Cordio BLE: Fix integer overflows (#388)

connectivity/FEATURE_BLE/libraries/cordio_stack/wsf/sources/port/baremetal/wsf_msg.c

@@ -53,6 +53,10 @@ typedef struct wsfMsg_tag
 /*************************************************************************************************/
 void *WsfMsgDataAlloc(uint16_t len, uint8_t tailroom)
 {
+  /* check for overflow */
+  if (len > UINT16_MAX - tailroom) {
+    return NULL;
+  }
   return WsfMsgAlloc(len + tailroom);
 }
 
@@ -69,6 +73,11 @@ void *WsfMsgAlloc(uint16_t len)
 {
   wsfMsg_t  *pMsg;
 
+  /* check for overflow */
+  if (len > UINT16_MAX - sizeof(wsfMsg_t)) {
+    return NULL;
+  }
+
   pMsg = WsfBufAlloc(len + sizeof(wsfMsg_t));
 
   /* hide header */

connectivity/FEATURE_BLE/source/cordio/stack_adaptation/hci_tr.c

@@ -204,6 +204,12 @@ void hciTrSerialRxIncoming(uint8_t *pBuf, uint8_t len)
         }
 
         /* allocate data buffer to hold entire packet */
+        /* check that the length doesn't overflow */
+        if (hdrLen > UINT16_MAX - dataLen)
+        {
+          stateRx = HCI_RX_STATE_IDLE;
+          return;
+        }
         if (pktIndRx == HCI_ACL_TYPE)
         {
           pPktRx = (uint8_t*)WsfMsgDataAlloc(hdrLen + dataLen, 0);