This is an automated email from the ASF dual-hosted git repository. andk pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/mynewt-nimble.git
commit 0c3e1b728c43250bfc73f1ebde68a28c79047597
Author: Andrzej Kaczmarek <andrzej.kaczma...@codecoup.pl>
AuthorDate: Thu Sep 29 01:01:26 2022 +0200
nimble/ll: Fix active scan on aux
We should not allow to free aux_data from pkt_in if there was AUX_SCAN_REQ sent for that pdu as this will result in use-after-free of aux_data when AUX_SCAN_RSP is received. This can happen if we send AUX_SCAN_REQ from isr and then in pkt_in figure out this is a duplicate so we don't want to scan this chain anymore. We should just wait for AUX_SCAN_RSP and stop there.
---
 nimble/controller/src/ble_ll_scan_aux.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/nimble/controller/src/ble_ll_scan_aux.c b/nimble/controller/src/ble_ll_scan_aux.c
index 57d79f92..60b4b5c1 100644
--- a/nimble/controller/src/ble_ll_scan_aux.c
+++ b/nimble/controller/src/ble_ll_scan_aux.c
@@ -1724,12 +1724,14 @@ ble_ll_scan_aux_rx_pkt_in(struct os_mbuf *rxpdu, struct ble_mbuf_hdr *rxhdr)
         aux->hci_state |= BLE_LL_SCAN_AUX_H_DONE;
     }
 
-    /*
-     * If we are done processing this chain and aux scan was not scheduled or
-     * we removed it from scheduler, we can remove aux_data now. Otherwise we
-     * will remove on next pkt_in.
+    /* If we are done processing this chain we can remove aux_data now if:
+     * - we did not send AUX_SCAN_REQ for this PDU
+     * - there was no aux scan scheduled from this PDU
+     * - there was aux scan scheduled from this PDU but we removed it
+     * In other cases, we'll remove aux_data on next pkt_in.
      */
     if ((aux->hci_state & BLE_LL_SCAN_AUX_H_DONE) &&
+        !(rxinfo->flags & BLE_MBUF_HDR_F_SCAN_REQ_TXD) &&
         (!(rxinfo->flags & BLE_MBUF_HDR_F_AUX_PTR_WAIT) ||
          (ble_ll_sched_rmv_elem(&aux->sch) == 0))) {
         ble_ll_scan_aux_free(aux);
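Review bot: With BLE_MBUF_HDR_F_SCAN_REQ_TXD set, the new guard defers the free of aux_data to the pkt_in for AUX_SCAN_RSP; if that response never arrives, releasing aux_data falls to the rx-timeout/window-end path, which is outside this hunk, and if that path does not cover the DONE-but-not-yet-freed case the fix trades the use-after-free for a leak of aux_data — worth confirming. The guard also short-circuits before `ble_ll_sched_rmv_elem(&aux->sch)`, so when both SCAN_REQ_TXD and AUX_PTR_WAIT are set for one PDU the scheduled element is left in the scheduler; presumably the later free path removes it, but that is not visible here. The rewritten comment lists three bullets while the code requires the first and any one of the other two, so making the conjunction explicit would help: `* - we did not send AUX_SCAN_REQ for this PDU, and either:`. The enclosing function ble_ll_scan_aux_rx_pkt_in starts and ends outside the hunk.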