Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Null pointer dereference in ll_adv_aux_ad_data_set #28544

Closed
jcyrax opened this issue Sep 20, 2020 · 3 comments · Fixed by #28831
Closed

Null pointer dereference in ll_adv_aux_ad_data_set #28544

jcyrax opened this issue Sep 20, 2020 · 3 comments · Fixed by #28831
Assignees
@cvinayak
Labels
area: Bluetooth bug The issue is a bug, or the PR is fixing a bug priority: medium Medium impact/importance bug

Comments

@jcyrax
Copy link

jcyrax commented Sep 20, 2020

Describe the bug
When updating advertising data with bt_le_adv_update_data I get error and warning message in log: "bt_hci_core: opcode 0x2037 status 0x0d". I'm not using extended advertising.

I debugged the problem to be in ll_adv_aux_ad_data_set where controller updates advertising data and after that tries to start extended advertising even if it is not used, however it doesn't check adv->lll.aux for NULL.

To Reproduce
I'm running on custom board with modifications to zephyr, but I think the problem should be reproducible with any BT board as long as CONFIG_BT_EXT_ADV=y or even by looking at the source.

Expected behavior
bt_le_adv_update_data should return 0.

Impact
Fixed in my fork so no problem for me.

Environment (please complete the following information):

  • OS: Linux
  • Toolchain: gcc-arm-none-eabi-8-2018-q4-major
  • Commit 122bc38 + custom modifications
@jcyrax jcyrax added the bug The issue is a bug, or the PR is fixing a bug label Sep 20, 2020
@cvinayak
Copy link
Contributor

@jcyrax Could you please share a simple sample to reproduce this issue, so that I am able to provide a fix... since you fixed in your fork, you could send a PR too.

Thank you for reporting,

-Vinayak

@MaureenHelm MaureenHelm added the priority: low Low impact/importance bug label Sep 22, 2020
@jcyrax
Copy link
Author

jcyrax commented Sep 22, 2020

I'll try to do that, but it will take at least couple of days.

@J-Montgomery J-Montgomery mentioned this issue Oct 1, 2020
Merged
@cvinayak
Copy link
Contributor

cvinayak commented Oct 1, 2020

Updating legacy advertising data using extended advertising commands (experimental in controller) causes BUS fault. Hence, increasing the issue priority to medium. A PR has been submitted by the reporter.

image

@cvinayak cvinayak added has-pr priority: medium Medium impact/importance bug and removed priority: low Low impact/importance bug labels Oct 1, 2020
J-Montgomery added a commit to J-Montgomery/zephyr that referenced this issue Oct 1, 2020
@J-Montgomery
Bluetooth: controller: Fix Null deref during adv data update
5ebdc2f 
Added a check for adv->lll.aux before starting extended advertising to
fix observed NULL pointer dereference when updating AD data of legacy
advertising.

Fixes zephyrproject-rtos#28544.

Signed-off-by: Jordan Montgomery <[email protected]>
carlescufi pushed a commit that referenced this issue Oct 5, 2020
@J-Montgomery @carlescufi
Bluetooth: controller: Fix Null deref during adv data update
ec9080a 
Added a check for adv->lll.aux before starting extended advertising to
fix observed NULL pointer dereference when updating AD data of legacy
advertising.

Fixes #28544.

Signed-off-by: Jordan Montgomery <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@cvinayak cvinayak

Labels
area: Bluetooth bug The issue is a bug, or the PR is fixing a bug priority: medium Medium impact/importance bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Bluetooth: controller: Fix null pointer deference during adv data update J-Montgomery/zephyr
3 participants
@MaureenHelm @cvinayak @jcyrax