When peer monitor and retransmission timeout are zero, set them to the
default values. This ensures that the monitor timeout is always a valid
value to avoid the L2CAP BR timer work queue hang.
Signed-off-by: Make Shi <make.shi@nxp.com>
HTTP 1.1 server has two ways of indicating the message body length -
either by providing the Content Length header, or by closing the
connection when the entire body has been transmitted.
The second method didn't work with Zephyr's HTTP client implementation,
as EOF on a socket was treated as an error condition. Therefore, if no
Content Length was provided by the server, such transfers would always
end up with ECONNRESET error.
In order to fix this, we need to notify the parser about the EOF on a
socket when connection is closed. It is the parser role to determine
whether the EOF was expected in current state (by marking end of message
flag) or not (by setting an error).
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Remove duplicated check for 'ep->stream == NULL' to clean up conditionals
and avoid unnecessary repeated evaluations.
This cleans up the code and avoids unnecessary repeated condition
evaluation.
Signed-off-by: Gaetan Perrot <gaetan.perrot@spacecubics.com>
Update the socket_service_thread function signature to match the expected
k_thread_entry_t type:
typedef void (*k_thread_entry_t)(void *p1, void *p2, void *p3);
Signed-off-by: Tim Pambor <tim.pambor@codewrights.de>
Fix a bug in zbus_chan_rm_obs() where removing the first observer in a
channel's observer list would cause undefined behavior due to accessing
a member of a NULL pointer.
The issue occurred when prev_obs_nd was NULL (indicating the first node
in the list) and the code attempted to pass &prev_obs_nd->node to
sys_slist_remove(). This resulted in accessing the 'node' member of a
NULL pointer, which is undefined behavior even when taking its address.
The sys_slist_remove() function is designed to handle a NULL prev_node
parameter correctly for removing the first element in a list. The fix
ensures we pass NULL directly instead of attempting to compute the
address of a member within a NULL pointer.
This was detected by Undefined Behavior Sanitizer as "member access
within null pointer".
Signed-off-by: Jan Tore Guggedal <jantore.guggedal@nordicsemi.no>
In coap_well_known_core_get(), move the null check for 'resource' before
applying pointer arithmetic ('resource + 1') to avoid undefined behavior
when 'resource == NULL'.
Signed-off-by: Gaetan Perrot <gaetan.perrot@spacecubics.com>
Socket dispatcher (and offloaded implementations in tests) register
fd as ZVFS_MODE_IFSOCK therefore they should register a close2(
function instead of close().
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
socketpair fd regsiters ZVFS_MODE_IFSOCK therefore it should register a
close2() function instead of close().
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
In case address mode in a packet is none, the address pointer within mhr
struct will not be set. Therefore, the pointer should not be used before
address mode is verified inside ieee802154_check_dst_addr().
This was reported by UBSAN:
subsys/net/l2/ieee802154ieee802154.c:296:41: runtime error: member
access within null pointer of type 'struct ieee802154_address_field'
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Cast uint8_t variable to uint32_t explicitly to avoid implicit cast to
int, and thus potentially undefined behavior, reported by UBSAN:
net_pkt.c:1946:17: runtime error: left shift of 239 by 24 places
cannot be represented in type 'int'
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
In order to avoid alignment issues when casting void pointers to
in(6)_addr structures, create a properly aligned copy of the ip(v6)
address on stack.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
In order to prevent an overflow warning from UBSAN when bitshifting,
cast to uint64_t first before shifting, and then back to uint32_t.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
As struct sockaddr have now alignment of 4 bytes, net_ipaddr_copy()
gives the following error if used for sockaddr:
error: alignment 1 of ‘struct <anonymous>’ is less than 4
[-Werror=packed-not-aligned]
Just use memcpy() instead, net_ipaddr_copy() was intended to use with IP
addresses, not socket related structs.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Rework the IPv4-related code to avoid casting. Use raw variants of
IPv4-related functions whenever possible (especially on the critical
data path).
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
To address the misaligned access issues reported by UBSAN, introduce raw
variant of certain IPv4 functions used in the critical data path of the
network stack, operating on plain uint8_t buffers in stead of IPv4
address struct.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Rework the rest of the IPv6-related code to avoid casting. Use raw
variants of IPv6-related functions whenever possible (especially on the
critical data path). For the routing case, use a copy of the address to
avoid massive rework of the routing module.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
IPv6 Neighbor Discovery interfaces modules like neighbor or routing
tables - converting them to raw variants seems futile. Therefore, for
IPv6 ND case, copy the raw IP address from the packet into the in6_addr
structure, and then pass it to respective functions. Performance
overhead should not be a big problem in such case as those actions are
only performed if a respective ND packet is received.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Refactor local functions to work with byte buffers instead of struct
in6_addr and use switch to use raw variants of functions operating on
IPv6 addresses.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
To address the misaligned access issues reported by UBSAN, introduce raw
variant of certain IPv6 functions used in the critical data path of the
network stack, operating on plain uint8_t buffers in stead of IPv6
address struct.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
The peer uses the RPA address.
