ARMmbed
/
mbed-os
mirror of https://github.com/ARMmbed/mbed-os.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Cordio BLE: fix OOB read in event processing (#387)

pull/15530/head
Diff-fusion 2024-11-21 09:18:10 +01:00 committed by GitHub
parent 8576b0406c
commit 784417f65c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 11 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
connectivity/FEATURE_BLE/libraries/cordio_stack/ble-host/sources/hci/dual_chip/hci_evt.c
View File

@ -1331,6 +1331,11 @@ static void hciEvtProcessLeExtAdvReport(uint8_t *p, uint8_t len)
while (i-- > 0) while (i-- > 0)
{ {
ptr += HCI_EXT_ADV_RPT_DATA_LEN_OFFSET; ptr += HCI_EXT_ADV_RPT_DATA_LEN_OFFSET;
// discard event if it doesn't contain enough data
if (ptr >= p + len)
{
return;
}
BSTREAM_TO_UINT8(dataLen, ptr); BSTREAM_TO_UINT8(dataLen, ptr);
ptr += dataLen; ptr += dataLen;
@ -1342,6 +1347,12 @@ static void hciEvtProcessLeExtAdvReport(uint8_t *p, uint8_t len)
} }
} }
// finally check that the last report is fully contained within the event
if (ptr > p + len)
{
return;
}
/* allocate temp buffer that can hold max length ext adv/scan rsp data */ /* allocate temp buffer that can hold max length ext adv/scan rsp data */
if ((pMsg = WsfBufAlloc(sizeof(hciLeExtAdvReportEvt_t) + maxLen)) != NULL) if ((pMsg = WsfBufAlloc(sizeof(hciLeExtAdvReportEvt_t) + maxLen)) != NULL)
{ {