending operation in queue */
  /* start all other pending operation in queue */
  std::queue<tGATT_CLCB*> new_pending_clcbs;
  while (!p_tcb->pending_enc_clcb.empty()) {
  while (!p_tcb->pending_enc_clcb.empty()) {
    tGATT_CLCB* p_clcb = p_tcb->pending_enc_clcb.front();
    tGATT_CLCB* p_clcb = p_tcb->pending_enc_clcb.front();
    p_tcb->pending_enc_clcb.pop();
    p_tcb->pending_enc_clcb.pop();
    gatt_security_check_start(p_clcb);
    if (gatt_security_check_start(p_clcb)) new_pending_clcbs.push(p_clcb);
  }
  }
  p_tcb->pending_enc_clcb = new_pending_clcbs;
}
}


/*******************************************************************************
/*******************************************************************************
@@ -223,11 +225,13 @@ void gatt_notify_enc_cmpl(const RawAddress& bd_addr) {
  if (gatt_get_sec_act(p_tcb) == GATT_SEC_ENC_PENDING) {
  if (gatt_get_sec_act(p_tcb) == GATT_SEC_ENC_PENDING) {
    gatt_set_sec_act(p_tcb, GATT_SEC_NONE);
    gatt_set_sec_act(p_tcb, GATT_SEC_NONE);


    std::queue<tGATT_CLCB*> new_pending_clcbs;
    while (!p_tcb->pending_enc_clcb.empty()) {
    while (!p_tcb->pending_enc_clcb.empty()) {
      tGATT_CLCB* p_clcb = p_tcb->pending_enc_clcb.front();
      tGATT_CLCB* p_clcb = p_tcb->pending_enc_clcb.front();
      p_tcb->pending_enc_clcb.pop();
      p_tcb->pending_enc_clcb.pop();
      gatt_security_check_start(p_clcb);
      if (gatt_security_check_start(p_clcb)) new_pending_clcbs.push(p_clcb);
    }
    }
    p_tcb->pending_enc_clcb = new_pending_clcbs;
  }
  }
}
}
/*******************************************************************************
/*******************************************************************************
@@ -397,8 +401,8 @@ static bool gatt_convert_sec_action(tGATT_SEC_ACTION gatt_sec_act,
  return status;
  return status;
}
}


/** check link security */
/** check link security, return true if p_clcb should be added back to queue */
void gatt_security_check_start(tGATT_CLCB* p_clcb) {
bool gatt_security_check_start(tGATT_CLCB* p_clcb) {
  tGATT_TCB* p_tcb = p_clcb->p_tcb;
  tGATT_TCB* p_tcb = p_clcb->p_tcb;
  tGATT_SEC_ACTION sec_act_old = gatt_get_sec_act(p_tcb);
  tGATT_SEC_ACTION sec_act_old = gatt_get_sec_act(p_tcb);


@@ -430,17 +434,17 @@ void gatt_security_check_start(tGATT_CLCB* p_clcb) {
          gatt_set_ch_state(p_tcb, GATT_CH_OPEN);
          gatt_set_ch_state(p_tcb, GATT_CH_OPEN);


          gatt_end_operation(p_clcb, GATT_INSUF_ENCRYPTION, NULL);
          gatt_end_operation(p_clcb, GATT_INSUF_ENCRYPTION, NULL);
          return;
          return false;
        }
        }
      }
      }
      p_tcb->pending_enc_clcb.push(p_clcb);
      return true;
      break;
    case GATT_SEC_ENC_PENDING:
    case GATT_SEC_ENC_PENDING:
      p_tcb->pending_enc_clcb.push(p_clcb);
      /* wait for link encrypotion to finish */
      /* wait for link encrypotion to finish */
      break;
      return true;
    default:
    default:
      gatt_sec_check_complete(true, p_clcb, gatt_sec_act);
      gatt_sec_check_complete(true, p_clcb, gatt_sec_act);
      break;
      break;
  }
  }

  return false;
}
}
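Review bot: Both drain loops (in gatt_enc_cmpl_cback and gatt_notify_enc_cmpl) pass every queued raw tGATT_CLCB* straight to gatt_security_check_start, which dereferences it on its first line (`p_clcb->p_tcb`), so a clcb released while parked in pending_enc_clcb would be read after free when the queue is drained. Nothing on this page shows entries being removed when a clcb is deallocated; that may be handled elsewhere, but it is worth confirming and recording next to the loops, e.g. `/* every entry must still be a live clcb: remove it from pending_enc_clcb before freeing it */`. Separately, `p_tcb->pending_enc_clcb = new_pending_clcbs;` copies the queue, and `p_tcb->pending_enc_clcb = std::move(new_pending_clcbs);` would avoid the copy. Both functions begin outside their hunks.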
+1 −1
@@ -536,7 +536,7 @@ extern void gatt_send_queue_write_cancel(tGATT_TCB& tcb, tGATT_CLCB* p_clcb,
                                         tGATT_EXEC_FLAG flag);
                                         tGATT_EXEC_FLAG flag);


/* gatt_auth.cc */
/* gatt_auth.cc */
extern void gatt_security_check_start(tGATT_CLCB* p_clcb);
extern bool gatt_security_check_start(tGATT_CLCB* p_clcb);
extern void gatt_verify_signature(tGATT_TCB& tcb, BT_HDR* p_buf);
extern void gatt_verify_signature(tGATT_TCB& tcb, BT_HDR* p_buf);
extern tGATT_STATUS gatt_get_link_encrypt_status(tGATT_TCB& tcb);
extern tGATT_STATUS gatt_get_link_encrypt_status(tGATT_TCB& tcb);
extern tGATT_SEC_ACTION gatt_get_sec_act(tGATT_TCB* p_tcb);
extern tGATT_SEC_ACTION gatt_get_sec_act(tGATT_TCB* p_tcb);
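Review bot: The declaration of gatt_security_check_start changes from void to bool, so a caller that ignores the result now silently drops a clcb that should have been parked, and that operation would never be resumed once encryption completes. Declaring it as `[[nodiscard]] extern bool gatt_security_check_start(tGATT_CLCB* p_clcb);` (if the build's language level allows it, otherwise the compiler's warn-unused-result attribute) would turn any call site not updated by this commit into a warning. The return-value comment exists only on the definition in gatt_auth.cc; repeating `/* returns true if the caller must push p_clcb onto pending_enc_clcb */` here would help readers who only see the header.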