Bluetooth: Controller: df: Possible memory overwrite if requested number of CTE is greater than allowed by configuration #45839

Status: Closed
ppryga-nordic opened this issue May 20, 2022 · 0 comments · Fixed by #45838
Labels: area: Bluetooth Controller, area: Bluetooth, bug (The issue is a bug, or the PR is fixing a bug), priority: low (Low impact/importance bug)

@ppryga-nordic (Collaborator) commented:
Describe the bug

The maximum number of CTEs to be sent in a periodic advertising chain is
limited by BT 5.3 Vol 4 Part E, section 7.8.80 and is 16.
The maximum number of sampled CTEs in a periodic advertising chain is
limited by BT 5.3 Vol 4 Part E, section 7.8.82 and is also 16.
Both values are limited by the amount of memory reserved in the Controller
by Kconfigs, respectively: CONFIG_BT_CTLR_DF_PER_ADV_CTE_NUM_MAX and
CONFIG_BT_CTLR_DF_PER_SCAN_CTE_NUM_MAX.

The functions ll_df_set_cl_cte_tx_params and ll_df_set_cl_iq_sampling_enable
check the limits against the values provided by the Bluetooth specification.
That can end with a memory overwrite if the number of requested CTEs is
greater than the number provided in the configuration.

To Reproduce
Steps to reproduce the behavior:

  1. Use the direction_finding_connectionless_tx sample.
  2. Set CONFIG_BT_CTLR_DF_PER_ADV_CTE_NUM_MAX to a value smaller than 16.
  3. Change the code of the sample to request more than CONFIG_BT_CTLR_DF_PER_ADV_CTE_NUM_MAX CTEs.
  4. bt_df_set_adv_cte_tx_param returns with success.

Expected behavior
No memory overwrite.
If the Host requests more CTEs than allowed by the configuration, the Controller responds with an invalid parameter status.

Impact
Medium, related to code that uses direction finding only.
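The following is an added example (not Zephyr's code and not the fix in #45838) that models the two-limit check the issue describes. The Kconfig value, the status code values and the struct layout are assumptions chosen for the illustration; the spec range for CTE_Count (1 to 16) is the one the issue cites from BT 5.3 Vol 4 Part E, section 7.8.80. It shows a check that validates only against the spec range accepting a count larger than the storage reserved by configuration, beside a hardened check that enforces both limits before anything is written.

```c
/* Added example, not Zephyr's own code: models the bounds check described
 * in the issue. All constant values below are assumptions for the example. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Spec range cited by the issue (BT 5.3 Vol 4 Part E, 7.8.80): CTE_Count 0x01..0x10. */
#define BT_CTE_COUNT_MIN 1U
#define BT_CTE_COUNT_MAX 16U

/* Constructed Kconfig value: this build reserves storage for only 4 CTEs. */
#define CONFIG_BT_CTLR_DF_PER_ADV_CTE_NUM_MAX 4U

/* Status values modelled on HCI error codes; the numeric values are assumed here. */
#define STATUS_SUCCESS       0x00U
#define STATUS_INVALID_PARAM 0x12U

/* Per-advertising-set storage sized by the Kconfig, as the issue describes. */
struct cte_tx_cfg {
	uint8_t cte_count;
	uint8_t per_cte_param[CONFIG_BT_CTLR_DF_PER_ADV_CTE_NUM_MAX];
};

/* Check as the issue describes the bug: validates only against the spec range,
 * so counts of 5..16 pass although the reserved storage holds only 4 entries. */
uint8_t cte_count_check_spec_only(uint8_t cte_count)
{
	if (cte_count < BT_CTE_COUNT_MIN || cte_count > BT_CTE_COUNT_MAX) {
		return STATUS_INVALID_PARAM;
	}
	return STATUS_SUCCESS;
}

/* Hardened check: both the spec range and the build-time storage limit must hold. */
uint8_t cte_count_check_hardened(uint8_t cte_count)
{
	if (cte_count < BT_CTE_COUNT_MIN || cte_count > BT_CTE_COUNT_MAX) {
		return STATUS_INVALID_PARAM;
	}
	if (cte_count > CONFIG_BT_CTLR_DF_PER_ADV_CTE_NUM_MAX) {
		return STATUS_INVALID_PARAM;
	}
	return STATUS_SUCCESS;
}

/* Store the parameters only after the hardened check, so the copy length is
 * guaranteed to be <= sizeof(cfg->per_cte_param). Returns an HCI-style status. */
uint8_t cte_tx_params_set(struct cte_tx_cfg *cfg, uint8_t cte_count,
			  const uint8_t *params)
{
	uint8_t status = cte_count_check_hardened(cte_count);

	if (status != STATUS_SUCCESS) {
		return status;
	}
	cfg->cte_count = cte_count;
	memcpy(cfg->per_cte_param, params, cte_count);
	return STATUS_SUCCESS;
}

/* True when the spec-only check accepts a count that exceeds the reserved storage,
 * i.e. exactly the condition under which the original check led to an overwrite. */
bool cte_count_would_overrun(uint8_t cte_count)
{
	return cte_count_check_spec_only(cte_count) == STATUS_SUCCESS &&
	       cte_count > CONFIG_BT_CTLR_DF_PER_ADV_CTE_NUM_MAX;
}

int main(void)
{
	struct cte_tx_cfg cfg = { 0 };
	const uint8_t params[BT_CTE_COUNT_MAX] = { 0 }; /* constructed input */

	for (uint8_t n = 1; n <= BT_CTE_COUNT_MAX; n++) {
		printf("cte_count=%2u spec-only=0x%02x hardened=0x%02x overrun=%d\n", n,
		       cte_count_check_spec_only(n), cte_count_check_hardened(n),
		       (int)cte_count_would_overrun(n));
	}
	printf("set(4)  -> 0x%02x\n", cte_tx_params_set(&cfg, 4, params));
	printf("set(10) -> 0x%02x\n", cte_tx_params_set(&cfg, 10, params));
	return 0;
}
```

The point of keeping the two checks side by side is that the spec limit and the configured limit are independent: a Controller built with a smaller Kconfig value must reject at the configured bound, not the specification bound, and the rejection has to happen before the parameters are copied into fixed-size storage.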

@ppryga-nordic ppryga-nordic added bug The issue is a bug, or the PR is fixing a bug has-pr labels May 20, 2022
@ppryga-nordic ppryga-nordic added this to the v3.1.0 milestone May 20, 2022
@ppryga-nordic ppryga-nordic self-assigned this May 20, 2022
@ppryga-nordic ppryga-nordic changed the title Bluetooth: Controller: df: Fix possible memory overwrite if requested number of CTE is greater than allowed by configuration Bluetooth: Controller: df: Possible memory overwrite if requested number of CTE is greater than allowed by configuration May 20, 2022
@carlescufi carlescufi removed the has-pr label May 24, 2022