fix(nimble): fix null dereference of ble_gatts_conn_aware_states after gatts stop

Astha Verma
2026-03-10 12:48:29 +05:30
committed by Rahul Tank
parent 2d0d4de008
commit b683865655
3 changed files with 52 additions and 0 deletions
+18
@@ -1405,6 +1405,9 @@ static void ble_att_svr_make_conn_aware(uint16_t conn_handle) {
conn->bhc_gatt_svr.half_aware = 1;
ble_hs_conn_addrs(conn, &addrs);
#if MYNEWT_VAL(BLE_STATIC_TO_DYNAMIC)
if (ble_gatts_conn_aware_states != NULL) {
#endif
for(i = 0; i < MYNEWT_VAL(BLE_STORE_MAX_BONDS); i++) {
if(memcmp(ble_gatts_conn_aware_states[i].peer_id_addr,
addrs.peer_id_addr.val, sizeof addrs.peer_id_addr.val) == 0) {
@@ -1412,6 +1415,9 @@ static void ble_att_svr_make_conn_aware(uint16_t conn_handle) {
ble_gatts_conn_aware_states[i].half_aware = 1;
}
}
#if MYNEWT_VAL(BLE_STATIC_TO_DYNAMIC)
}
#endif
BLE_HS_DBG_ASSERT(ble_hs_locked_by_cur_task());
}
@@ -1427,6 +1433,9 @@ static bool ble_att_svr_check_conn_aware(uint16_t conn_handle) {
conn->bhc_gatt_svr.aware_state = true;
ble_hs_conn_addrs(conn, &addrs);
#if MYNEWT_VAL(BLE_STATIC_TO_DYNAMIC)
if (ble_gatts_conn_aware_states != NULL) {
#endif
for(int i = 0; i < MYNEWT_VAL(BLE_STORE_MAX_BONDS); i++) {
if(memcmp(ble_gatts_conn_aware_states[i].peer_id_addr,
addrs.peer_id_addr.val, sizeof addrs.peer_id_addr.val) == 0) {
@@ -1434,6 +1443,9 @@ static bool ble_att_svr_check_conn_aware(uint16_t conn_handle) {
ble_gatts_conn_aware_states[i].aware = true;
}
}
#if MYNEWT_VAL(BLE_STATIC_TO_DYNAMIC)
}
#endif
}
return conn->bhc_gatt_svr.aware_state;
}
@@ -1631,6 +1643,9 @@ ble_att_svr_rx_read_type(uint16_t conn_handle, uint16_t cid, struct os_mbuf **rx
conn->bhc_gatt_svr.half_aware = 0;
ble_hs_conn_addrs(conn, &addrs);
#if MYNEWT_VAL(BLE_STATIC_TO_DYNAMIC)
if (ble_gatts_conn_aware_states != NULL) {
#endif
for(i = 0; i < MYNEWT_VAL(BLE_STORE_MAX_BONDS); i++) {
if(memcmp(ble_gatts_conn_aware_states[i].peer_id_addr,
addrs.peer_id_addr.val, sizeof addrs.peer_id_addr.val) == 0) {
@@ -1638,6 +1653,9 @@ ble_att_svr_rx_read_type(uint16_t conn_handle, uint16_t cid, struct os_mbuf **rx
ble_gatts_conn_aware_states[i].half_aware = 0;
}
}
#if MYNEWT_VAL(BLE_STATIC_TO_DYNAMIC)
}
#endif
} else {
if((ble_att_svr_get_csfs(conn_handle)[0] & 1)
&& ble_svc_gatt_csf_handle() != err_handle ) {
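Review bot: The guard added to ble_att_svr_make_conn_aware (and its three sibling hunks in this file) reads the global ble_gatts_conn_aware_states and then indexes it inside the loop, which is only safe if whatever sets the pointer to NULL on GATTS stop runs under the host lock that this function asserts at its end; if the stop path frees the table without that lock, the check-then-use can still dereference a freed array. A one-line comment at the first guard would pin that contract down: `/* table is freed by GATTS stop; host lock must be held across this check and the loop */`. As a point of style, the opening `{` sits in one `#if` block and its `}` in another, which brace-matching tools and formatters cannot follow; a `static inline bool` predicate that returns `true` when BLE_STATIC_TO_DYNAMIC is off would let the `if` be unconditional and the braces balance. All four enclosing functions extend beyond their hunks.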
+10
@@ -3429,6 +3429,13 @@ ble_gap_rx_conn_complete(struct ble_gap_conn_complete *evt, uint8_t instance)
conn->bhc_gatt_svr.half_aware = 0;
/* This is also done when bonding is restored, so `conn` and `ble_gatts_conn_aware_states` need to be kept in sync */
ble_hs_conn_addrs(conn, &addrs);
#if MYNEWT_VAL(BLE_STATIC_TO_DYNAMIC)
if (ble_gatts_conn_aware_states == NULL) {
/* GATTS was stopped; GATT database may have changed,
* so treat all reconnecting bonded peers as unaware */
conn->bhc_gatt_svr.aware_state = false;
} else {
#endif
for (int i = 0; i < MYNEWT_VAL(BLE_STORE_MAX_BONDS); i++) {
if (memcmp(ble_gatts_conn_aware_states[i].peer_id_addr,
addrs.peer_id_addr.val, sizeof addrs.peer_id_addr.val) == 0) {
@@ -3436,6 +3443,9 @@ ble_gap_rx_conn_complete(struct ble_gap_conn_complete *evt, uint8_t instance)
conn->bhc_gatt_svr.aware_state = ble_gatts_conn_aware_states[i].aware;
}
}
#if MYNEWT_VAL(BLE_STATIC_TO_DYNAMIC)
}
#endif
}
#endif
#if MYNEWT_VAL(BLE_PERIODIC_ADV_WITH_RESPONSES)
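Review bot: The new NULL branch in ble_gap_rx_conn_complete sets `conn->bhc_gatt_svr.aware_state = false`, but the matching NULL case this commit adds to ble_gatts_bonding_restored in the third file leaves aware_state untouched, even though the comment right above this hunk says the two paths must be kept in sync. Either the restored path should get the same `conn->bhc_gatt_svr.aware_state = false;` assignment, or the comment here should say why a reconnect and a bond restore are treated differently when the table is gone. The `} else {` under one `#if` with its closing `}` under a later `#if` is correct for the preprocessor but easy to unbalance on a future edit. ble_gap_rx_conn_complete continues outside the hunk.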
+24
@@ -1647,6 +1647,9 @@ ble_gatts_connection_broken(uint16_t conn_handle)
/* update bonded peer aware state */
if(conn->bhc_sec_state.bonded) {
ble_hs_conn_addrs(conn, &addrs);
#if MYNEWT_VAL(BLE_STATIC_TO_DYNAMIC)
if (ble_gatts_conn_aware_states != NULL) {
#endif
for(i = 0; i < MYNEWT_VAL(BLE_STORE_MAX_BONDS); i++) {
if(memcmp(ble_gatts_conn_aware_states[i].peer_id_addr,
addrs.peer_id_addr.val, sizeof addrs.peer_id_addr.val) == 0) { //Check Thoroughly
@@ -1659,6 +1662,9 @@ ble_gatts_connection_broken(uint16_t conn_handle)
}
}
}
#if MYNEWT_VAL(BLE_STATIC_TO_DYNAMIC)
}
#endif
}
#endif
}
@@ -2758,6 +2764,9 @@ ble_gatts_bonding_restored(uint16_t conn_handle)
#if MYNEWT_VAL(BLE_GATT_CACHING)
/* update the aware state of the client */
ble_hs_conn_addrs(conn, &addrs);
#if MYNEWT_VAL(BLE_STATIC_TO_DYNAMIC)
if (ble_gatts_conn_aware_states != NULL) {
#endif
for(i = 0; i < MYNEWT_VAL(BLE_STORE_MAX_BONDS); i++) {
if(memcmp(ble_gatts_conn_aware_states[i].peer_id_addr,
addrs.peer_id_addr.val, sizeof addrs.peer_id_addr.val) == 0) { // Check Thoroughly
@@ -2765,6 +2774,9 @@ ble_gatts_bonding_restored(uint16_t conn_handle)
conn->bhc_gatt_svr.aware_state = ble_gatts_conn_aware_states[i].aware;
}
}
#if MYNEWT_VAL(BLE_STATIC_TO_DYNAMIC)
}
#endif
#endif
ble_hs_unlock();
@@ -3182,11 +3194,17 @@ int ble_gatts_add_dynamic_svcs(const struct ble_gatt_svc_def *svcs) {
end_handle = entry->end_group_handle;
#if MYNEWT_VAL(BLE_GATT_CACHING)
/* make all bonded connections unaware */
#if MYNEWT_VAL(BLE_STATIC_TO_DYNAMIC)
if (ble_gatts_conn_aware_states != NULL) {
#endif
for(i = 0; i < MYNEWT_VAL(BLE_STORE_MAX_BONDS); i++) {
ble_gatts_conn_aware_states[i].half_aware = 0;
ble_gatts_conn_aware_states[i].aware = false;
}
ble_hs_conn_foreach(ble_gatts_conn_unaware, NULL);
#if MYNEWT_VAL(BLE_STATIC_TO_DYNAMIC)
}
#endif
#endif
/* send service change indication */
@@ -3283,11 +3301,17 @@ done:
rc = ble_gatts_remove_svc_entry(uuid);
#if MYNEWT_VAL(BLE_GATT_CACHING)
/* make all bonded connections them unaware */
#if MYNEWT_VAL(BLE_STATIC_TO_DYNAMIC)
if (ble_gatts_conn_aware_states != NULL) {
#endif
for(i = 0; i < MYNEWT_VAL(BLE_STORE_MAX_BONDS); i++) {
ble_gatts_conn_aware_states[i].aware = false;
ble_gatts_conn_aware_states[i].half_aware = 0;
}
ble_hs_conn_foreach(ble_gatts_conn_unaware, NULL);
#if MYNEWT_VAL(BLE_STATIC_TO_DYNAMIC)
}
#endif
#endif
/* send service change indication */
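Review bot: In ble_gatts_add_dynamic_svcs, and again in the remove path in the last hunk, `ble_hs_conn_foreach(ble_gatts_conn_unaware, NULL)` is now skipped whenever ble_gatts_conn_aware_states is NULL, yet the conn-complete hunk in the second file shows that connections can exist in that state; if so, already-connected peers keep `aware_state = true` across a database change even though the service-changed indication that follows is still sent. Placing `ble_hs_conn_foreach(ble_gatts_conn_unaware, NULL);` after the `#endif` that closes the guard keeps per-connection state correct independently of the bonded-peer table. Separately, the NULL case added to ble_gatts_bonding_restored leaves `conn->bhc_gatt_svr.aware_state` unchanged, whereas ble_gap_rx_conn_complete sets it to false in the same situation. All four functions in this file extend beyond their hunks.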