A BR connection is created firstly, a subsequent BLE connection is
created secondly, the BR SMP CTKD occur thirdly (The BLE LTK is
derived from BR and the BR SMP distribute peer's IRK and identity address
here), but the BLE LTK is saved to key pool that is not
matched with the previous BLE connection because the derived LTK is saved
with identity address and BLE connection uses RPA. Fix it by: Resolve the
BLE connections' RPA with the derived IRK to find the previous BLE
connections and match the connections with derived LTK key.
Signed-off-by: Mark Wang <yichang.wang@nxp.com>
According to RFC 793, ch 3.9 Event Processing,
after the connection is sync-ed with seqnum of both sides then,
1. drop any received segment if the ACK bit is off.
2. validate the acknum like this:
SND.UNA =< SEG.ACK =< SND.NXT
The ACK validation is done before entering the state-machine, so
remove the flags <ACK> check in the state-machine processing.
Signed-off-by: Shrek Wang <inet_eman@outlook.com>
Channel tx_queue purging on disconnect was inconsistently handled
by the different channels: iso, l2cap, l2cap_br.
iso channels handled purging in the tx_data_pull hook.
l2cap and l2cap_br did the purging in channel delete functions
and did not expect tx_data_pull to be called for a disconnected
channel. Their data_pull functions could return a ptr to a
net_buf that was still on the tx_queue, which is problematic
when the conn tx_processor unrefs the returned buffer resulting
in multiple calls to the buf destroy function.
To make things consistent and correct, remove the code that tries
to purge tx_queues in the tx_processor and only do purging in
the channels themselves when they are deleted/disconnected.
Also refactor and clarify referencing of the net_buf returned
by tx_data_pull. It was confusing who had a reference and
when, which could vary depending on the length of the original
buffer. There are three cases: the buffer length is less
than the tx.mps, greater the mps but less than the mtu so
requiring segementation but not fragmentation, or greater than
both mps and mtu so requiring both segmentation and fragmentation.
The conn layer would increase the refcnt if the length was
greater than the mtu, but not have any awareness of whether
the net_buf was still on the tx_queue or not.
Now it is the tx_data_pull callbacks responsibitity to increment
the reference count if it is returning a pointer to a net_buf
that it is still keeping on the tx_queue for segmentation purposes.
The conn layer will now always transfer that reference into a
fragment view and not conditional it on the length relative to
the mtu, and always decrement the reference to the parent when
the fragment is destroyed.
So there is no risk of decrementing a reference to a net buf
that might still be on a tx_queue, which simplifies error
handling in particular.
Also add error handling paths for when asserts are not enabled.
Signed-off-by: Mike J. Chen <mjchen@google.com>
Fix peripheral role assertion during connection update and
simultaneous flash operations.
prepare_cb: Actual EVENT_OVERHEAD_START_US = 6149
This happens due to instant latency at connection update
where the ticks_at_expire was in the past.
Signed-off-by: Vinayak Kariappa Chettimada <vich@nordicsemi.no>
Write operations are not constant time on nRF54Lx SoCs and
depend on the previous value present versus new value to be
written. Hence, perform no more than one iteration.
Signed-off-by: Vinayak Kariappa Chettimada <vich@nordicsemi.no>
In HFP PTS, cases run fail with the log 'Bluetooth Profile Descriptor
List UUID (0x111E) is missing'.
With this patch, the affected cases can pass correctly.
Signed-off-by: Jiawei Yang <jiawei.yang_1@nxp.com>
This commit fixes the content of the log messages that appear when an
error occurs while applying the pinctrl.
Signed-off-by: Jun Lin <CHLin56@nuvoton.com>
htons() takes uint16_t as argument. Add the 'u' suffix to the
TTL constants to ensure the correct unsigned type is used and to avoid
undefined behavior if these functions are implemented as macros using
bit shifts.
Signed-off-by: Tim Pambor <tim.pambor@codewrights.de>
Verify if the block number isn't negative before processing it, to
prevent potentially undefined behavior. This was reported by the
undefined behavior sanitizer.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
SonarQube reports: cast from 'const struct _snode *' to 'struct _snode *'
drops const qualifier. Fix it by removing the const.
Signed-off-by: Mark Wang <yichang.wang@nxp.com>
(cherry picked from commit 7982ee0df13b7f9e54595f799e32f38c464b0f9e)
1. bt_sdp_discover may be called in two tasks at the same time:
(1) If the 2 calls are for 2 acl conns,
the same session may be new allocated to two acl conns.
