Cordio BLE: Fix two integer overflows (CVE-2024-48982) (#386)

* Cordio BLE: Fix two integer overflows

* Cordio BLE: Fix sign in length check
pull/15530/head
Diff-fusion 2024-11-21 17:54:37 +01:00 committed by GitHub
parent 92df6292cf
commit 8974db5f9a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 6 additions and 1 deletions


@ -2482,6 +2482,11 @@ void hciEvtProcessCmdCmpl(uint8_t *p, uint8_t len)
uint8_t cbackEvt = 0;
hciEvtCback_t cback = hciCb.evtCback;
if (len < 3)
{
return;
}
BSTREAM_TO_UINT8(numPkts, p);
BSTREAM_TO_UINT16(opcode, p);
@ -2695,7 +2700,7 @@ void hciEvtProcessCmdCmpl(uint8_t *p, uint8_t len)
if (cbackEvt == HCI_UNHANDLED_CMD_CMPL_CBACK_EVT) {
const uint8_t structSize = sizeof(hciUnhandledCmdCmplEvt_t) - 1 /* removing the fake 1-byte array */;
const uint8_t remainingLen = len - 3 /* we already read opcode and numPkts */;
const uint8_t msgSize = structSize + remainingLen;
const uint16_t msgSize = structSize + remainingLen;
pMsg = WsfBufAlloc(msgSize);
if (pMsg != NULL) {
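Review bot: The new `if (len < 3)` guard at the top of hciEvtProcessCmdCmpl and the `len - 3` in the HCI_UNHANDLED_CMD_CMPL_CBACK_EVT branch, roughly 200 lines later, rely on the same bare constant with nothing tying them together. A later change to the header parsing could quietly bring the uint8_t wrap-around of `remainingLen` back. I would comment the guard, for example `/* numPkts (1) + opcode (2); also keeps remainingLen = len - 3 from wrapping */`, or define the header length once and use it in both places. The guard only covers the three header bytes; whether the opcode-specific parsing between the two hunks checks the remaining length before reading its parameters is not visible here and is worth confirming. The function body starts before and continues after the lines shown.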