bluetooth: fix packet pointer may refer to null

Root cause: when packet is null, the packet variable in the for loop
would refer to null memory.

Signed-off-by: chengkai <chengkai@xiaomi.com>
chengkai 2024-03-25 15:28:45 +08:00 committed by Xiang Xiao
parent a55d62f477
commit 3fb63c20d4


@ -777,6 +777,7 @@ static int bt_slip_receive(FAR struct bt_driver_s *drv,
FAR uint8_t *packet;
FAR uint8_t *cursor;
FAR uint8_t *header;
FAR uint8_t *pointer;
uint8_t byte = 0;
uint16_t checksum;
size_t remaining;
@ -818,13 +819,14 @@ static int bt_slip_receive(FAR struct bt_driver_s *drv,
break;
}
packet = bt_slip_unslip_byte(packet, &byte);
if (!packet)
pointer = bt_slip_unslip_byte(packet, &byte);
if (!pointer)
{
state = PACKET_START;
break;
}
packet = pointer;
*cursor++ = byte;
remaining--;
@ -898,13 +900,14 @@ static int bt_slip_receive(FAR struct bt_driver_s *drv,
break;
case PACKET_PAYLOAD:
{
packet = bt_slip_unslip_byte(packet, &byte);
if (!packet)
pointer = bt_slip_unslip_byte(packet, &byte);
if (!pointer)
{
state = PACKET_START;
break;
}
packet = pointer;
*cursor++ = byte;
remaining--;
@ -926,13 +929,14 @@ static int bt_slip_receive(FAR struct bt_driver_s *drv,
break;
case PACKET_DICHECK:
{
packet = bt_slip_unslip_byte(packet, &byte);
if (!packet)
pointer = bt_slip_unslip_byte(packet, &byte);
if (!pointer)
{
state = PACKET_START;
break;
}
packet = pointer;
*cursor++ = byte;
remaining--;
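Review bot: In the three `if (!pointer)` branches (the case in the -818 hunk, `PACKET_PAYLOAD` and `PACKET_DICHECK`), `packet` now stays on the byte that failed to decode, so the for loop named in the commit message only makes forward progress if the `PACKET_START` case consumes that byte. That case is outside the visible hunks, so this is unverified here; if it does not always advance `packet`, malformed SLIP input from the controller could hold the loop at one position. Please confirm this and record the invariant at the first site, for example `/* Bad escape: keep packet in place; PACKET_START resyncs from this byte */`. As a style point, the same unslip/check/assign sequence is now repeated three times and would read better as one small static helper that returns a status and advances `packet` only on success.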