Hi,
I noticed a bug in ble_ancs_c.c where it will write NULL-termination outside the attribute buffers added with ble_ancs_c_attr_add(). When the received ANCS notification string doesn't fit in the buffer the code in attr_data_parse() detects this, but writes NULL termination at attr_data[attr_len] instead of at attr_len - 1.
Patch to fix this in SDK 12.1 (bug is present at least since SDK 9):
---
SDK/components/ble/ble_services/ble_ancs_c/ble_ancs_c.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/SDK/components/ble/ble_services/ble_ancs_c/ble_ancs_c.c b/SDK/components/ble/ble_services/ble_ancs_c/ble_ancs_c.c
index e9c584a..42de178 100644
--- a/SDK/components/ble/ble_services/ble_ancs_c/ble_ancs_c.c
+++ b/SDK/components/ble/ble_services/ble_ancs_c/ble_ancs_c.c
@@ -369,7 +369,7 @@ static ble_ancs_c_parse_state_t attr_data_parse(ble_ancs_c_t * p_ancs, const uin
{
// We have not reached the end of the attribute, nor our max allocated internal size.
// Proceed with copying data over to our buffer.
- if ( (p_ancs->current_attr_index < p_ancs->ancs_attr_list[p_ancs->evt.attr.attr_id].attr_len)
+ if ( (p_ancs->current_attr_index < p_ancs->ancs_attr_list[p_ancs->evt.attr.attr_id].attr_len - 1)
&& (p_ancs->current_attr_index < p_ancs->evt.attr.attr_len))
{
p_ancs->evt.attr.p_attr_data[p_ancs->current_attr_index++] = p_data_src[(*index)++];
@@ -378,7 +378,7 @@ static ble_ancs_c_parse_state_t attr_data_parse(ble_ancs_c_t * p_ancs, const uin
// We have reached the end of the attribute, or our max allocated internal size.
// Stop copying data over to our buffer. NUL-terminate at the current index.
if ( (p_ancs->current_attr_index == p_ancs->evt.attr.attr_len) ||
- (p_ancs->current_attr_index == p_ancs->ancs_attr_list[p_ancs->evt.attr.attr_id].attr_len))
+ (p_ancs->current_attr_index == p_ancs->ancs_attr_list[p_ancs->evt.attr.attr_id].attr_len - 1))
{
p_ancs->evt.attr.p_attr_data[p_ancs->current_attr_index] = '\0';
--