[Bugfix] Missing notification data when length > 255 bytes

h2zero · h2zero · commit 970537aaa593 · 2026-03-16T13:16:09.000-06:00
When the ACL buffer is less than the MTU, the data arrives in more than one mbuf.
This combines the data from the mbuf chain and stores it before calling the appliation callback, ensuring it has all the data.
diff --git a/src/NimBLEClient.cpp b/src/NimBLEClient.cpp
@@ -933,7 +933,6 @@ int NimBLEClient::handleGapEvent(struct ble_gap_event* event, void* arg) {
 
     switch (event->type) {
         case BLE_GAP_EVENT_DISCONNECT: {
-
             // workaround for bug in NimBLE stack where disconnect event argument is not passed correctly
             pClient = NimBLEDevice::getClientByPeerAddress(event->disconnect.conn.peer_ota_addr);
             if (pClient == nullptr) {
@@ -946,8 +945,7 @@ int NimBLEClient::handleGapEvent(struct ble_gap_event* event, void* arg) {
             }
 
             if (pClient == nullptr) {
-                NIMBLE_LOGE(LOG_TAG, "Disconnected client not found, conn_handle=%d",
-                            event->disconnect.conn.conn_handle);
+                NIMBLE_LOGE(LOG_TAG, "Disconnected client not found, conn_handle=%d", event->disconnect.conn.conn_handle);
                 return 0;
             }
 
@@ -1068,11 +1066,27 @@ int NimBLEClient::handleGapEvent(struct ble_gap_event* event, void* arg) {
                     if (chr->getHandle() == event->notify_rx.attr_handle) {
                         NIMBLE_LOGD(LOG_TAG, "Got Notification for characteristic %s", chr->toString().c_str());
 
-                        uint32_t data_len = OS_MBUF_PKTLEN(event->notify_rx.om);
-                        chr->m_value.setValue(event->notify_rx.om->om_data, data_len);
+                        uint8_t  buf[BLE_ATT_ATTR_MAX_LEN];
+                        uint16_t len = event->notify_rx.om->om_len;
+                        memcpy(buf, event->notify_rx.om->om_data, len);
+
+                        os_mbuf* next;
+                        next = SLIST_NEXT(event->notify_rx.om, om_next);
+                        while (next != NULL) {
+                            if ((len + next->om_len) > BLE_ATT_ATTR_MAX_LEN) {
+                                NIMBLE_LOGE(LOG_TAG,
+                                            "Received notification is too long for buffer, dropping remaining data");
+                                return BLE_ATT_ERR_INVALID_ATTR_VALUE_LEN;
+                            }
+                            memcpy(&buf[len], next->om_data, next->om_len);
+                            len  += next->om_len;
+                            next  = SLIST_NEXT(next, om_next);
+                        }
+
+                        chr->m_value.setValue(buf, len);
 
                         if (chr->m_notifyCallback != nullptr) {
-                            chr->m_notifyCallback(chr, event->notify_rx.om->om_data, data_len, !event->notify_rx.indication);
+                            chr->m_notifyCallback(chr, buf, len, !event->notify_rx.indication);
                         }
                         break;
                     }
