
Commit 24bc714

bluetooth-fw/nimble: fix potential NULL access on service discovery
In certain cases, we could call prv_discover_next_dscs() without checking whether context->current_characteristic was NULL, causing a later hardfault. Fixes FIRM-751 Signed-off-by: Gerard Marull-Paretas <gerard@teslabs.com>
1 parent 59b8d64 commit 24bc714

1 file changed

Lines changed: 18 additions & 4 deletions


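--- a/src/bluetooth-fw/nimble/gatt_client_discovery.c
+++ b/src/bluetooth-fw/nimble/gatt_client_discovery.c
@@ -363,13 +363,21 @@ static int prv_find_dsc_cb(uint16_t conn_handle, const struct ble_gatt_error *er
 prv_discover_next_dscs(conn_handle, context);
 } else {
 context->current_service = list_get_next(context->current_service);
-if (context->current_service != NULL) {
+while (context->current_service != NULL) {
 GATTServiceDiscoveryServiceNode *service_node = prv_get_current_service(context);
 
 context->current_characteristic = list_get_head(service_node->characteristics);
 
-prv_discover_next_dscs(conn_handle, context);
-} else {
+if (context->current_characteristic != NULL) {
+prv_discover_next_dscs(conn_handle, context);
+break;
+}
+
+// Service has no characteristics, skip to next service
+context->current_service = list_get_next(context->current_service);
+}
+
+if (context->current_service == NULL) {
 // we're done!
 s_discovery_in_progress = false;
 prv_convert_service_and_notify_os(conn_handle, context);
@@ -440,7 +448,13 @@ static int prv_find_chr_cb(uint16_t conn_handle, const struct ble_gatt_error *er
 GATTServiceDiscoveryServiceNode *service_node = prv_get_current_service(context);
 context->current_characteristic = list_get_head(service_node->characteristics);
 
-prv_discover_next_dscs(conn_handle, context);
+if (context->current_characteristic != NULL) {
+prv_discover_next_dscs(conn_handle, context);
+} else {
+// No characteristics found, discovery complete
+s_discovery_in_progress = false;
+prv_convert_service_and_notify_os(conn_handle, context);
+}
 }
 
 break;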
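Review bot: The new else branch in prv_find_chr_cb (second hunk, `// No characteristics found, discovery complete`) ends the whole discovery as soon as the current service has an empty characteristic list, whereas the new loop in prv_find_dsc_cb (first hunk) skips such a service and carries on with the next one. If prv_find_chr_cb is reached with context->current_service pointing at the first of several services (which the service iteration in prv_find_dsc_cb suggests, but the call site is outside the hunk), a first service without characteristics would silently drop descriptor discovery for every later service and report completion with partial results. Applying the same skip-ahead loop here would make both callbacks agree; better still, that loop could live in one static helper called from both places so the NULL check is not maintained twice. Both hunks sit inside switch bodies whose enclosing functions start and end outside the hunk.
```c
GATTServiceDiscoveryServiceNode *service_node = prv_get_current_service(context);
context->current_characteristic = list_get_head(service_node->characteristics);
// Same rule as prv_find_dsc_cb: a service with no characteristics is
// skipped, not treated as the end of discovery.
while (context->current_characteristic == NULL) {
  context->current_service = list_get_next(context->current_service);
  if (context->current_service == NULL) {
    break;
  }
  service_node = prv_get_current_service(context);
  context->current_characteristic = list_get_head(service_node->characteristics);
}
if (context->current_service != NULL) {
  prv_discover_next_dscs(conn_handle, context);
} else {
  // No service with characteristics remains, discovery complete
  s_discovery_in_progress = false;
  prv_convert_service_and_notify_os(conn_handle, context);
}
// … unchanged: closing brace of the case body and break; …
```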
