Bluetooth: Controller: Restrict AD Data to BT_CTLR_ADV_DATA_LEN_MAX

Strictly restrict AD Data length to BT_CTLR_ADV_DATA_LEN_MAX when there can be free bytes in Advertising PDU with common extended header format of less that the maximum 64 bytes. Signed-off-by: Vinayak Kariappa Chettimada <vich@nordicsemi.no>
2022-04-27 19:13:22 +05:30 · 2022-04-27 19:13:22 +05:30 · 3af3c1237c
commit 3af3c1237c
parent d72126d2d9
2 changed files with 26 additions and 9 deletions
--- a/subsys/bluetooth/controller/ll_sw/ull_adv_aux.c
+++ b/subsys/bluetooth/controller/ll_sw/ull_adv_aux.c
@ -313,11 +313,19 @@ uint8_t ll_adv_aux_sr_data_set(uint8_t handle, uint8_t op, uint8_t frag_pref,
 	sr_adi = NULL;
 #endif

+	/* Check Max Advertising Data Length */
+	if (len > CONFIG_BT_CTLR_ADV_DATA_LEN_MAX) {
+		return BT_HCI_ERR_MEM_CAPACITY_EXCEEDED;
+	}
+
 	/* Check if data will fit in remaining space */
 	/* TODO: need aux_chain_ind support */
 	ext_hdr_len = sr_dptr - &sr_com_hdr->ext_hdr_adv_data[0];
 	if ((PDU_AC_EXT_HEADER_SIZE_MIN + ext_hdr_len + len) >
 	    PDU_AC_PAYLOAD_SIZE_MAX) {
+		/* Will use packet too long error to determine fragmenting
+		 * long data
+		 */
 		return BT_HCI_ERR_PACKET_TOO_LONG;
 	}

@ -824,18 +832,22 @@ uint8_t ull_adv_aux_hdr_set_clear(struct ll_adv_set *adv,
 		ad_data = sec_dptr_prev;
 	}

-	/* Add AD len to secondary PDU length */
-	sec_len += ad_len;
+	/* Check Max Advertising Data Length */
+	if (ad_len > CONFIG_BT_CTLR_ADV_DATA_LEN_MAX) {
+		return BT_HCI_ERR_MEM_CAPACITY_EXCEEDED;
+	}

 	/* Check AdvData overflow */
 	/* TODO: need aux_chain_ind support */
-	if (sec_len > PDU_AC_PAYLOAD_SIZE_MAX) {
-		/* FIXME: release allocations */
+	if ((sec_len + ad_len) > PDU_AC_PAYLOAD_SIZE_MAX) {
+		/* Will use packet too long error to determine fragmenting
+		 * long data
+		 */
 		return BT_HCI_ERR_PACKET_TOO_LONG;
 	}

 	/* set the secondary PDU len */
-	sec_pdu->len = sec_len;
+	sec_pdu->len = sec_len + ad_len;

 	/* Start filling pri and sec PDU payload based on flags from here
 	 * ==============================================================
--- a/subsys/bluetooth/controller/ll_sw/ull_adv_sync.c
+++ b/subsys/bluetooth/controller/ll_sw/ull_adv_sync.c
@ -1311,16 +1311,21 @@ uint8_t ull_adv_sync_pdu_set_clear(struct lll_adv_sync *lll_sync,
 		ad_data = NULL;
 	}

-	/* Add AD len to tertiary PDU length */
-	ter_len += ad_len;
+	/* Check Max Advertising Data Length */
+	if (ad_len > CONFIG_BT_CTLR_ADV_DATA_LEN_MAX) {
+		return BT_HCI_ERR_MEM_CAPACITY_EXCEEDED;
+	}

 	/* Check AdvData overflow */
-	if (ter_len > PDU_AC_PAYLOAD_SIZE_MAX) {
+	if ((ter_len + ad_len) > PDU_AC_PAYLOAD_SIZE_MAX) {
+		/* Will use packet too long error to determine fragmenting
+		 * long data
+		 */
 		return BT_HCI_ERR_PACKET_TOO_LONG;
 	}

 	/* set the tertiary PDU len */
-	ter_pdu->len = ter_len;
+	ter_pdu->len = ter_len + ad_len;

 	/* Start filling tertiary PDU payload based on flags from here
 	 * ==============================================================