From a4c4601e59b6d578be8d1118442db572609d5449 Mon Sep 17 00:00:00 2001
From: zhanghaipeng
Date: Tue, 17 Dec 2024 19:42:06 +0800
Subject: [PATCH 1/3] fix(ble/blufi): Fixed blufi example security issue
---
 .../common/btc/profile/esp/blufi/blufi_prf.c | 24 ++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)
diff --git a/components/bt/common/btc/profile/esp/blufi/blufi_prf.c b/components/bt/common/btc/profile/esp/blufi/blufi_prf.c
index 9620df5ce0..83541d727d 100644
--- a/components/bt/common/btc/profile/esp/blufi/blufi_prf.c
+++ b/components/bt/common/btc/profile/esp/blufi/blufi_prf.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2015-2021 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -95,7 +95,29 @@ void btc_blufi_report_error(esp_blufi_error_state_t state)
 void btc_blufi_recv_handler(uint8_t *data, int len)
 {
+ if (len < sizeof(struct blufi_hdr)) {
+ BTC_TRACE_ERROR("%s invalid data length: %d", __func__, len);
+ btc_blufi_report_error(ESP_BLUFI_DATA_FORMAT_ERROR);
+ return;
+ }
+ struct blufi_hdr *hdr = (struct blufi_hdr *)data;
+
+ // Verify if the received data length matches the expected length based on the BLUFI protocol
+ int target_data_len;
+
+ if (BLUFI_FC_IS_CHECK(hdr->fc)) {
+ target_data_len = hdr->data_len + 4 + 2; // Data + (Type + Frame Control + Sequence Number + Data Length) + Checksum
+ } else {
+ target_data_len = hdr->data_len + 4; // Data + (Type + Frame Control + Sequence Number + Data Length)
+ }
+
+ if (len != target_data_len) {
+ BTC_TRACE_ERROR("%s: Invalid data length: %d, expected: %d", __func__, len, target_data_len);
+ btc_blufi_report_error(ESP_BLUFI_DATA_FORMAT_ERROR);
+ return;
+ }
+
 uint16_t checksum, checksum_pkt;
 int ret;
From d2d3ce7f0c31cd472733aab14852d512f884baef Mon Sep 17 00:00:00 2001
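Review bot: The first guard, `if (len < sizeof(struct blufi_hdr))`, compares the signed `int len` against a `size_t`, so a negative `len` converts to a large unsigned value, passes the check, and `hdr->fc` and `hdr->data_len` are read before the exact `len != target_data_len` comparison would reject it; `if (len < 0 || (size_t)len < sizeof(struct blufi_hdr)) {` closes that gap and also silences -Wsign-compare. The `4` and `2` in the `target_data_len` arithmetic restate sizes the code already knows: if `blufi_hdr` ends in a flexible array member (not visible here), `sizeof(struct blufi_hdr)` and `sizeof(uint16_t)` would tie the expected length to the real layout rather than to the comment. The body of btc_blufi_recv_handler continues past the end of the hunk, so whether the later parsing relies solely on `hdr->data_len` cannot be confirmed from this hunk alone.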
From: zhanghaipeng
Date: Wed, 10 Jul 2024 14:58:34 +0800
Subject: [PATCH 2/3] docs(ble/bluedroid): Optimize doc for registering BLE callback functions
---
 .../bt/host/bluedroid/api/include/api/esp_gap_ble_api.h | 2 ++
 .../bt/host/bluedroid/api/include/api/esp_gattc_api.h | 2 ++
 .../bt/host/bluedroid/api/include/api/esp_gatts_api.h | 2 ++
 .../bluetooth/bluedroid/ble/gatt_client/main/gattc_demo.c | 6 +++---
 .../bluetooth/bluedroid/ble/gatt_server/main/gatts_demo.c | 2 +-
 5 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/components/bt/host/bluedroid/api/include/api/esp_gap_ble_api.h b/components/bt/host/bluedroid/api/include/api/esp_gap_ble_api.h
index 5fd20de0a8..e1a0f325d5 100644
--- a/components/bt/host/bluedroid/api/include/api/esp_gap_ble_api.h
+++ b/components/bt/host/bluedroid/api/include/api/esp_gap_ble_api.h
@@ -1593,6 +1593,8 @@ typedef void (* esp_gap_ble_cb_t)(esp_gap_ble_cb_event_t event, esp_ble_gap_cb_p
 *
 * @param[in] callback: callback function
 *
+ * @note Avoid performing time-consuming operations within the callback functions.
+ *
 * @return
 * - ESP_OK : success
 * - other : failed
diff --git a/components/bt/host/bluedroid/api/include/api/esp_gattc_api.h b/components/bt/host/bluedroid/api/include/api/esp_gattc_api.h
index 0f5b83d351..0d9837a5ca 100644
--- a/components/bt/host/bluedroid/api/include/api/esp_gattc_api.h
+++ b/components/bt/host/bluedroid/api/include/api/esp_gattc_api.h
@@ -272,6 +272,8 @@ typedef void (* esp_gattc_cb_t)(esp_gattc_cb_event_t event, esp_gatt_if_t gattc_
 *
 * @param[in] callback The pointer to the application callback function
 *
+ * @note Avoid performing time-consuming operations within the callback functions.
+ *
 * @return
 * - ESP_OK: Success
 * - ESP_FAIL: Failure
diff --git a/components/bt/host/bluedroid/api/include/api/esp_gatts_api.h b/components/bt/host/bluedroid/api/include/api/esp_gatts_api.h
index 420cc80359..642222104a 100644
--- a/components/bt/host/bluedroid/api/include/api/esp_gatts_api.h
+++ b/components/bt/host/bluedroid/api/include/api/esp_gatts_api.h
@@ -283,6 +283,8 @@ typedef void (* esp_gatts_cb_t)(esp_gatts_cb_event_t event, esp_gatt_if_t gatts_
 *
 * @param[in] callback The pointer to the application callback function
 *
+ * @note Avoid performing time-consuming operations within the callback functions.
+ *
 * @return
 * - ESP_OK: Success
 * - ESP_FAIL: Failure
diff --git a/examples/bluetooth/bluedroid/ble/gatt_client/main/gattc_demo.c b/examples/bluetooth/bluedroid/ble/gatt_client/main/gattc_demo.c
index bde14e5ea8..43873a8bbf 100644
--- a/examples/bluetooth/bluedroid/ble/gatt_client/main/gattc_demo.c
+++ b/examples/bluetooth/bluedroid/ble/gatt_client/main/gattc_demo.c
@@ -483,15 +483,15 @@ void app_main(void)
 ESP_LOGE(GATTC_TAG, "%s enable bluetooth failed: %s\n", __func__, esp_err_to_name(ret));
 return;
 }
-
- //register the callback function to the gap module
+ // Note: Avoid performing time-consuming operations within callback functions.
+ // Register the callback function to the gap module
 ret = esp_ble_gap_register_callback(esp_gap_cb);
 if (ret){
 ESP_LOGE(GATTC_TAG, "%s gap register failed, error code = %x\n", __func__, ret);
 return;
 }
- //register the callback function to the gattc module
+ // Register the callback function to the gattc module
 ret = esp_ble_gattc_register_callback(esp_gattc_cb);
 if(ret){
 ESP_LOGE(GATTC_TAG, "%s gattc register failed, error code = %x\n", __func__, ret);
diff --git a/examples/bluetooth/bluedroid/ble/gatt_server/main/gatts_demo.c b/examples/bluetooth/bluedroid/ble/gatt_server/main/gatts_demo.c
index 244938b151..b31b86ec02 100644
--- a/examples/bluetooth/bluedroid/ble/gatt_server/main/gatts_demo.c
+++ b/examples/bluetooth/bluedroid/ble/gatt_server/main/gatts_demo.c
@@ -718,7 +718,7 @@ void app_main(void)
 ESP_LOGE(GATTS_TAG, "%s enable bluetooth failed: %s\n", __func__, esp_err_to_name(ret));
 return;
 }
-
+ // Note: Avoid performing time-consuming operations within callback functions.
 ret = esp_ble_gatts_register_callback(gatts_event_handler);
 if (ret){
 ESP_LOGE(GATTS_TAG, "gatts register error, error code = %x", ret);
From b5b9f9559e16d18b60b0fcdc76fbbad23b8cbfc6 Mon Sep 17 00:00:00 2001
From: zhanghaipeng
Date: Wed, 18 Dec 2024 11:49:53 +0800
Subject: [PATCH 3/3] docs(ble/bluedroid): Added BLE log when bond info was deleted
---
 components/bt/host/bluedroid/bta/dm/bta_dm_act.c | 4 +++-
 components/bt/host/bluedroid/btc/core/btc_dm.c | 3 +++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/components/bt/host/bluedroid/bta/dm/bta_dm_act.c b/components/bt/host/bluedroid/bta/dm/bta_dm_act.c
index 8d88f98af3..755e9bb881 100644
--- a/components/bt/host/bluedroid/bta/dm/bta_dm_act.c
+++ b/components/bt/host/bluedroid/bta/dm/bta_dm_act.c
@@ -4875,7 +4875,9 @@ static UINT8 bta_dm_ble_smp_cback (tBTM_LE_EVT event, BD_ADDR bda, tBTM_LE_EVT_D
 if (p_data->complt.reason != 0) {
 sec_event.auth_cmpl.fail_reason = BTA_DM_AUTH_CONVERT_SMP_CODE(((UINT8)p_data->complt.reason));
 /* delete this device entry from Sec Dev DB */
- bta_dm_remove_sec_dev_entry (bda);
+ APPL_TRACE_WARNING("%s remove bond,rsn %d, BDA:0x%02X%02X%02X%02X%02X%02X", __func__, sec_event.auth_cmpl.fail_reason,
+ bda[0], bda[1], bda[2], bda[3], bda[4], bda[5]);
+ bta_dm_remove_sec_dev_entry(bda);
 } else {
 sec_event.auth_cmpl.success = TRUE;
 if (!p_data->complt.smp_over_br) {
diff --git a/components/bt/host/bluedroid/btc/core/btc_dm.c b/components/bt/host/bluedroid/btc/core/btc_dm.c
index 9838dc0651..27e0b601b2 100644
--- a/components/bt/host/bluedroid/btc/core/btc_dm.c
+++ b/components/bt/host/bluedroid/btc/core/btc_dm.c
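Review bot: The new APPL_TRACE_WARNING prints the peer address as six `%02X` bytes after `0x`, while the companion log added in btc_dm.c (the next hunk) prints the same address as `%08x%04x` assembled from shifted bytes, so the two lines written for one failed pairing cannot be matched with a simple search; the btc_dm.c message should use the same six-byte form, e.g. `"%s remove bond in flash, BDA:0x%02X%02X%02X%02X%02X%02X"`. The message text `"%s remove bond,rsn %d, BDA:..."` would also read better with a space after the comma and `reason` spelled out. Both traces emit the full peer address at warning level on every authentication failure; if warning traces stay enabled in release builds, that is worth weighing against the project's existing policy on logging peer addresses. bta_dm_ble_smp_cback begins and ends outside this hunk.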
@@ -293,6 +293,9 @@ static void btc_dm_ble_auth_cmpl_evt (tBTA_DM_AUTH_CMPL *p_auth_cmpl)
 status = BT_STATUS_AUTH_REJECTED;
 break;
 default:
+ BTC_TRACE_WARNING ("%s, remove bond in flash bd_addr: %08x%04x", __func__,
+ (p_auth_cmpl->bd_addr[0] << 24) + (p_auth_cmpl->bd_addr[1] << 16) + (p_auth_cmpl->bd_addr[2] << 8) + p_auth_cmpl->bd_addr[3],
+ (p_auth_cmpl->bd_addr[4] << 8) + p_auth_cmpl->bd_addr[5]);
 btc_dm_remove_ble_bonding_keys();
 status = BT_STATUS_FAIL;
 break;
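Review bot: `(p_auth_cmpl->bd_addr[0] << 24)` shifts an `int` (the address byte is promoted before the shift), so any first byte of 0x80 or above moves a 1 into the sign bit, which is undefined behaviour in C11 and is reported by `-fsanitize=undefined`; `%08x` also expects an `unsigned int`, not the `int` that the additions produce. Casting each byte before shifting and combining with `|` keeps the value well-defined: `((uint32_t)p_auth_cmpl->bd_addr[0] << 24) | ((uint32_t)p_auth_cmpl->bd_addr[1] << 16) | ((uint32_t)p_auth_cmpl->bd_addr[2] << 8) | p_auth_cmpl->bd_addr[3],` and `((uint32_t)p_auth_cmpl->bd_addr[4] << 8) | p_auth_cmpl->bd_addr[5]);`. This assumes `bd_addr` holds 8-bit unsigned values, as `BD_ADDR` does elsewhere in this series; confirm against the struct definition. btc_dm_ble_auth_cmpl_evt starts before this hunk.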