
Commit fd9f8f4

committed
Merge branch 'bugfix/espat-2446' into 'master'
fix(ESPAT-2446): Fix null pointer crash during periodic advertising scan See merge request application/esp-at!1926
2 parents 6abc547 + 3be1357 commit fd9f8f4


2 files changed

+102
-0
lines changed


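--- a/patches/patch_list.ini
+++ b/patches/patch_list.ini
@@ -90,3 +90,10 @@
 target = esp32c61
 when = after_sdkconfig
 dependency = CONFIG_AT_BLUFI_COMMAND_SUPPORT
+
+[sync-periodic-broadcast.patch]
+description = "[ESPAT-2446] Fix null pointer crash during periodic advertising scan"
+path = esp-idf/components/bt/host/nimble/nimble
+target = esp32c61
+when = after_sdkconfig
+dependency = CONFIG_AT_BLE_COMMAND_SUPPORT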
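Review bot: The new `[sync-periodic-broadcast.patch]` entry is limited to `target = esp32c61`, yet the file it patches, `nimble/host/src/ble_gap.c`, is NimBLE host code and does not look chip-specific. If other BLE-capable targets build against an esp-idf revision with the same unguarded `ble_gap_sync.psync` dereference, they keep the crash; whether they do is not visible from this page. A short comment above the entry saying why only esp32c61 needs the patch would let the next maintainer tell an intentional scope from an oversight.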
Lines changed: 95 additions & 0 deletions
@@ -0,0 +1,95 @@
1+
From c6026127e180d09ef38a0eac28b49c140617b470 Mon Sep 17 00:00:00 2001
2+
From: xiewenxiang <[email protected]>
3+
Date: Mon, 13 Oct 2025 10:46:24 +0800
4+
Subject: [PATCH] bugfix(espat-2446): workaround sync periodic broadcast crash
5+
issue
6+
7+
---
8+
nimble/host/src/ble_gap.c | 37 +++++++++++++++++++++++++++----------
9+
1 file changed, 27 insertions(+), 10 deletions(-)
10+
11+
diff --git a/nimble/host/src/ble_gap.c b/nimble/host/src/ble_gap.c
12+
index 4c0002d53..279f86f51 100644
13+
--- a/nimble/host/src/ble_gap.c
14+
+++ b/nimble/host/src/ble_gap.c
15+
@@ -2304,6 +2304,7 @@ ble_gap_rx_peroidic_adv_sync_estab(const struct ble_hci_ev_le_subev_periodic_adv
16+
struct ble_gap_event event;
17+
ble_gap_event_fn *cb;
18+
void *cb_arg;
19+
+ struct ble_hs_periodic_sync *psync_local;
20+
#if MYNEWT_VAL(BLE_ENABLE_CONN_REATTEMPT) && NIMBLE_BLE_CONNECT
21+
int rc;
22+
#endif
23+
@@ -2316,7 +2317,24 @@ ble_gap_rx_peroidic_adv_sync_estab(const struct ble_hci_ev_le_subev_periodic_adv
24+
25+
BLE_HS_DBG_ASSERT(ble_gap_sync.psync);
26+
27+
+ psync_local = ble_gap_sync.psync;
28+
+
29+
if (!ev->status) {
30+
+
31+
+ if (!psync_local) {
32+
+ cb = ble_gap_sync.cb;
33+
+ cb_arg = ble_gap_sync.cb_arg;
34+
+ ble_gap_sync.op = BLE_GAP_OP_NULL;
35+
+ ble_gap_sync.cb_arg = NULL;
36+
+ ble_gap_sync.psync = NULL;
37+
+ ble_gap_event_listener_call(&event);
38+
+ if (cb) {
39+
+ cb(&event, cb_arg);
40+
+ }
41+
+ ble_hs_unlock();
42+
+ return;
43+
+ }
44+
+
45+
sync_handle = le16toh(ev->sync_handle);
46+
47+
#if MYNEWT_VAL(BLE_ENABLE_CONN_REATTEMPT) && NIMBLE_BLE_CONNECT
48+
@@ -2324,17 +2342,17 @@ ble_gap_rx_peroidic_adv_sync_estab(const struct ble_hci_ev_le_subev_periodic_adv
49+
ble_conn_reattempt.sync_reattempt = 0;
50+
}
51+
#endif
52+
- ble_gap_sync.psync->sync_handle = sync_handle;
53+
- ble_gap_sync.psync->adv_sid = ev->sid;
54+
- memcpy(ble_gap_sync.psync->advertiser_addr.val, ev->peer_addr, 6);
55+
- ble_gap_sync.psync->advertiser_addr.type = ev->peer_addr_type;
56+
+ psync_local->sync_handle = sync_handle;
57+
+ psync_local->adv_sid = ev->sid;
58+
+ memcpy(psync_local->advertiser_addr.val, ev->peer_addr, 6);
59+
+ psync_local->advertiser_addr.type = ev->peer_addr_type;
60+
61+
- ble_gap_sync.psync->cb = ble_gap_sync.cb;
62+
- ble_gap_sync.psync->cb_arg = ble_gap_sync.cb_arg;
63+
+ psync_local->cb = ble_gap_sync.cb;
64+
+ psync_local->cb_arg = ble_gap_sync.cb_arg;
65+
66+
event.periodic_sync.sync_handle = sync_handle;
67+
event.periodic_sync.sid = ev->sid;
68+
- event.periodic_sync.adv_addr = ble_gap_sync.psync->advertiser_addr;
69+
+ event.periodic_sync.adv_addr = psync_local->advertiser_addr;
70+
event.periodic_sync.adv_phy = ev->phy;
71+
event.periodic_sync.per_adv_ival = ev->interval;
72+
event.periodic_sync.adv_clk_accuracy = ev->aca;
73+
@@ -2345,9 +2363,9 @@ ble_gap_rx_peroidic_adv_sync_estab(const struct ble_hci_ev_le_subev_periodic_adv
74+
event.periodic_sync.response_slot_spacing = ev->response_slot_spacing;
75+
#endif
76+
77+
- ble_hs_periodic_sync_insert(ble_gap_sync.psync);
78+
+ ble_hs_periodic_sync_insert(psync_local);
79+
} else {
80+
- ble_hs_periodic_sync_free(ble_gap_sync.psync);
81+
+ ble_hs_periodic_sync_free(psync_local);
82+
#if MYNEWT_VAL(BLE_ENABLE_CONN_REATTEMPT) && NIMBLE_BLE_CONNECT
83+
if (ev->status == BLE_ERR_CONN_ESTABLISHMENT) {
84+
if (ble_conn_reattempt.count < MAX_REATTEMPT_ALLOWED) {
85+
@@ -2385,7 +2403,6 @@ ble_gap_rx_peroidic_adv_sync_estab(const struct ble_hci_ev_le_subev_periodic_adv
86+
87+
ble_gap_sync.op = BLE_GAP_OP_NULL;
88+
ble_gap_sync.cb_arg = NULL;
89+
- ble_gap_sync.cb_arg = NULL;
90+
ble_gap_sync.psync = NULL;
91+
92+
ble_gap_event_listener_call(&event);
93+
--
94+
2.39.5 (Apple Git-154)
95+
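Review bot: In the added `if (!psync_local)` branch the application callback runs while the host lock is still held, because `cb(&event, cb_arg)` comes before `ble_hs_unlock()`; a callback that re-enters a GAP API taking the same lock can then deadlock or trip a lock assertion. Moving the unlock up, `ble_hs_unlock();` followed by `if (cb) { cb(&event, cb_arg); }`, avoids that; the function's normal tail is outside the hunk, so confirm it uses the same order. The branch is entered only when `ev->status` is zero and dispatches `event` without filling `periodic_sync.sync_handle`, so unless the status assigned earlier (not visible here) is overridden, listeners may be told a sync succeeded while holding an unusable handle; setting a non-zero host error such as `event.periodic_sync.status = BLE_HS_EUNKNOWN;` before the dispatch would make the failure explicit. The controller-side sync identified by `ev->sync_handle` is also left without any host record in that branch, which deserves at least a comment, and preferably a terminate request.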
