
Bluetooth: GATT: Fix segfault discover descriptors all UUIDs

Handle optional argument UUID in bt_gatt_discover with type
DISCOVER_DESCRIPTOR; bt_uuid_cmp doesn't check for a NULL pointer.
On a system with an MMU (nrf52_bsim) this can result in a segfault.

Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
joerchan authored and jhedberg committed Jul 10, 2019
1 parent 600c1d6 commit 3bddc20f87f2aa28ade499689532f6be9f7ee865
Showing with 5 additions and 4 deletions.
  1. +5 −4 subsys/bluetooth/host/gatt.c
@@ -2587,10 +2587,11 @@ int bt_gatt_discover(struct bt_conn *conn,
return gatt_read_type(conn, params);
case BT_GATT_DISCOVER_DESCRIPTOR:
/* Only descriptors can be filtered */
if (!bt_uuid_cmp(params->uuid, BT_UUID_GATT_PRIMARY) ||
!bt_uuid_cmp(params->uuid, BT_UUID_GATT_SECONDARY) ||
!bt_uuid_cmp(params->uuid, BT_UUID_GATT_INCLUDE) ||
!bt_uuid_cmp(params->uuid, BT_UUID_GATT_CHRC)) {
if (params->uuid &&
(!bt_uuid_cmp(params->uuid, BT_UUID_GATT_PRIMARY) ||
!bt_uuid_cmp(params->uuid, BT_UUID_GATT_SECONDARY) ||
!bt_uuid_cmp(params->uuid, BT_UUID_GATT_INCLUDE) ||
!bt_uuid_cmp(params->uuid, BT_UUID_GATT_CHRC))) {
return -EINVAL;
}
/* Fallthrough. */
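Review bot: The comment above the new `if (params->uuid &&` condition still reads only "Only descriptors can be filtered" and does not say that a NULL `params->uuid` is a valid input meaning no filter; a one-line comment to that effect would keep a later cleanup from dropping the guard. The guard also covers only this call site, while the commit message says `bt_uuid_cmp` itself does not check for NULL, so it is worth confirming that the case this falls through to never hands a NULL `params->uuid` to `bt_uuid_cmp`, or adding an assertion inside `bt_uuid_cmp`. Since the message ties the crash to targets with an MMU, the same dereference may go unnoticed elsewhere, and a test on nrf52_bsim that runs descriptor discovery with no UUID would catch a recurrence.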