(2) If the 2 calls are for the same acl conn, the same session should be
used.
Use the bt_conn_index to map acl conn with session to fix it.
2. fix that bt_sdp_discover may use one session that is disconnecting,
put req to reqs_next and process it after disconnected.
3. remove memset of session, reset each members individually.
Signed-off-by: Mark Wang <yichang.wang@nxp.com>
(cherry picked from commit dcbe5d7dc5d72ce0d2915cf2b291cc84a916a536)
Utilize a code spell-checking tool to scan for and correct spelling errors
in `Kconfig` files within the `soc` and `subsys` directory.
Additionally, incorporates a fix recommended by the reviewer.
Signed-off-by: Pisit Sawangvonganan <pisit@ndrsolution.com>
Ensure that the BR/EDR L2CAP RX MTU is limited to the configured
BT_L2CAP_RX_MTU value during channel configuration.
This change prevent potential buffer overflow issues when receiving
data larger than the configured buffer size.
Signed-off-by: Jiawei Yang <jiawei.yang_1@nxp.com>
The MTU calculation in rfcomm_connected() was incorrectly adding the FCS
size instead of subtracting it.
This could lead to buffer overflows when sending data that exceeds
the actual available space.
Fix the calculation by properly subtracting both the RFCOMM header size and
the FCS size from the L2CAP MTU to get the correct RFCOMM session MTU.
Signed-off-by: Jiawei Yang <jiawei.yang_1@nxp.com>
Some of the Kconfig options did not reflect the actual
requirements from the TMAP spec. Relying on the AUDIO_TX
and AUDIO_RX was misleading, as they could be set by
broadcast configurations when the features required
unicast features.
Signed-off-by: Emil Gydesen <emil.gydesen@nordicsemi.no>
Instead of crashing fail with a message when -test arguments is of
wrong format.
Fixeszephyrproject-rtos/zephyr#91655
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
Use UNALIGNED_MEMBER_ADDR when getting the address of possibly
unaligned structures members instead of attempting to directly
get the address as an offset.
Signed-off-by: Alberto Escolar Piedras <alberto.escolar.piedras@nordicsemi.no>
Use UNALIGNED_MEMBER_ADDR when getting the address of possibly
unaligned structures members instead of attempting to directly
get the address as an offset.
Signed-off-by: Alberto Escolar Piedras <alberto.escolar.piedras@nordicsemi.no>
Use UNALIGNED_MEMBER_ADDR when getting the address of possibly
unaligned structures members instead of attempting to directly
get the address as an offset.
Signed-off-by: Alberto Escolar Piedras <alberto.escolar.piedras@nordicsemi.no>
Use UNALIGNED_MEMBER_ADDR when getting the address of possibly
unaligned structures members instead of attempting to directly
get the address as an offset.
Signed-off-by: Alberto Escolar Piedras <alberto.escolar.piedras@nordicsemi.no>
Use UNALIGNED_MEMBER_ADDR when getting the address of possibly
unaligned structures members instead of attempting to directly
get the address as an offset.
Signed-off-by: Alberto Escolar Piedras <alberto.escolar.piedras@nordicsemi.no>
zperf should only return 'Kbps'. There are still two left-overs
from converting shell prints to 'Kbps'.
Align all prints to make it easier for scripting and parsing
content from console output.
Signed-off-by: Daniel Schultz <d.schultz@phytec.de>
POLLHUP event may be returned even if there is still data to read
and POLLIN is set. To ensure all data is consumed, check for
POLLHUP after handling POLLIN.
https://man7.org/linux/man-pages/man2/poll.2.html
Signed-off-by: Juha Ylinen <juha.ylinen@nordicsemi.no>
The NET_EVENT_WIFI_SIGNAL_CHANGE was not added to net mgmt event queue
so that no scan was triggered, which caused roaming fail. The event
NET_EVENT_WIFI_SIGNAL_CHANGE was dropped because it was not enabled in
WIFI_SHELL_MGMT_EVENTS. After adding NET_EVENT_WIFI_SIGNAL_CHANGE, the
roaming works as expected.
Same issue found on event NET_EVENT_WIFI_NEIGHBOR_REP_COMP for 11k
roaming. Add this event to WIFI_SHELL_MGMT_EVENTS, too.
Signed-off-by: Hui Bai <hui.bai@nxp.com>
Cheng Kai
Make Shi
Robert Lubos
Gaetan Perrot
Tim Pambor
Jan Tore Guggedal
Mark Wang
Shrek Wang
Christoph Mair
Mike J. Chen
Vinayak Kariappa Chettimada
Jiawei Yang
Jun Lin
Florian La Roche
Pisit Sawangvonganan
Emil Gydesen
Anas Nashif
Toon Stegen
Alberto Escolar Piedras
Daniel Schultz
Juha Ylinen
Hui Bai
Doug Young