From e8c5405609e355cf9483debffbd09844e4c92900 Mon Sep 17 00:00:00 2001 From: Aleksander Wasaznik Date: Wed, 11 Dec 2024 11:18:31 +0100 Subject: [PATCH] Bluetooth: Controller: Fix headroom reservation for ISO Calling `net_buf_reserve` removed any previous reservation, which includes the reservation by hci_ipc to hold the H4 type byte. This resulted in a out-of-bounds net_buf_push in hci_ipc. This commit also enables asserts in hci_ipc in the audio bsim test, which reveal the out-of-bounds write. Signed-off-by: Aleksander Wasaznik --- subsys/bluetooth/controller/hci/hci_driver.c | 4 ++-- tests/bsim/bluetooth/audio/sysbuild.cmake | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/subsys/bluetooth/controller/hci/hci_driver.c b/subsys/bluetooth/controller/hci/hci_driver.c index 0a655537a4a0..1f856e56f6a8 100644 --- a/subsys/bluetooth/controller/hci/hci_driver.c +++ b/subsys/bluetooth/controller/hci/hci_driver.c @@ -158,8 +158,8 @@ isoal_status_t sink_sdu_alloc_hci(const struct isoal_sink *sink_ctx, struct net_buf *buf = bt_buf_get_rx(BT_BUF_ISO_IN, K_FOREVER); if (buf) { - /* Reserve space for headers */ - net_buf_reserve(buf, SDU_HCI_HDR_SIZE); + /* Increase reserved space for headers */ + net_buf_reserve(buf, SDU_HCI_HDR_SIZE + net_buf_headroom(buf)); sdu_buffer->dbuf = buf; sdu_buffer->size = net_buf_tailroom(buf); diff --git a/tests/bsim/bluetooth/audio/sysbuild.cmake b/tests/bsim/bluetooth/audio/sysbuild.cmake index 5dfd594349c1..e5bd9d9e4255 100644 --- a/tests/bsim/bluetooth/audio/sysbuild.cmake +++ b/tests/bsim/bluetooth/audio/sysbuild.cmake @@ -20,6 +20,7 @@ if(SB_CONFIG_NET_CORE_IMAGE_HCI_IPC) set(${NET_APP}_EXTRA_CONF_FILE ${APP_DIR}/overlay-nrf5340_cpunet_iso-bt_ll_sw_split.conf + ${NET_APP_SRC_DIR}/debug_overlay.conf CACHE INTERNAL "" )