-
Notifications
You must be signed in to change notification settings - Fork 383
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix ble_gap_unpair_oldest_peer to prevent writing to invalid memory #1650
base: master
Are you sure you want to change the base?
Fix ble_gap_unpair_oldest_peer to prevent writing to invalid memory #1650
Conversation
what exactly was the issue? original code retrieves only 1 address so it looks fine. |
|
This function removes 1 bond which is 1st on the returned list and thus it only needs to retrieve that single bond. There's no need to retrieve all bonded devices only to pick 1st one anyway... |
That's correct. However, it's necessary to provide BLE_STORE_MAX_BONDS as a parameter to ble_store_util_bonded_peers to manage the maximum bond count. Subsequently, ble_store_util_iter_unique_peer will be invoked. In this process, when it accesses |
|
But in the Previously, when an array was not used, the function appeared to work, but there was a mismatch between the list count and the actual stored values and it's possible that the data was being stored outside the allocated memory. This changes should resolve the resource exhaustion error and enable the proper deletion of the oldest peer. |
|
The error code rc=6 is returned from |
Again, please point me to exact location in code which returns this error code. I don't see how |
Upon review, I noticed that instead of passing BLE_STORE_MAX_BONDS as the argument for ble_store_util_bonded_peers in ble_gap_unpair_oldest_peer, a hardcoded value of 1 is being used. Consequently, within ble_store_iterate called from ble_store_util_bonded_peers, the callback function ble_store_util_iter_unique_peer is invoked. It returns 1 since set->num_peers >= set->max_peers evaluates to true, causing an overflow. As a result, it updates the set status to BLE_HS_ENOMEM (6) due to resource exhaustion. Thus, this is the place where overflow occurred. These changes should address the resource exhaustion error and enable proper deletion of the oldest peer. |
That behavior is on purpose because we only need single peer returned by |
Okay, earlier when I attempted to bond 3 devices by setting MAX_BOND_COUNT to 2, it didn't work correctly. The correct behavior should be to delete the oldest peer when bonding with the 3rd device. Therefore, I made changes, and now it functions correctly. Additionally, in |
I don't really see how |
Modifications were made for secure handling of bonded peers.
The changes ensures proper handling of bonded peers, preventing unintended memory writes.