Skip to content

Bluetooth: Controller: Fix missing conn update ind PDU validation #72608

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 31, 2024
Merged

Bluetooth: Controller: Fix missing conn update ind PDU validation #72608

merged 1 commit into from
May 31, 2024

Conversation

cvinayak
Copy link
Contributor

Fix missing validation of Connection Update Ind PDU. Ignore invalid connection update parameters and let the connection either procedure timeout or supervision timeout if the central switched to using invalid connection parameters.

@cvinayak
Copy link
Contributor Author

cvinayak commented May 11, 2024
edited
Loading

@thoh-ot @erbr-ot @wopu-ot @kruithofa is this behavior to let procedure/supervision timeout an acceptable outcome?
Will have to add/update unit tests accordingly.

@cvinayak cvinayak force-pushed the github_conn_update_ind_param_check branch from 4992255 to f7f65af Compare May 12, 2024 03:36
@erbr-ot
Copy link
Contributor

erbr-ot commented May 13, 2024

I tend to think we should be more pro-active in case of invalid params and disconnect with BT_HCI_ERR_INVALID_LL_PARAM. This could make recovery from a central mistake faster.

@thoh-ot
Copy link
Contributor

thoh-ot commented May 14, 2024

Take at look at how invalid LL_PHY_UPDATE_IND are handled in

zephyr/subsys/bluetooth/controller/ll_sw/ull_llcp_phy.c

Lines 714 to 747 in 99adbad

static void lp_pu_st_wait_rx_phy_update_ind(struct ll_conn *conn, struct proc_ctx *ctx, uint8_t evt,
void *param)
{
switch (evt) {
case LP_PU_EVT_PHY_UPDATE_IND:
LL_ASSERT(conn->lll.role == BT_HCI_ROLE_PERIPHERAL);
llcp_rr_set_incompat(conn, INCOMPAT_RESERVED);
llcp_pdu_decode_phy_update_ind(ctx, (struct pdu_data *)param);
const uint8_t end_procedure = pu_check_update_ind(conn, ctx);
/* Mark RX node to NOT release */
llcp_rx_node_retain(ctx);
if (!end_procedure) {
if (ctx->data.pu.p_to_c_phy) {
/* If periph to central phy changes apply tx timing restriction */
pu_set_timing_restrict(conn, ctx->data.pu.p_to_c_phy);
}
/* Since at least one phy will change,
* stop the procedure response timeout
*/
llcp_lr_prt_stop(conn);
ctx->state = LP_PU_STATE_WAIT_INSTANT;
} else {
llcp_rr_set_incompat(conn, INCOMPAT_NO_COLLISION);
if (ctx->data.pu.error != BT_HCI_ERR_SUCCESS) {
/* Mark the connection for termination */
conn->llcp_terminate.reason_final = ctx->data.pu.error;
}
ctx->data.pu.ntf_pu = ctx->data.pu.host_initiated;
lp_pu_complete(conn, ctx, evt, param);
}

@cvinayak cvinayak force-pushed the github_conn_update_ind_param_check branch from f7f65af to 8e762f6 Compare May 31, 2024 04:28
@cvinayak
Bluetooth: Controller: Fix missing conn update ind PDU validation
e91b3e3 
Fix missing validation of Connection Update Ind PDU. Ignore
invalid connection update parameters and force a silent
local connection termination.

Signed-off-by: Vinayak Kariappa Chettimada <[email protected]>
@cvinayak cvinayak force-pushed the github_conn_update_ind_param_check branch from 8e762f6 to e91b3e3 Compare May 31, 2024 08:00
@cvinayak cvinayak marked this pull request as ready for review May 31, 2024 08:39
@zephyrbot zephyrbot requested review from carlescufi and mtpr-ot May 31, 2024 08:39
Thalley
Thalley approved these changes May 31, 2024
View reviewed changes
Copy link
Contributor

@Thalley Thalley left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes look good, with some minor suggestions for improved readability

subsys/bluetooth/controller/ll_sw/ull_llcp_conn_upd.c
Comment on lines +206 to +212
return (interval_max >= CONN_INTERVAL_MIN(conn)) &&
(interval_max <= CONN_UPDATE_CONN_INTV_4SEC) &&
(latency <= CONN_UPDATE_LATENCY_MAX) &&
(timeout >= CONN_UPDATE_TIMEOUT_100MS) &&
(timeout <= CONN_UPDATE_TIMEOUT_32SEC) &&
((timeout * 4U) > /* *4U re. conn events is equivalent to *2U re. ms */
((latency + 1U) * interval_max));
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggest to make this more readable by using the IN_RANGE macro

subsys/bluetooth/controller/ll_sw/ull_llcp_conn_upd.c
}
#endif /* CONFIG_BT_CTLR_CONN_PARAM_REQ */

static bool cu_check_conn_ind_parameters(struct ll_conn *conn, struct proc_ctx *ctx)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggest to rename check to valid or something.

If a check function returns true, is it really obvious that it's valid?

IMO check works better with int than bool

@carlescufi carlescufi merged commit 4b6d3f1 into zephyrproject-rtos:main May 31, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Thalley Thalley Thalley approved these changes

@carlescufi carlescufi carlescufi approved these changes

@thoh-ot thoh-ot Awaiting requested review from thoh-ot

@erbr-ot erbr-ot Awaiting requested review from erbr-ot

@wopu-ot wopu-ot Awaiting requested review from wopu-ot

@kruithofa kruithofa Awaiting requested review from kruithofa

@mtpr-ot mtpr-ot Awaiting requested review from mtpr-ot

Assignees

@cvinayak cvinayak

Labels
area: Bluetooth Controller area: Bluetooth
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@cvinayak @erbr-ot @thoh-ot @Thalley @carlescufi @zephyrbot