Merge branch 'fix/blufi_example_mem_access_v5.0' into 'release/v5.0'

fix(ble/blufi): Fixed blufi example security issue (v5.0)

See merge request espressif/esp-idf!36160
Island 2025-02-12 15:02:33 +08:00
commit 8dde4f9233
8 changed files with 39 additions and 6 deletions


@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2015-2021 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@ -95,7 +95,29 @@ void btc_blufi_report_error(esp_blufi_error_state_t state)
void btc_blufi_recv_handler(uint8_t *data, int len)
{
if (len < sizeof(struct blufi_hdr)) {
BTC_TRACE_ERROR("%s invalid data length: %d", __func__, len);
btc_blufi_report_error(ESP_BLUFI_DATA_FORMAT_ERROR);
return;
}
struct blufi_hdr *hdr = (struct blufi_hdr *)data;
// Verify if the received data length matches the expected length based on the BLUFI protocol
int target_data_len;
if (BLUFI_FC_IS_CHECK(hdr->fc)) {
target_data_len = hdr->data_len + 4 + 2; // Data + (Type + Frame Control + Sequence Number + Data Length) + Checksum
} else {
target_data_len = hdr->data_len + 4; // Data + (Type + Frame Control + Sequence Number + Data Length)
}
if (len != target_data_len) {
BTC_TRACE_ERROR("%s: Invalid data length: %d, expected: %d", __func__, len, target_data_len);
btc_blufi_report_error(ESP_BLUFI_DATA_FORMAT_ERROR);
return;
}
uint16_t checksum, checksum_pkt;
int ret;
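Review bot: The guard `if (len < sizeof(struct blufi_hdr))` compares a signed `int len` with a `size_t`, so a negative `len` converts to a large unsigned value and slips past this first check; it is only rejected further down by `len != target_data_len`, which makes the header-size guard depend on a later check instead of standing on its own. Making it explicit, `if (len < 0 || (size_t)len < sizeof(struct blufi_hdr))`, keeps the early rejection intact even if the exact-length comparison is ever relaxed. The `4` and `2` in the `target_data_len` arithmetic are explained only in trailing comments; a named constant (placeholder name `BLUFI_HDR_LEN`) declared next to `struct blufi_hdr` would tie the framing size to the header definition rather than to a comment. btc_blufi_recv_handler continues past the end of the hunk, so the checksum verification that presumably consumes `checksum` and `checksum_pkt` is not visible here.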


@ -1593,6 +1593,8 @@ typedef void (* esp_gap_ble_cb_t)(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_p
*
* @param[in] callback: callback function
*
* @note Avoid performing time-consuming operations within the callback functions.
*
* @return
* - ESP_OK : success
* - other : failed


@ -272,6 +272,8 @@ typedef void (* esp_gattc_cb_t)(esp_gattc_cb_event_t event, esp_gatt_if_t gattc_
*
* @param[in] callback The pointer to the application callback function
*
* @note Avoid performing time-consuming operations within the callback functions.
*
* @return
* - ESP_OK: Success
* - ESP_FAIL: Failure


@ -283,6 +283,8 @@ typedef void (* esp_gatts_cb_t)(esp_gatts_cb_event_t event, esp_gatt_if_t gatts_
*
* @param[in] callback The pointer to the application callback function
*
* @note Avoid performing time-consuming operations within the callback functions.
*
* @return
* - ESP_OK: Success
* - ESP_FAIL: Failure


@ -4875,7 +4875,9 @@ static UINT8 bta_dm_ble_smp_cback (tBTM_LE_EVT event, BD_ADDR bda, tBTM_LE_EVT_D
if (p_data->complt.reason != 0) {
sec_event.auth_cmpl.fail_reason = BTA_DM_AUTH_CONVERT_SMP_CODE(((UINT8)p_data->complt.reason));
/* delete this device entry from Sec Dev DB */
bta_dm_remove_sec_dev_entry (bda);
APPL_TRACE_WARNING("%s remove bond,rsn %d, BDA:0x%02X%02X%02X%02X%02X%02X", __func__, sec_event.auth_cmpl.fail_reason,
bda[0], bda[1], bda[2], bda[3], bda[4], bda[5]);
bta_dm_remove_sec_dev_entry(bda);
} else {
sec_event.auth_cmpl.success = TRUE;
if (!p_data->complt.smp_over_br) {
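Review bot: The comment `/* delete this device entry from Sec Dev DB */` now sits above the new `APPL_TRACE_WARNING` instead of above `bta_dm_remove_sec_dev_entry(bda);`, so it reads as if it described the log call; move it to directly precede the removal, or fold its wording into the log message. The trace prints the complete peer address at warning level on every failed pairing, which is helpful for diagnosing unexpected bond removal but is also a persistent device identifier, so it is worth confirming that this log level (rather than debug) is the intended place for it; the btc_dm_ble_auth_cmpl_evt hunk in this commit adds the same address logging on its own bond-removal path. `sec_event.auth_cmpl.fail_reason` is printed with `%d`; if that field is not `int`-compatible the specifier should follow its declaration, which is not visible in this hunk. bta_dm_ble_smp_cback starts before the hunk and continues after it.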


@ -293,6 +293,9 @@ static void btc_dm_ble_auth_cmpl_evt (tBTA_DM_AUTH_CMPL *p_auth_cmpl)
status = BT_STATUS_AUTH_REJECTED;
break;
default:
BTC_TRACE_WARNING ("%s, remove bond in flash bd_addr: %08x%04x", __func__,
(p_auth_cmpl->bd_addr[0] << 24) + (p_auth_cmpl->bd_addr[1] << 16) + (p_auth_cmpl->bd_addr[2] << 8) + p_auth_cmpl->bd_addr[3],
(p_auth_cmpl->bd_addr[4] << 8) + p_auth_cmpl->bd_addr[5]);
btc_dm_remove_ble_bonding_keys();
status = BT_STATUS_FAIL;
break;
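Review bot: `p_auth_cmpl->bd_addr[0] << 24` shifts a value promoted to signed `int` (assuming `bd_addr` holds 8-bit bytes, as the `%02X` per-byte formatting of the same address elsewhere in this commit suggests); for any first byte of 0x80 or above the result is not representable in `int`, which is undefined behavior in C11 (6.5.7), and the sum is then passed to `%08x`, which expects `unsigned int`. Cast each byte before shifting so the whole expression is unsigned: `((uint32_t)p_auth_cmpl->bd_addr[0] << 24) + ((uint32_t)p_auth_cmpl->bd_addr[1] << 16) + ((uint32_t)p_auth_cmpl->bd_addr[2] << 8) + p_auth_cmpl->bd_addr[3]`, and likewise for the low 16-bit half. This path also logs the full peer address at warning level on every unclassified failure; that is consistent with the bta_dm hunk but worth a deliberate decision on log level, since the address is a persistent device identifier. btc_dm_ble_auth_cmpl_evt starts before the hunk and the enclosing `switch` continues after it.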


@ -483,15 +483,15 @@ void app_main(void)
ESP_LOGE(GATTC_TAG, "%s enable bluetooth failed: %s\n", __func__, esp_err_to_name(ret));
return;
}
//register the callback function to the gap module
// Note: Avoid performing time-consuming operations within callback functions.
// Register the callback function to the gap module
ret = esp_ble_gap_register_callback(esp_gap_cb);
if (ret){
ESP_LOGE(GATTC_TAG, "%s gap register failed, error code = %x\n", __func__, ret);
return;
}
//register the callback function to the gattc module
// Register the callback function to the gattc module
ret = esp_ble_gattc_register_callback(esp_gattc_cb);
if(ret){
ESP_LOGE(GATTC_TAG, "%s gattc register failed, error code = %x\n", __func__, ret);


@ -718,7 +718,7 @@ void app_main(void)
ESP_LOGE(GATTS_TAG, "%s enable bluetooth failed: %s\n", __func__, esp_err_to_name(ret));
return;
}
// Note: Avoid performing time-consuming operations within callback functions.
ret = esp_ble_gatts_register_callback(gatts_event_handler);
if (ret){
ESP_LOGE(GATTS_TAG, "gatts register error, error code = %x", ret);