From 525f2a85122a9ffbbdbf70a860596b9ce3c21f83 Mon Sep 17 00:00:00 2001
From: Bob McWhirter
Date: Wed, 25 May 2022 15:42:10 -0400
Subject: Avoid UB around use-after-free and BLE scanning/stopping.

---
 nrf-softdevice/src/ble/central.rs | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/nrf-softdevice/src/ble/central.rs b/nrf-softdevice/src/ble/central.rs
index 86a97a4..e2f6aae 100644
--- a/nrf-softdevice/src/ble/central.rs
+++ b/nrf-softdevice/src/ble/central.rs
@@ -157,13 +157,20 @@ where
 // Buffer to store received advertisement data.
 const BUF_LEN: usize = 256;
- let mut buf = [0u8; BUF_LEN];
- let buf_data = raw::ble_data_t {
- p_data: buf.as_mut_ptr(),
+
+ // Both of these are intentionally static because Softdevice will,
+ // sometimes, write to the buffer after scan_stop() has been
+ // called, somewhere around evt_get().
+ //
+ // This can result in UB as a use-after-free, given the buffer
+ // has been dropped and the scanning has been stopped.
+ static mut BUF: [u8; BUF_LEN] = [0u8; BUF_LEN];
+ static mut BUF_DATA: raw::ble_data_t = raw::ble_data_t {
+ p_data: unsafe { BUF.as_mut_ptr() },
 len: BUF_LEN as u16,
 };
- let ret = unsafe { raw::sd_ble_gap_scan_start(&scan_params, &buf_data) };
+ let ret = unsafe { raw::sd_ble_gap_scan_start(&scan_params, &BUF_DATA) };
 match RawError::convert(ret) {
 Ok(()) => {}
 Err(err) => {
@@ -192,7 +199,7 @@ where
 }
 // Resume scan
- let ret = raw::sd_ble_gap_scan_start(ptr::null(), &buf_data);
+ let ret = raw::sd_ble_gap_scan_start(ptr::null(), &BUF_DATA);
 match RawError::convert(ret) {
 Ok(()) => {}
 Err(err) => {
--
cgit v1.2.3
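Review bot: The `static mut BUF` / `static mut BUF_DATA` pair in the first hunk makes the advertisement buffer process-global, so if this function can be entered a second time while the SoftDevice is still writing the previous scan's data (the very window the commit message describes), two scans share one buffer and the use-after-free becomes a shared-buffer race; the hunk does not show a single-scanner guard, so that invariant should at least be stated next to the statics, e.g. `// SAFETY: at most one scan may be active at a time; the SoftDevice is the sole writer of BUF and may still write after scan_stop(), so the buffer must never be freed.`. The `unsafe { BUF.as_mut_ptr() }` initializer and the `&BUF_DATA` arguments in both hunks form references to a `static mut`, which newer compilers flag under `static_mut_refs`; `p_data: core::ptr::addr_of_mut!(BUF) as *mut u8` and `core::ptr::addr_of!(BUF_DATA)` express the same thing without materializing a reference, assuming the binding takes a raw pointer. Since BUF is no longer re-zeroed per call, bytes past the length the SoftDevice reports are stale from an earlier scan, which is harmless only as long as every consumer honours the reported length rather than reading the full 256 bytes. The enclosing function starts and ends outside both hunks.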