Bluetooth: Fixing UBSAN warning in CTE field parsing in adv.c/scan.c

during local testling, UBSAN reported the following warnings: - bluetooth/host/adv.c:2067:19: runtime error: shift exponent 255 is too large for 32-bit type 'long unsigned int' - bluetooth/host/scan.c:828:18: runtime error: shift exponent 255 is too large for 32-bit type 'long unsigned int' It turned out that we can't use BIT() macro directly on bt_hci_evt_le_per_advertising_report::cte_type field. According to Core Spec, `cte_type = 0xFF` corresponds to `No contstant tone extension`. Added separate function to convert CTE bit field from HCI format to bt_df_cte_type Signed-off-by: Ivan Iushkov <ivan.iushkov@nordicsemi.no>
zephyrproject-rtos · Feb 8, 2024 · b1e9f86 · b1e9f86
1 parent b30d088
commit b1e9f86
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 3 deletions.
diff --git a/subsys/bluetooth/host/adv.c b/subsys/bluetooth/host/adv.c
@@ -2064,7 +2064,7 @@ void bt_hci_le_per_adv_response_report(struct net_buf *buf)
 		response = net_buf_pull_mem(buf, sizeof(struct bt_hci_evt_le_per_adv_response));
 		info.tx_power = response->tx_power;
 		info.rssi = response->rssi;
-		info.cte_type = BIT(response->cte_type);
+		info.cte_type = bt_get_df_cte_type(response->cte_type);
 		info.response_slot = response->response_slot;
 
 		if (buf->len < response->data_length) {

diff --git a/subsys/bluetooth/host/hci_core.c b/subsys/bluetooth/host/hci_core.c
@@ -424,6 +424,22 @@ uint8_t bt_get_phy(uint8_t hci_phy)
 	}
 }
 
+int bt_get_df_cte_type(uint8_t hci_cte_type)
+{
+	switch (hci_cte_type) {
+	case BT_HCI_LE_AOA_CTE:
+		return BT_DF_CTE_TYPE_AOA;
+	case BT_HCI_LE_AOD_CTE_1US:
+		return BT_DF_CTE_TYPE_AOD_1US;
+	case BT_HCI_LE_AOD_CTE_2US:
+		return BT_DF_CTE_TYPE_AOD_2US;
+	case BT_HCI_LE_NO_CTE:
+		return BT_DF_CTE_TYPE_NONE;
+	default:
+		return BT_DF_CTE_TYPE_NONE;
+	}
+}
+
 #if defined(CONFIG_BT_CONN_TX)
 static void hci_num_completed_packets(struct net_buf *buf)
 {

diff --git a/subsys/bluetooth/host/hci_core.h b/subsys/bluetooth/host/hci_core.h
@@ -434,7 +434,14 @@ int bt_le_set_data_len(struct bt_conn *conn, uint16_t tx_octets, uint16_t tx_tim
 int bt_le_set_phy(struct bt_conn *conn, uint8_t all_phys,
 		  uint8_t pref_tx_phy, uint8_t pref_rx_phy, uint8_t phy_opts);
 uint8_t bt_get_phy(uint8_t hci_phy);
-
+/**
+ * @brief Convert CTE type value from HCI format to @ref bt_df_cte_type format.
+ *
+ * @param hci_cte_type   CTE type in an HCI format.
+ *
+ * @return CTE type (@ref bt_df_cte_type).
+ */
+int bt_get_df_cte_type(uint8_t hci_cte_type);
 int bt_le_scan_update(bool fast_scan);
 
 int bt_le_create_conn(const struct bt_conn *conn);

diff --git a/subsys/bluetooth/host/scan.c b/subsys/bluetooth/host/scan.c
@@ -825,7 +825,7 @@ static void bt_hci_le_per_adv_report_common(struct net_buf *buf)
 
 	info.tx_power = evt->tx_power;
 	info.rssi = evt->rssi;
-	info.cte_type = BIT(evt->cte_type);
+	info.cte_type = bt_get_df_cte_type(evt->cte_type);
 	info.addr = &per_adv_sync->addr;
 	info.sid = per_adv_sync->sid;