From 784417f65cf633b1a5f1af354389267d4d5adce6 Mon Sep 17 00:00:00 2001
From: Diff-fusion
Date: Thu, 21 Nov 2024 09:18:10 +0100
Subject: [PATCH] Cordio BLE: fix OOB read in event processing (#387)
---
 .../ble-host/sources/hci/dual_chip/hci_evt.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/connectivity/FEATURE_BLE/libraries/cordio_stack/ble-host/sources/hci/dual_chip/hci_evt.c b/connectivity/FEATURE_BLE/libraries/cordio_stack/ble-host/sources/hci/dual_chip/hci_evt.c
index fd708ea2dd..11737ba693 100644
--- a/connectivity/FEATURE_BLE/libraries/cordio_stack/ble-host/sources/hci/dual_chip/hci_evt.c
+++ b/connectivity/FEATURE_BLE/libraries/cordio_stack/ble-host/sources/hci/dual_chip/hci_evt.c
@@ -1331,6 +1331,11 @@ static void hciEvtProcessLeExtAdvReport(uint8_t *p, uint8_t len)
 while (i-- > 0)
 {
 ptr += HCI_EXT_ADV_RPT_DATA_LEN_OFFSET;
+ // discard event if it doesn't contain enough data
+ if (ptr >= p + len)
+ {
+ return;
+ }
 BSTREAM_TO_UINT8(dataLen, ptr);
 ptr += dataLen;
@@ -1342,6 +1347,12 @@ static void hciEvtProcessLeExtAdvReport(uint8_t *p, uint8_t len)
 }
 }
+ // finally check that the last report is fully contained within the event
+ if (ptr > p + len)
+ {
+ return;
+ }
+ /* allocate temp buffer that can hold max length ext adv/scan rsp data */
 if ((pMsg = WsfBufAlloc(sizeof(hciLeExtAdvReportEvt_t) + maxLen)) != NULL)
 {
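Review bot: The guard in the first hunk runs after `ptr += HCI_EXT_ADV_RPT_DATA_LEN_OFFSET`, so on a truncated event `ptr` has already been moved beyond the end of the buffer before it is compared. Forming a pointer more than one past the end is undefined behaviour in C, and the following `ptr += dataLen` does the same with a length taken straight from the event. Comparing the remaining byte count before each advance keeps `ptr` inside the event: `if ((p + len) - ptr <= HCI_EXT_ADV_RPT_DATA_LEN_OFFSET) { return; }` ahead of the offset step, and `if (dataLen > (p + len) - ptr) { return; }` ahead of `ptr += dataLen`. With both in place the check after the loop becomes redundant. This assumes `ptr` starts inside the event, which is set up before this hunk; the function body begins and ends outside it.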
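Review bot: The early return added after the loop, like the one in the first hunk, drops a malformed report without leaving any trace, so a controller or peer that keeps delivering truncated extended advertising reports stays invisible to anyone debugging or monitoring the device. A warning before each `return;` would make this observable, for example `HCI_TRACE_WARN0("ext adv report: length exceeds event");`, if the stack's HCI trace macros are usable in this file. The two added comments also use `//` while the surrounding context line uses `/* */`; `/* discard the event if the last report is not fully contained in it */` would match the file. The rest of the function, including the copy into `pMsg`, lies outside the hunk.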