From c0dc21c31559f55861d6fccbd5aae67115f8d2c2 Mon Sep 17 00:00:00 2001
From: Ayush Garg
Date: Thu, 26 Nov 2020 16:58:37 +0530
Subject: [PATCH] Validate GATT handle in CAPI

Validation of GATT handle is missing in few CAPIs (ex. bt_gatt_characteristic_destroy) which leads to coredump sometimes. One such scenario is when application accidently calls bt_gatt_characteristic_destroy even after destroying the GATT server. This change will handle such cases.

Change-Id: Iafb43af73ee25b192bfa673bbde7f96498c1557e
Signed-off-by: Ayush Garg
---
 src/bluetooth-gatt.c | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/src/bluetooth-gatt.c b/src/bluetooth-gatt.c
index 1915e47..0f07527 100644
--- a/src/bluetooth-gatt.c
+++ b/src/bluetooth-gatt.c
@@ -1017,7 +1017,7 @@ static void __bt_gatt_free_characteristic(bt_gatt_h gatt_handle)
 svc_handle.instance_id = service_s->instance_id;
 BT_INFO("Service UUID [%s]", service_s->uuid);
- BT_INFO("Charc Instance ID [%d]", service_s->instance_id);
+ BT_INFO("Service Instance ID [%d]", service_s->instance_id);
 BT_INFO("Charc UUID [%s]", chr->uuid);
 BT_INFO("Charc Instance ID [%d]", chr->instance_id);
@@ -1345,6 +1345,8 @@ int bt_gatt_characteristic_destroy(bt_gatt_h gatt_handle)
 BT_CHECK_INIT_STATUS();
 BT_CHECK_INPUT_PARAMETER(gatt_handle);
+ BT_VALIDATE_GATT_HANDLE(gatt_handle);
+
 if (handle->type == BT_GATT_TYPE_CHARACTERISTIC)
 __bt_gatt_destroy_characteristic(gatt_handle);
 else {
@@ -1363,6 +1365,8 @@ int bt_gatt_descriptor_destroy(bt_gatt_h gatt_handle)
 BT_CHECK_INIT_STATUS();
 BT_CHECK_INPUT_PARAMETER(gatt_handle);
+ BT_VALIDATE_GATT_HANDLE(gatt_handle);
+
 if (handle->type == BT_GATT_TYPE_DESCRIPTOR)
 __bt_gatt_destroy_descriptor(gatt_handle);
 else {
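Review bot: The `BT_VALIDATE_GATT_HANDLE(gatt_handle);` guard added in bt_gatt_characteristic_destroy is a check-then-use, since `handle->type` is dereferenced on the next statement with nothing visible in the hunk that keeps the handle alive in between; the same shape recurs in bt_gatt_descriptor_destroy and in every later hunk of this patch. The macro's definition is not part of the patch, so this is inferred, but if it looks the pointer up among live handles, a handle freed on another thread after the check, or a stale pointer whose address was reused by a newer GATT object, would still pass. I would document that limit next to the first use, for example `/* Rejects handles that are not currently registered; does not protect against concurrent destroy */`, and confirm that the destroy path unregisters the handle before freeing it. The public API documentation should also name the error code these functions now return for an unknown handle. Both function bodies continue outside their hunks.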
@@ -1419,6 +1423,8 @@ int bt_gatt_get_int_value(bt_gatt_h gatt_handle, bt_data_type_int_e type,
 BT_CHECK_INPUT_PARAMETER(gatt_handle);
 BT_CHECK_INPUT_PARAMETER(value); /* LCOV_EXCL_START */
+ BT_VALIDATE_GATT_HANDLE(gatt_handle);
+
 if (handle->type == BT_GATT_TYPE_CHARACTERISTIC) {
 val = chr->value;
 val_len = chr->value_length;
@@ -1482,6 +1488,8 @@ int bt_gatt_get_float_value(bt_gatt_h gatt_handle, bt_data_type_float_e type,
 BT_CHECK_INPUT_PARAMETER(gatt_handle);
 BT_CHECK_INPUT_PARAMETER(value); /* LCOV_EXCL_START */
+ BT_VALIDATE_GATT_HANDLE(gatt_handle);
+
 if (handle->type == BT_GATT_TYPE_CHARACTERISTIC) {
 val = chr->value;
 val_len = chr->value_length;
@@ -1611,6 +1619,8 @@ int bt_gatt_set_int_value(bt_gatt_h gatt_handle, bt_data_type_int_e type,
 BT_CHECK_INPUT_PARAMETER(gatt_handle);
+ BT_VALIDATE_GATT_HANDLE(gatt_handle);
+
 if (handle->type == BT_GATT_TYPE_CHARACTERISTIC) { /* LCOV_EXCL_START */
 val = &chr->value;
 val_len = &chr->value_length;
@@ -1740,6 +1750,8 @@ int bt_gatt_set_float_value(bt_gatt_h gatt_handle, bt_data_type_float_e type,
 BT_CHECK_INPUT_PARAMETER(gatt_handle);
+ BT_VALIDATE_GATT_HANDLE(gatt_handle);
+
 if (handle->type == BT_GATT_TYPE_CHARACTERISTIC) { /* LCOV_EXCL_START */
 val = &chr->value;
 val_len = &chr->value_length;
@@ -1920,6 +1932,8 @@ int bt_gatt_get_uuid(bt_gatt_h gatt_handle, char **uuid)
 BT_CHECK_INPUT_PARAMETER(gatt_handle);
 BT_CHECK_INPUT_PARAMETER(uuid); /* LCOV_EXCL_LINE */
+ BT_VALIDATE_GATT_HANDLE(gatt_handle);
+
 *uuid = g_strdup(handle->uuid); /* LCOV_EXCL_LINE */
 return BT_ERROR_NONE; /* LCOV_EXCL_LINE */
@@ -1935,6 +1949,8 @@ int bt_gatt_get_type(bt_gatt_h gatt_handle, bt_gatt_type_e *gatt_type)
 BT_CHECK_INPUT_PARAMETER(gatt_handle);
 BT_CHECK_INPUT_PARAMETER(gatt_type); /* LCOV_EXCL_LINE */
+ BT_VALIDATE_GATT_HANDLE(gatt_handle);
+
 *gatt_type = handle->type; /* LCOV_EXCL_LINE */
 return BT_ERROR_NONE; /* LCOV_EXCL_LINE */
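Review bot: In bt_gatt_get_int_value the added `BT_VALIDATE_GATT_HANDLE(gatt_handle);` comes directly after the line that carries `/* LCOV_EXCL_START */`, so the new rejection path falls inside the coverage-excluded region; the same placement appears in bt_gatt_get_float_value and in the bt_gatt_client_read_value and bt_gatt_client_write_value hunks. Because this check is what prevents the crash described in the commit message, I would keep it measurable by moving the marker below it, i.e. `BT_CHECK_INPUT_PARAMETER(value);`, then the validation, then `/* LCOV_EXCL_START */` on the `if` line, as bt_gatt_set_int_value already does. A negative test that passes an already destroyed handle to each of these entry points would then show up in the report. Where the matching LCOV_EXCL_STOP sits is outside the hunk.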
@@ -3827,6 +3843,8 @@ int bt_gatt_client_read_value(bt_gatt_h gatt_handle,
 BT_CHECK_INPUT_PARAMETER(gatt_handle);
 BT_CHECK_INPUT_PARAMETER(callback); /* LCOV_EXCL_START */
+ BT_VALIDATE_GATT_HANDLE(gatt_handle);
+
 if (__bt_gatt_client_is_in_progress()) {
 BT_ERR("Operation is in progress");
 return BT_ERROR_NOW_IN_PROGRESS;
@@ -3977,6 +3995,8 @@ int bt_gatt_client_write_value(bt_gatt_h gatt_handle,
 BT_CHECK_INPUT_PARAMETER(gatt_handle);
 BT_CHECK_INPUT_PARAMETER(callback); /* LCOV_EXCL_START */
+ BT_VALIDATE_GATT_HANDLE(gatt_handle);
+
 if (__bt_gatt_client_is_in_progress()) {
 BT_ERR("Operation is in progress");
 return BT_ERROR_NOW_IN_PROGRESS;
--
2.7.4
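Review bot: In bt_gatt_client_read_value, and in bt_gatt_client_write_value below it, the handle is validated only when the request is submitted, while the `callback` parameter and the `BT_ERROR_NOW_IN_PROGRESS` branch suggest the operation completes later. The completion path is not part of this patch, so this is an inference, but if it dereferences the same handle, an application that destroys the client or the characteristic while a request is pending would reach the same crash this commit is fixing. I would repeat the handle lookup in the completion handler before touching the handle and drop the result when it no longer resolves. A comment at this call site such as `/* handle may be destroyed while the request is pending; completion must re-validate */` would record that requirement. Both function bodies start and end outside their hunks.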