
[BlueZ] btdev: Check parameter for CIG related commands

Message ID 20220331223207.3243206-1-luiz.dentz@gmail.com
State New
Series [BlueZ] btdev: Check parameter for CIG related commands | expand

Commit Message

Luiz Augusto von Dentz March 31, 2022, 10:32 p.m. UTC
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

This checks if the parameters given to Set CIG Parameters and Remove CIG
are in the valid range.
---
 emulator/btdev.c | 60 +++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 59 insertions(+), 1 deletion(-)

Comments

bluez.test.bot@gmail.com March 31, 2022, 11:49 p.m. UTC | #1
This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=628004

---Test result---

Test Summary:
CheckPatch                    PASS      1.57 seconds
GitLint                       PASS      1.06 seconds
Prep - Setup ELL              PASS      52.87 seconds
Build - Prep                  PASS      0.80 seconds
Build - Configure             PASS      10.62 seconds
Build - Make                  PASS      1517.65 seconds
Make Check                    PASS      12.83 seconds
Make Check w/Valgrind         PASS      530.48 seconds
Make Distcheck                PASS      279.36 seconds
Build w/ext ELL - Configure   PASS      10.79 seconds
Build w/ext ELL - Make        PASS      1470.20 seconds
Incremental Build with patchesPASS      0.00 seconds



---
Regards,
Linux Bluetooth

Patch

diff --git a/emulator/btdev.c b/emulator/btdev.c
index 7fc848ff9..6f44103a7 100644
--- a/emulator/btdev.c
+++ b/emulator/btdev.c
@@ -5718,6 +5718,8 @@  static int cmd_set_cig_params(struct btdev *dev, const void *data,
 		uint16_t handle[CIS_SIZE];
 	} __attribute__ ((packed)) rsp;
 	int i = 0;
+	uint32_t interval;
+	uint16_t latency;
 
 	memset(&rsp, 0, sizeof(rsp));
 
@@ -5726,6 +5728,56 @@  static int cmd_set_cig_params(struct btdev *dev, const void *data,
 		goto done;
 	}
 
+	if (cmd->cig_id > 0xef) {
+		rsp.params.status = BT_HCI_ERR_INVALID_PARAMETERS;
+		goto done;
+	}
+
+	interval = get_le24(cmd->c_interval);
+	if (interval < 0x0000ff || interval > 0x0fffff) {
+		rsp.params.status = BT_HCI_ERR_INVALID_PARAMETERS;
+		goto done;
+	}
+
+	interval = get_le24(cmd->p_interval);
+	if (interval < 0x0000ff || interval > 0x0fffff) {
+		rsp.params.status = BT_HCI_ERR_INVALID_PARAMETERS;
+		goto done;
+	}
+
+	if (cmd->sca > 0x07) {
+		rsp.params.status = BT_HCI_ERR_INVALID_PARAMETERS;
+		goto done;
+	}
+
+	if (cmd->packing > 0x01) {
+		rsp.params.status = BT_HCI_ERR_INVALID_PARAMETERS;
+		goto done;
+	}
+
+	if (cmd->framing > 0x01) {
+		rsp.params.status = BT_HCI_ERR_INVALID_PARAMETERS;
+		goto done;
+	}
+
+	latency = cpu_to_le16(cmd->c_latency);
+	if (latency < 0x0005 || latency > 0x0fa0) {
+		rsp.params.status = BT_HCI_ERR_INVALID_PARAMETERS;
+		goto done;
+	}
+
+	latency = cpu_to_le16(cmd->p_latency);
+	if (latency < 0x0005 || latency > 0x0fa0) {
+		rsp.params.status = BT_HCI_ERR_INVALID_PARAMETERS;
+		goto done;
+	}
+
+	if (dev->le_cig.params.cig_id != 0xff &&
+				dev->le_cig.params.cig_id != cmd->cig_id) {
+		rsp.params.status = BT_HCI_ERR_INVALID_PARAMETERS;
+		goto done;
+	}
+
 	memcpy(&dev->le_cig, data, len);
 
 	rsp.params.status = BT_HCI_ERR_SUCCESS;
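Review bot: None of the added range checks bounds `len` before the `memcpy(&dev->le_cig, data, len)` that follows them, so the copy size still comes straight from the command. The guard that ends just above the added lines is outside the hunk and may already cover this; if it does not, add `if (len > sizeof(dev->le_cig)) { rsp.params.status = BT_HCI_ERR_INVALID_PARAMETERS; goto done; }` next to the other checks. Separately, the two latency reads convert a wire value to host order, so `latency = le16_to_cpu(cmd->c_latency);` (and the same for `p_latency`) states the intent correctly. The byte swap is the same either way, but `cpu_to_le16` reads as the wrong direction. The body of cmd_set_cig_params starts and ends outside this hunk.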
@@ -5849,8 +5901,13 @@  static int cmd_remove_cig(struct btdev *dev, const void *data, uint8_t len)
 	memset(&dev->le_cig, 0, sizeof(dev->le_cig));
 	memset(&rsp, 0, sizeof(rsp));
 
-	rsp.status = BT_HCI_ERR_SUCCESS;
 	rsp.cig_id = cmd->cig_id;
+
+	if (dev->le_cig.params.cig_id == cmd->cig_id)
+		rsp.status = BT_HCI_ERR_SUCCESS;
+	else
+		rsp.status = BT_HCI_ERR_UNKNOWN_CONN_ID;
+
 	cmd_complete(dev, BT_HCI_CMD_LE_REMOVE_CIG, &rsp, sizeof(rsp));
 
 	return 0;
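Review bot: The new comparison `dev->le_cig.params.cig_id == cmd->cig_id` runs after the context line `memset(&dev->le_cig, 0, sizeof(dev->le_cig))`, so it always compares against 0. As written, Remove CIG reports success only for CIG ID 0, and the stored CIG state is wiped even when the command is rejected with BT_HCI_ERR_UNKNOWN_CONN_ID. The memset also replaces the 0xff "no CIG configured" sentinel that btdev_create sets in this patch, so after any removal the new check in cmd_set_cig_params would reject every CIG ID other than 0. Compare first, clear the state only on a match, and restore the sentinel afterwards. The start of cmd_remove_cig is outside the hunk.

```c
	/* … unchanged: cmd/rsp declarations above the hunk … */
	memset(&rsp, 0, sizeof(rsp));

	rsp.cig_id = cmd->cig_id;

	if (dev->le_cig.params.cig_id == cmd->cig_id) {
		/* Only drop the stored CIG when the ID matches, and
		 * restore the "no CIG" sentinel used by Set CIG Parameters.
		 */
		memset(&dev->le_cig, 0, sizeof(dev->le_cig));
		dev->le_cig.params.cig_id = 0xff;
		rsp.status = BT_HCI_ERR_SUCCESS;
	} else {
		rsp.status = BT_HCI_ERR_UNKNOWN_CONN_ID;
	}

	/* … unchanged: cmd_complete() and return … */
```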
@@ -6777,6 +6834,7 @@  struct btdev *btdev_create(enum btdev_type type, uint16_t id)
 
 	btdev->iso_mtu = 251;
 	btdev->iso_max_pkt = 1;
+	btdev->le_cig.params.cig_id = 0xff;
 
 	btdev->country_code = 0x00;