Merge branch 'fix/prov_ble_read_offset_v4.1' into 'release/v4.1'

projectgus · projectgus · commit 5ef1b3900262 · 2020-08-13T07:54:36.000+08:00
BLE provisioning: Add check for valid ble read offset (v4.1)

See merge request espressif/esp-idf!9745
diff --git a/components/protocomm/src/transports/protocomm_ble.c b/components/protocomm/src/transports/protocomm_ble.c
@@ -108,28 +108,39 @@ static void transport_simple_ble_read(esp_gatts_cb_event_t event, esp_gatt_if_t
 {
     static const uint8_t *read_buf = NULL;
     static uint16_t read_len = 0;
+    static uint16_t max_read_len = 0;
     esp_gatt_status_t status = ESP_OK;
 
     ESP_LOGD(TAG, "Inside read w/ session - %d on param %d %d",
              param->read.conn_id, param->read.handle, read_len);
     if (!read_len && !param->read.offset) {
         ESP_LOGD(TAG, "Reading attr value first time");
-        status = esp_ble_gatts_get_attr_value(param->read.handle, &read_len,  &read_buf);
+        status = esp_ble_gatts_get_attr_value(param->read.handle, &read_len, &read_buf);
+        max_read_len = read_len;
+    } else if ((read_len + param->read.offset) > max_read_len) {
+        status = ESP_GATT_INVALID_OFFSET;
     } else {
         ESP_LOGD(TAG, "Subsequent read request for attr value");
     }
 
     esp_gatt_rsp_t gatt_rsp = {0};
-    gatt_rsp.attr_value.len = MIN(read_len, (protoble_internal->gatt_mtu - 1));
     gatt_rsp.attr_value.handle = param->read.handle;
     gatt_rsp.attr_value.offset = param->read.offset;
-    gatt_rsp.attr_value.auth_req = ESP_GATT_AUTH_REQ_NONE;
-    if (gatt_rsp.attr_value.len && read_buf) {
-        memcpy(gatt_rsp.attr_value.value,
-                read_buf + param->read.offset,
-                gatt_rsp.attr_value.len);
+
+    if (status == ESP_GATT_OK) {
+        gatt_rsp.attr_value.len = MIN(read_len, (protoble_internal->gatt_mtu - 1));
+        gatt_rsp.attr_value.auth_req = ESP_GATT_AUTH_REQ_NONE;
+        if (gatt_rsp.attr_value.len && read_buf) {
+            memcpy(gatt_rsp.attr_value.value,
+                    read_buf + param->read.offset,
+                    gatt_rsp.attr_value.len);
+        }
+        read_len -= gatt_rsp.attr_value.len;
+    } else {
+        read_len = 0;
+        max_read_len = 0;
+        read_buf = NULL;
     }
-    read_len -= gatt_rsp.attr_value.len;
     esp_err_t err = esp_ble_gatts_send_response(gatts_if, param->read.conn_id,
                                                 param->read.trans_id, status, &gatt_rsp);
     if (err != ESP_OK) {
