
ANCS array index bug

I got a hardfault crash in the ANCS code when an invalid ANCS notification was received from the phone: attr_id_parse() read 195 as attr_id and used that as an index into the ancs_attr_list array, which resulted in an illegal memory access.

Here is a patch that fixes this:

diff --git a/SDK/components/ble/ble_services/ble_ancs_c/ble_ancs_c.c b/SDK/components/ble/ble_services/ble_ancs_c/ble_ancs_c.c
index e43b70c..ccd6d8f 100644
--- a/SDK/components/ble/ble_services/ble_ancs_c/ble_ancs_c.c
+++ b/SDK/components/ble/ble_services/ble_ancs_c/ble_ancs_c.c
@@ -284,6 +284,11 @@ static ble_ancs_c_parse_state_t attr_id_parse(ble_ancs_c_t * p_ancs,
                                               uint32_t * index)
 {
     p_ancs->evt.attr.attr_id     = (ble_ancs_c_notif_attr_id_values_t) p_data_src[(*index)++];
+    if (p_ancs->evt.attr.attr_id >= BLE_ANCS_NB_OF_ATTRS) {
+        NRF_LOG_INFO("Invalid Attribute ID\r\n");
+        return DONE;
+    }
+
     p_ancs->evt.attr.p_attr_data = p_ancs->ancs_attr_list[p_ancs->evt.attr.attr_id].p_attr_data;
 
     if (p_ancs->expected_number_of_attrs == 0)
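Review bot: Returning DONE right after the new bounds check in attr_id_parse() stops parsing this packet but leaves the rest of the parser state untouched, in particular `p_ancs->expected_number_of_attrs`, which the following line still relies on, so the next notification from the peer may be interpreted against stale state; consider resetting the parse state (and the remaining-attribute counter) before returning, or returning a dedicated error state and letting the caller reset, so a malformed packet cannot desynchronise the parser. The check itself is the right mitigation, since `attr_id` comes straight from peer-controlled `p_data_src` and `ancs_attr_list` is indexed with it unchecked; one small point is that the cast to `ble_ancs_c_notif_attr_id_values_t` happens before the comparison, so comparing the raw byte against `BLE_ANCS_NB_OF_ATTRS` first (e.g. `uint8_t attr_id = p_data_src[(*index)++]; if (attr_id >= BLE_ANCS_NB_OF_ATTRS) { ... }`) avoids any dependence on the enum's underlying type. Finally, a rejected peer message is a warning rather than informational, so `NRF_LOG_WARNING` would be the more appropriate level for this line.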
-- 