Merge branch 'bugfix/fix_blufi_prepare_write_v5.0' into 'release/v5.0'

Isl2017 · Isl2017 · commit 94f3007db051 · 2024-12-18T10:42:03.000+08:00
fix(blufi): Fixed crash issue in Blufi example during prepare write operation (v5.0)

See merge request espressif/esp-idf!35713
diff --git a/components/bt/common/btc/profile/esp/blufi/bluedroid_host/esp_blufi.c b/components/bt/common/btc/profile/esp/blufi/bluedroid_host/esp_blufi.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2015-2022 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -160,20 +160,31 @@ static void blufi_profile_cb(tBTA_GATTS_EVT event, tBTA_GATTS *p_data)
         if (p_data->req_data.p_data->write_req.is_prep) {
             tBTA_GATT_STATUS status = GATT_SUCCESS;
 
-            if (blufi_env.prepare_buf == NULL) {
-                blufi_env.prepare_buf = osi_malloc(BLUFI_PREPAIR_BUF_MAX_SIZE);
-                blufi_env.prepare_len = 0;
-                if (blufi_env.prepare_buf == NULL) {
-                    BLUFI_TRACE_ERROR("Blufi prep no mem\n");
-                    status = GATT_NO_RESOURCES;
+            do {
+                if (p_data->req_data.p_data->write_req.offset > BLUFI_PREPARE_BUF_MAX_SIZE) {
+                   status = ESP_GATT_INVALID_OFFSET;
+                   break;
                 }
-            } else {
-                if (p_data->req_data.p_data->write_req.offset > BLUFI_PREPAIR_BUF_MAX_SIZE) {
-                    status = GATT_INVALID_OFFSET;
-                } else if ((p_data->req_data.p_data->write_req.offset + p_data->req_data.p_data->write_req.len) > BLUFI_PREPAIR_BUF_MAX_SIZE) {
-                    status = GATT_INVALID_ATTR_LEN;
+
+                if ((p_data->req_data.p_data->write_req.offset + p_data->req_data.p_data->write_req.len) > BLUFI_PREPARE_BUF_MAX_SIZE) {
+                   status = ESP_GATT_INVALID_ATTR_LEN;
+                   break;
                 }
-            }
+
+                if (blufi_env.prepare_buf == NULL) {
+                    if (p_data->req_data.p_data->write_req.offset != 0) {
+                        status = GATT_INVALID_OFFSET;
+                        break;
+                    }
+                    blufi_env.prepare_buf = osi_malloc(BLUFI_PREPARE_BUF_MAX_SIZE);
+                    blufi_env.prepare_len = 0;
+                    if (blufi_env.prepare_buf == NULL) {
+                        BLUFI_TRACE_ERROR("Blufi prep no mem\n");
+                        status = GATT_NO_RESOURCES;
+                        break;
+                    }
+                }
+            } while (0);
 
             memset(&rsp, 0, sizeof(tGATTS_RSP));
             rsp.attr_value.handle = p_data->req_data.p_data->write_req.handle;
diff --git a/components/bt/common/btc/profile/esp/blufi/include/blufi_int.h b/components/bt/common/btc/profile/esp/blufi/include/blufi_int.h
@@ -36,7 +36,9 @@ typedef struct {
     UINT32                  trans_id;
     UINT8                   congest;
     UINT16                  frag_size;
+// Deprecated: This macro will be removed in the future
 #define BLUFI_PREPAIR_BUF_MAX_SIZE 1024
+#define BLUFI_PREPARE_BUF_MAX_SIZE 1024
     uint8_t                 *prepare_buf;
     int                     prepare_len;
     /* Control reference */
