From 4d7cd8f23b13d6094413bb3c682d9cc1c9a98380 Mon Sep 17 00:00:00 2001
From: Zhang Hai Peng
Date: Mon, 6 Jan 2025 11:14:02 +0800
Subject: [PATCH 1/4] fix(ble/blufi): Fixed blufi example security issue

(cherry picked from commit 3cb2d9c3c639216afb17f12f3fca4675b0bde30c)

Co-authored-by: zhanghaipeng
---
 .../common/btc/profile/esp/blufi/blufi_prf.c | 24 ++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

diff --git a/components/bt/common/btc/profile/esp/blufi/blufi_prf.c b/components/bt/common/btc/profile/esp/blufi/blufi_prf.c
index 2c7be2127f..81bb030829 100644
--- a/components/bt/common/btc/profile/esp/blufi/blufi_prf.c
+++ b/components/bt/common/btc/profile/esp/blufi/blufi_prf.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2015-2021 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -95,7 +95,29 @@ void btc_blufi_report_error(esp_blufi_error_state_t state)
 void btc_blufi_recv_handler(uint8_t *data, int len)
 {
+    if (len < sizeof(struct blufi_hdr)) {
+        BTC_TRACE_ERROR("%s invalid data length: %d", __func__, len);
+        btc_blufi_report_error(ESP_BLUFI_DATA_FORMAT_ERROR);
+        return;
+    }
+    struct blufi_hdr *hdr = (struct blufi_hdr *)data;
+
+    // Verify if the received data length matches the expected length based on the BLUFI protocol
+    int target_data_len;
+
+    if (BLUFI_FC_IS_CHECK(hdr->fc)) {
+        target_data_len = hdr->data_len + 4 + 2; // Data + (Type + Frame Control + Sequence Number + Data Length) + Checksum
+    } else {
+        target_data_len = hdr->data_len + 4; // Data + (Type + Frame Control + Sequence Number + Data Length)
+    }
+
+    if (len != target_data_len) {
+        BTC_TRACE_ERROR("%s: Invalid data length: %d, expected: %d", __func__, len, target_data_len);
+        btc_blufi_report_error(ESP_BLUFI_DATA_FORMAT_ERROR);
+        return;
+    }
+
     uint16_t checksum, checksum_pkt;
     int ret;

From 41e7f893aa93725cc5b0eb114977ad6de22256f4 Mon Sep 17 00:00:00 2001
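Review bot: The new guard `if (len < sizeof(struct blufi_hdr))` compares the signed `int len` with a `size_t`, so a negative `len` is converted to a large unsigned value and passes that line; it is only rejected afterwards because it cannot equal `target_data_len`. Making the first check self-sufficient also clears the sign-compare warning: `if (len < 0 || (size_t)len < sizeof(struct blufi_hdr)) {`. The literals `4` and `2` in the `target_data_len` arithmetic restate sizes the code already names — the header size used five lines earlier and the `uint16_t checksum_pkt` declared in the context below — so `target_data_len = hdr->data_len + sizeof(struct blufi_hdr) + sizeof(uint16_t);` (and the same without the checksum term in the `else` branch) keeps both checks tied to one definition, provided the struct really is the four one-byte fields the comment lists, which is not visible here. btc_blufi_recv_handler's body continues outside the hunk.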
From: Zhang Hai Peng
Date: Mon, 6 Jan 2025 11:14:04 +0800
Subject: [PATCH 2/4] docs(ble/bluedroid): Optimize doc for registering BLE callback functions

(cherry picked from commit d84ccadf905bcaadcfbdee0b61e8875775ff716f)

Co-authored-by: zhanghaipeng
---
 .../bt/host/bluedroid/api/include/api/esp_gap_ble_api.h | 2 ++
 .../bt/host/bluedroid/api/include/api/esp_gattc_api.h | 2 ++
 .../bt/host/bluedroid/api/include/api/esp_gatts_api.h | 2 ++
 .../bluetooth/bluedroid/ble/gatt_client/main/gattc_demo.c | 6 +++---
 .../bluetooth/bluedroid/ble/gatt_server/main/gatts_demo.c | 2 +-
 5 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/components/bt/host/bluedroid/api/include/api/esp_gap_ble_api.h b/components/bt/host/bluedroid/api/include/api/esp_gap_ble_api.h
index 83fea16a99..bc096abef7 100644
--- a/components/bt/host/bluedroid/api/include/api/esp_gap_ble_api.h
+++ b/components/bt/host/bluedroid/api/include/api/esp_gap_ble_api.h
@@ -1593,6 +1593,8 @@ typedef void (* esp_gap_ble_cb_t)(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_p
  *
  * @param[in] callback: callback function
  *
+ * @note Avoid performing time-consuming operations within the callback functions.
+ *
  * @return
  * - ESP_OK : success
  * - other : failed
diff --git a/components/bt/host/bluedroid/api/include/api/esp_gattc_api.h b/components/bt/host/bluedroid/api/include/api/esp_gattc_api.h
index a4fd3c9574..fe6f2e3cd3 100644
--- a/components/bt/host/bluedroid/api/include/api/esp_gattc_api.h
+++ b/components/bt/host/bluedroid/api/include/api/esp_gattc_api.h
@@ -266,6 +266,8 @@ typedef void (* esp_gattc_cb_t)(esp_gattc_cb_event_t event, esp_gatt_if_t gattc_
  *
  * @param[in] callback : pointer to the application callback function.
  *
+ * @note Avoid performing time-consuming operations within the callback functions.
+ *
  * @return
  * - ESP_OK: success
  * - other: failed
diff --git a/components/bt/host/bluedroid/api/include/api/esp_gatts_api.h b/components/bt/host/bluedroid/api/include/api/esp_gatts_api.h
index 72ff694e4b..5793270afd 100644
--- a/components/bt/host/bluedroid/api/include/api/esp_gatts_api.h
+++ b/components/bt/host/bluedroid/api/include/api/esp_gatts_api.h
@@ -289,6 +289,8 @@ typedef void (* esp_gatts_cb_t)(esp_gatts_cb_event_t event, esp_gatt_if_t gatts_
  * @brief This function is called to register application callbacks
  * with BTA GATTS module.
  *
+ * @note Avoid performing time-consuming operations within the callback functions.
+ *
  * @return
  * - ESP_OK : success
  * - other : failed
diff --git a/examples/bluetooth/bluedroid/ble/gatt_client/main/gattc_demo.c b/examples/bluetooth/bluedroid/ble/gatt_client/main/gattc_demo.c
index 9aca6ad1ab..6a8773aa07 100644
--- a/examples/bluetooth/bluedroid/ble/gatt_client/main/gattc_demo.c
+++ b/examples/bluetooth/bluedroid/ble/gatt_client/main/gattc_demo.c
@@ -493,15 +493,15 @@ void app_main(void)
         ESP_LOGE(GATTC_TAG, "%s enable bluetooth failed: %s", __func__, esp_err_to_name(ret));
         return;
     }
-
-    //register the callback function to the gap module
+    // Note: Avoid performing time-consuming operations within callback functions.
+    // Register the callback function to the gap module
     ret = esp_ble_gap_register_callback(esp_gap_cb);
     if (ret){
         ESP_LOGE(GATTC_TAG, "%s gap register failed, error code = %x", __func__, ret);
         return;
     }
-    //register the callback function to the gattc module
+    // Register the callback function to the gattc module
     ret = esp_ble_gattc_register_callback(esp_gattc_cb);
     if(ret){
         ESP_LOGE(GATTC_TAG, "%s gattc register failed, error code = %x", __func__, ret);
diff --git a/examples/bluetooth/bluedroid/ble/gatt_server/main/gatts_demo.c b/examples/bluetooth/bluedroid/ble/gatt_server/main/gatts_demo.c
index 3b4febab21..eb88a8886b 100644
--- a/examples/bluetooth/bluedroid/ble/gatt_server/main/gatts_demo.c
+++ b/examples/bluetooth/bluedroid/ble/gatt_server/main/gatts_demo.c
@@ -725,7 +725,7 @@ void app_main(void)
         ESP_LOGE(GATTS_TAG, "%s enable bluetooth failed: %s", __func__, esp_err_to_name(ret));
         return;
     }
-
+    // Note: Avoid performing time-consuming operations within callback functions.
     ret = esp_ble_gatts_register_callback(gatts_event_handler);
     if (ret){
         ESP_LOGE(GATTS_TAG, "gatts register error, error code = %x", ret);

From b592934f0a2d2fec441eab29c7ff7ffc7ec51ffa Mon Sep 17 00:00:00 2001
From: Zhang Hai Peng
Date: Mon, 6 Jan 2025 11:14:06 +0800
Subject: [PATCH 3/4] docs(ble/bluedroid): Added BLE log when bond info was deleted

(cherry picked from commit c9cdf51b059abb42f621242efb40234ee536f2ad)

Co-authored-by: zhanghaipeng
---
 components/bt/host/bluedroid/bta/dm/bta_dm_act.c | 4 +++-
 components/bt/host/bluedroid/btc/core/btc_dm.c | 3 +++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/components/bt/host/bluedroid/bta/dm/bta_dm_act.c b/components/bt/host/bluedroid/bta/dm/bta_dm_act.c
index 3940dc308b..d33696e319 100644
--- a/components/bt/host/bluedroid/bta/dm/bta_dm_act.c
+++ b/components/bt/host/bluedroid/bta/dm/bta_dm_act.c
@@ -4972,7 +4972,9 @@ static UINT8 bta_dm_ble_smp_cback (tBTM_LE_EVT event, BD_ADDR bda, tBTM_LE_EVT_D
             if (p_data->complt.reason != 0) {
                 sec_event.auth_cmpl.fail_reason = BTA_DM_AUTH_CONVERT_SMP_CODE(((UINT8)p_data->complt.reason));
                 /* delete this device entry from Sec Dev DB */
-                bta_dm_remove_sec_dev_entry (bda);
+                APPL_TRACE_WARNING("%s remove bond,rsn %d, BDA:0x%02X%02X%02X%02X%02X%02X", __func__, sec_event.auth_cmpl.fail_reason,
+                                   bda[0], bda[1], bda[2], bda[3], bda[4], bda[5]);
+                bta_dm_remove_sec_dev_entry(bda);
             } else {
                 sec_event.auth_cmpl.success = TRUE;
                 if (!p_data->complt.smp_over_br) {
diff --git a/components/bt/host/bluedroid/btc/core/btc_dm.c b/components/bt/host/bluedroid/btc/core/btc_dm.c
index 52dbd77c18..5777df3da0 100644
--- a/components/bt/host/bluedroid/btc/core/btc_dm.c
+++ b/components/bt/host/bluedroid/btc/core/btc_dm.c
@@ -288,6 +288,9 @@ static void btc_dm_ble_auth_cmpl_evt (tBTA_DM_AUTH_CMPL *p_auth_cmpl)
             status = BT_STATUS_AUTH_REJECTED;
             break;
         default:
+            BTC_TRACE_WARNING ("%s, remove bond in flash bd_addr: %08x%04x", __func__,
+                               (p_auth_cmpl->bd_addr[0] << 24) + (p_auth_cmpl->bd_addr[1] << 16) + (p_auth_cmpl->bd_addr[2] << 8) + p_auth_cmpl->bd_addr[3],
+                               (p_auth_cmpl->bd_addr[4] << 8) + p_auth_cmpl->bd_addr[5]);
             btc_dm_remove_ble_bonding_keys();
             status = BT_STATUS_FAIL;
             break;

From 668a2ab2ef2258a2e17b4011fdb8d220b16a48b7 Mon Sep 17 00:00:00 2001
From: Zhang Hai Peng
Date: Mon, 6 Jan 2025 11:14:24 +0800
Subject: [PATCH 4/4] fix(ble/bluedroid): Fixed BLE feature selection configuration

(cherry picked from commit 117aa74705456d69715fcf690a9b5dbc9bce0ce7)

Co-authored-by: zhanghaipeng
---
 components/bt/host/bluedroid/Kconfig.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/components/bt/host/bluedroid/Kconfig.in b/components/bt/host/bluedroid/Kconfig.in
index dc235c2b99..3128c9d86b 100644
--- a/components/bt/host/bluedroid/Kconfig.in
+++ b/components/bt/host/bluedroid/Kconfig.in
@@ -1228,7 +1228,7 @@ config BT_BLE_50_FEATURES_SUPPORTED
 config BT_BLE_42_FEATURES_SUPPORTED
     bool "Enable BLE 4.2 features(please disable BLE 5.0 if enable BLE 4.2)"
-    depends on (BT_BLE_ENABLED && ((BT_CONTROLLER_ENABLED && SOC_BLE_SUPPORTED) || BT_CONTROLLER_DISABLED))
+    depends on (BT_BLE_ENABLED && ((BT_CONTROLLER_ENABLED && SOC_BLE_50_SUPPORTED) || BT_CONTROLLER_DISABLED))
     default n
     help
         This enables BLE 4.2 features.
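Review bot: In the added `BTC_TRACE_WARNING` call, `p_auth_cmpl->bd_addr[0] << 24` shifts the byte after integer promotion to `int`, which is undefined behaviour whenever that byte is 0x80 or above because the result is not representable in a signed `int`. The packing is also unnecessary: printing the six bytes directly is well defined and matches the per-byte `%02X` format the same patch series adds in bta_dm_act.c. Suggest `BTC_TRACE_WARNING ("%s, remove bond in flash bd_addr: %02x%02x%02x%02x%02x%02x", __func__,` followed by `p_auth_cmpl->bd_addr[0], p_auth_cmpl->bd_addr[1], p_auth_cmpl->bd_addr[2], p_auth_cmpl->bd_addr[3], p_auth_cmpl->bd_addr[4], p_auth_cmpl->bd_addr[5]);`, or, if the packed form is kept, cast each byte to `uint32_t` before shifting. The enclosing btc_dm_ble_auth_cmpl_evt starts outside the hunk.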
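Review bot: The changed `depends on` now gates the BLE 4.2 feature option on `SOC_BLE_50_SUPPORTED`, which reads as a contradiction on its own, and nothing in the hunk or the commit message explains it. Presumably targets without BLE 5.0 support have only the 4.2 feature set and need no switch, but that is an inference from the option names. Suggest a comment above the `config` line, e.g. `# Only offered on SoCs that also support BLE 5.0; elsewhere BLE 4.2 is the only feature set`, with the wording confirmed by the author.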