AnsweredAssumed Answered

[bug] Wrong sizeof in SimpleBlueNRG_HCI

Question asked by nicolas b on Dec 7, 2017
Latest reply on Dec 19, 2017 by Antonio Vilei

In the files STM32CubeExpansion_BLE1_V3.2.0\Middlewares\ST\STM32_BlueNRG\SimpleBlueNRG_HCI\hci\controller\

bluenrg_hal_aci.c

bluenrg_gap_aci.c

 

We can see some Osal_MemCpy with wrong sizeof. Ex in bluenrg_gap_aci.c:

tBleStatus aci_gap_resolve_private_address_IDB05A1(const tBDAddr private_address, tBDAddr actual_address)
{
  struct hci_request rq;
  gap_resolve_private_address_cp cp;
  gap_resolve_private_address_rp rp;

  Osal_MemCpy(cp.address, private_address, 6);

  Osal_MemSet(&rq, 0, sizeof(rq));
  rq.ogf = OGF_VENDOR_CMD;
  rq.ocf = OCF_GAP_RESOLVE_PRIVATE_ADDRESS;
  rq.cparam = &cp;
  rq.clen = sizeof(cp);
  rq.rparam = &rp;
  rq.rlen = sizeof(rp);
 
  if (hci_send_req(&rq, FALSE) < 0)
    return BLE_STATUS_TIMEOUT;
 
  if(rp.status)
    return rp.status;
 
  Osal_MemCpy(actual_address, rp.address, sizeof(actual_address));  

  return 0;
}

It will return the size of a pointer to uint8_t.

 

It should be sizeof(tBDAddr) or 6.

 

Same in bluenrg_hal_aci.c:

tBleStatus aci_hal_get_link_status(uint8_t link_status[8], uint16_t conn_handle[8])
{
  struct hci_request rq;
  hal_get_link_status_rp rp;
 
  Osal_MemSet(&rq, 0, sizeof(rq));
  rq.ogf = OGF_VENDOR_CMD;
  rq.ocf = OCF_HAL_GET_LINK_STATUS;
  rq.rparam = &rp;
  rq.rlen = sizeof(rp);
 
  if (hci_send_req(&rq, FALSE) < 0)
    return BLE_STATUS_TIMEOUT;
 
  if(rp.status)
    return rp.status;
 
  Osal_MemCpy(link_status,rp.link_status,sizeof(link_status));
  for(int i = 0; i < 8; i++)  
    conn_handle[i] = btohs(rp.conn_handle[i]);
 
  return 0;
}

Should be 8 instead of sizeof(link_status).

Outcomes