Skip to content

Commit 0558335

Browse files
sjancsjanc
committed
nimble/ll: Validate LL_CONNECTION_UPDATE_IND parameters
If values are outside of spec link is disconnected with proper reason code.
1 parent c72c87f commit 0558335

1 file changed

Lines changed: 47 additions & 5 deletions

File tree

nimble/controller/src/ble_ll_ctrl.c

Lines changed: 47 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -2096,6 +2096,47 @@ ble_ll_ctrl_rx_reject_ind(struct ble_ll_conn_sm *connsm, uint8_t *dptr,
20962096
return rsp_opcode;
20972097
}
20982098

2099+
static bool
2100+
ble_ll_conn_chk_conn_update_req(const struct ble_ll_conn_upd_req *req)
2101+
{
2102+
uint32_t timeout_usecs;
2103+
uint32_t min_timeout_usecs;
2104+
2105+
if ((req->interval < BLE_HCI_CONN_ITVL_MIN) ||
2106+
(req->interval > BLE_HCI_CONN_ITVL_MAX) ||
2107+
(req->latency > BLE_HCI_CONN_LATENCY_MAX) ||
2108+
(req->timeout < BLE_HCI_CONN_SPVN_TIMEOUT_MIN) ||
2109+
(req->timeout > BLE_HCI_CONN_SPVN_TIMEOUT_MAX)) {
2110+
return false;
2111+
}
2112+
2113+
/* Supervision timeout (in msecs) must be more than:
2114+
* (1 + connLatency) * connIntervalMax * 1.25 msecs * 2.
2115+
*/
2116+
timeout_usecs = req->timeout;
2117+
timeout_usecs *= (BLE_HCI_CONN_SPVN_TMO_UNITS * 1000);
2118+
min_timeout_usecs = (uint32_t)req->interval * 2 * BLE_LL_CONN_ITVL_USECS;
2119+
min_timeout_usecs *= (1 + req->latency);
2120+
if (timeout_usecs <= min_timeout_usecs) {
2121+
return false;
2122+
}
2123+
2124+
/* The transmitWindowOffset shall be a multiple of 1.25 ms in the range
2125+
* 0 ms to connInterval.
2126+
*/
2127+
if (req->winoffset > req->interval) {
2128+
return false;
2129+
}
2130+
2131+
/* The transmitWindowSize shall be a multiple of 1.25 ms in the range
2132+
* 1.25 ms to the lesser of 10 ms and (connInterval - 1.25 ms).
2133+
*/
2134+
if ((req->winsize < 1) || (req->winsize > min(8, req->interval - 1))) {
2135+
return false;
2136+
}
2137+
2138+
return true;
2139+
}
20992140
/**
21002141
* Called when we receive a connection update event
21012142
*
@@ -2107,7 +2148,6 @@ ble_ll_ctrl_rx_reject_ind(struct ble_ll_conn_sm *connsm, uint8_t *dptr,
21072148
static int
21082149
ble_ll_ctrl_rx_conn_update(struct ble_ll_conn_sm *connsm, uint8_t *dptr)
21092150
{
2110-
uint8_t rsp_opcode;
21112151
uint16_t conn_events;
21122152
struct ble_ll_conn_upd_req *reqdata;
21132153

@@ -2127,9 +2167,11 @@ ble_ll_ctrl_rx_conn_update(struct ble_ll_conn_sm *connsm, uint8_t *dptr)
21272167
reqdata->timeout = get_le16(dptr + 7);
21282168
reqdata->instant = get_le16(dptr + 9);
21292169

2130-
/* XXX: validate them at some point. If they dont check out, we
2131-
return the unknown response */
2132-
rsp_opcode = BLE_ERR_MAX;
2170+
/* Check if parameters are valid */
2171+
if (!ble_ll_conn_chk_conn_update_req(reqdata)) {
2172+
ble_ll_conn_timeout(connsm, BLE_ERR_INV_LMP_LL_PARM);
2173+
return BLE_ERR_MAX;
2174+
}
21332175

21342176
/* If instant is in the past, we have to end the connection */
21352177
conn_events = (reqdata->instant - connsm->event_cntr) & 0xFFFF;
@@ -2154,7 +2196,7 @@ ble_ll_ctrl_rx_conn_update(struct ble_ll_conn_sm *connsm, uint8_t *dptr)
21542196
}
21552197
}
21562198

2157-
return rsp_opcode;
2199+
return BLE_ERR_MAX;
21582200
}
21592201

21602202
void

0 commit comments

Comments
 (0)