Skip to content

Commit

Permalink
Cordio BLE: fix OOB read in event processing (#387)
Browse files Browse the repository at this point in the history
  • Loading branch information
@Diff-fusion
Diff-fusion authored Nov 21, 2024
1 parent 8576b04 commit 784417f
Showing 1 changed file with 11 additions and 0 deletions.
11 changes: 11 additions & 0 deletions connectivity/FEATURE_BLE/libraries/cordio_stack/ble-host/sources/hci/dual_chip/hci_evt.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1331,6 +1331,11 @@ static void hciEvtProcessLeExtAdvReport(uint8_t *p, uint8_t len)
while (i-- > 0)
{
ptr += HCI_EXT_ADV_RPT_DATA_LEN_OFFSET;
// discard event if it doesn't contain enough data
if (ptr >= p + len)
{
return;
}
BSTREAM_TO_UINT8(dataLen, ptr);
ptr += dataLen;

Expand All @@ -1342,6 +1347,12 @@ static void hciEvtProcessLeExtAdvReport(uint8_t *p, uint8_t len)
}
}

// finally check that the last report is fully contained within the event
if (ptr > p + len)
{
return;
}

/* allocate temp buffer that can hold max length ext adv/scan rsp data */
if ((pMsg = WsfBufAlloc(sizeof(hciLeExtAdvReportEvt_t) + maxLen)) != NULL)
{
Expand Down

0 comments on commit 784417f

Please sign in to comment.