
[bug] Wrong sizeof in SimpleBlueNRG_HCI

nicolas b
Associate III
Posted on December 07, 2017 at 15:43

In the files STM32CubeExpansion_BLE1_V3.2.0\Middlewares\ST\STM32_BlueNRG\SimpleBlueNRG_HCI\hci\controller\bluenrg_hal_aci.c and bluenrg_gap_aci.c we can see some Osal_MemCpy calls with a wrong sizeof. Example in bluenrg_gap_aci.c:

tBleStatus aci_gap_resolve_private_address_IDB05A1(const tBDAddr private_address, tBDAddr actual_address)
{
  struct hci_request rq;
  gap_resolve_private_address_cp cp;
  gap_resolve_private_address_rp rp;

  Osal_MemCpy(cp.address, private_address, 6);
  Osal_MemSet(&rq, 0, sizeof(rq));
  rq.ogf = OGF_VENDOR_CMD;
  rq.ocf = OCF_GAP_RESOLVE_PRIVATE_ADDRESS;
  rq.cparam = &cp;
  rq.clen = sizeof(cp);
  rq.rparam = &rp;
  rq.rlen = sizeof(rp);

  if (hci_send_req(&rq, FALSE) < 0)
    return BLE_STATUS_TIMEOUT;

  if(rp.status)
    return rp.status;

  /* BUG: actual_address is a pointer inside this function, so sizeof() is the pointer size, not 6 */
  Osal_MemCpy(actual_address, rp.address, sizeof(actual_address));
  return 0;
}

It will return the size of a pointer to uint8_t.

It should be sizeof(tBDAddr) or 6.

Same in bluenrg_hal_aci.c:

tBleStatus aci_hal_get_link_status(uint8_t link_status[8], uint16_t conn_handle[8])
{
  struct hci_request rq;
  hal_get_link_status_rp rp;

  Osal_MemSet(&rq, 0, sizeof(rq));
  rq.ogf = OGF_VENDOR_CMD;
  rq.ocf = OCF_HAL_GET_LINK_STATUS;
  rq.rparam = &rp;
  rq.rlen = sizeof(rp);

  if (hci_send_req(&rq, FALSE) < 0)
    return BLE_STATUS_TIMEOUT;

  if(rp.status)
    return rp.status;

  /* BUG: link_status[8] decays to uint8_t*, so sizeof() is the pointer size, not 8 */
  Osal_MemCpy(link_status, rp.link_status, sizeof(link_status));
  for(int i = 0; i < 8; i++)
    conn_handle[i] = btohs(rp.conn_handle[i]);

  return 0;
}

Should be 8 instead of sizeof(link_status).

#bluenrg-ms #hci #aci #ble #bluengr #spbtle-rf
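To make the defect concrete, here is an added stand-alone example (not code from the BlueNRG package or from the poster) showing that sizeof on an array-typed parameter yields the pointer size, and the corrected copy that uses sizeof(tBDAddr). The response struct and the address bytes are constructed stand-ins for the real gap_resolve_private_address_rp.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint8_t tBDAddr[6];          /* same shape as the BlueNRG type: a 6-byte address */

/* Constructed stand-in for gap_resolve_private_address_rp from the post. */
typedef struct {
    uint8_t status;
    tBDAddr address;
} resolve_rp_t;

/* An array-typed parameter decays to a pointer, so this returns sizeof(uint8_t *):
 * 4 on a 32-bit Cortex-M, 8 on a 64-bit host, never 6.
 * GCC and Clang flag this pattern with -Wsizeof-array-argument. */
size_t sizeof_of_array_param(tBDAddr actual_address)
{
    return sizeof(actual_address);
}

/* sizeof on the typedef (or the literal 6) yields the real byte count. */
size_t sizeof_of_array_type(void)
{
    return sizeof(tBDAddr);
}

/* Corrected copy: sized by the type, not by the decayed parameter. Returns bytes copied. */
size_t copy_address_fixed(const resolve_rp_t *rp, tBDAddr actual_address)
{
    memcpy(actual_address, rp->address, sizeof(tBDAddr));
    return sizeof(tBDAddr);
}

/* Verifies that the fixed copy reproduces every byte of the response address. */
int fixed_copy_is_complete(void)
{
    const resolve_rp_t rp = { 0x00, { 0xC0, 0xDE, 0x11, 0x22, 0x33, 0x44 } }; /* constructed sample */
    tBDAddr out = { 0 };
    copy_address_fixed(&rp, out);
    return memcmp(out, rp.address, sizeof(tBDAddr)) == 0;
}

/* Shows the length the buggy call would use never matches the 6 bytes it must copy:
 * on a 32-bit target (pointer = 4) the last 2 bytes of actual_address stay stale;
 * on a 64-bit target (pointer = 8) it over-reads rp.address and over-writes the output. */
int buggy_len_mismatches(void)
{
    tBDAddr dummy = { 0 };
    return sizeof_of_array_param(dummy) != sizeof_of_array_type();
}
```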
Antonio Vilei
Senior III
Posted on December 19, 2017 at 12:29

Thanks for reporting this. It will be fixed in the next release of the package.