Bluetooth: HCI: Add validation for le_conn_update_complete() and bt_h…

…ci_le_subrate_change_event() Like 2ca179c, check and warn if incoming HCI event parameters exceed the specification. This helps debugging controllers by detecting the out-of-spec value that shouldn't appear. Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
zephyrproject-rtos · Oct 9, 2024 · 29a7722 · 29a7722
1 parent 9f60075
commit 29a7722
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 0 deletions.
diff --git a/include/zephyr/bluetooth/hci_types.h b/include/zephyr/bluetooth/hci_types.h
@@ -2969,6 +2969,13 @@ struct bt_hci_evt_le_advertising_report {
 	struct bt_hci_evt_le_advertising_info adv_info[0];
 } __packed;
 
+/** All limits according to BT Core Spec v5.4 [Vol 4, Part E]. */
+#define BT_HCI_LE_INTERVAL_MIN 0x0006
+#define BT_HCI_LE_INTERVAL_MAX 0x0c80
+#define BT_HCI_LE_PERIPHERAL_LATENCY_MAX 0x01f3
+#define BT_HCI_LE_SUPERVISON_TIMEOUT_MIN 0x000a
+#define BT_HCI_LE_SUPERVISON_TIMEOUT_MAX 0x0c80
+
 #define BT_HCI_EVT_LE_CONN_UPDATE_COMPLETE      0x03
 struct bt_hci_evt_le_conn_update_complete {
 	uint8_t  status;
@@ -3338,6 +3345,11 @@ struct bt_hci_evt_le_biginfo_adv_report {
 	uint8_t  encryption;
 } __packed;
 
+/** All limits according to BT Core Spec v5.4 [Vol 4, Part E]. */
+#define BT_HCI_LE_SUBRATE_FACTOR_MIN 0x0001
+#define BT_HCI_LE_SUBRATE_FACTOR_MAX 0x01f4
+#define BT_HCI_LE_CONTINUATION_NUM_MAX 0x01f3
+
 #define BT_HCI_EVT_LE_SUBRATE_CHANGE            0x23
 struct bt_hci_evt_le_subrate_change {
 	uint8_t status;

diff --git a/subsys/bluetooth/host/hci_core.c b/subsys/bluetooth/host/hci_core.c
@@ -1929,6 +1929,16 @@ static void le_conn_update_complete(struct net_buf *buf)
 			conn->le.latency = sys_le16_to_cpu(evt->latency);
 			conn->le.timeout = sys_le16_to_cpu(evt->supv_timeout);
 
+			if (!IN_RANGE(conn->le.interval, BT_HCI_LE_INTERVAL_MIN, BT_HCI_LE_INTERVAL_MAX)) {
+				LOG_WRN("interval exceeds the valid range 0x%04x", conn->le.interval);
+			}
+			if (BT_HCI_LE_PERIPHERAL_LATENCY_MAX < conn->le.latency) {
+				LOG_WRN("latency exceeds the valid range 0x%04x", conn->le.latency);
+			}
+			if (!IN_RANGE(conn->le.timeout, BT_HCI_LE_SUPERVISON_TIMEOUT_MIN, BT_HCI_LE_SUPERVISON_TIMEOUT_MAX)) {
+				LOG_WRN("supv_timeout exceeds the valid range 0x%04x", conn->le.timeout);
+			}
+
 #if defined(CONFIG_BT_GAP_AUTO_UPDATE_CONN_PARAMS)
 			atomic_clear_bit(conn->flags,
 					 BT_CONN_PERIPHERAL_PARAM_AUTO_UPDATE);
@@ -2626,6 +2636,19 @@ void bt_hci_le_subrate_change_event(struct net_buf *buf)
 		conn->le.subrate.continuation_number = sys_le16_to_cpu(evt->continuation_number);
 		conn->le.latency = sys_le16_to_cpu(evt->peripheral_latency);
 		conn->le.timeout = sys_le16_to_cpu(evt->supervision_timeout);
+
+		if (!IN_RANGE(conn->le.subrate_factor, BT_HCI_LE_SUBRATE_FACTOR_MIN, BT_HCI_LE_SUBRATE_FACTOR_MAX)) {
+			LOG_WRN("subrate_factor exceeds the valid range %d", conn->le.subrate.factor);
+		}
+		if (BT_HCI_LE_PERIPHERAL_LATENCY_MAX < conn->le.peripheral_latency) {
+			LOG_WRN("peripheral_latency exceeds the valid range 0x%04x", conn->le.peripheral_latency);
+		}
+		if (BT_HCI_LE_CONTINUATION_NUM_MAX < conn->le.continuation_number) {
+			LOG_WRN("continuation_number exceeds the valid range %d", conn->le.continuation_number);
+		}
+		if (!IN_RANGE(conn->le.timeout, BT_HCI_LE_SUPERVISON_TIMEOUT_MIN, BT_HCI_LE_SUPERVISON_TIMEOUT_MAX)) {
+			LOG_WRN("supervision_timeout exceeds the valid range 0x%04x", conn->le.timeout);
+		}
 	}
 
 	params.status = evt->status;