From 8576b0406ca39739afec9c63f6fdc2addfe79741 Mon Sep 17 00:00:00 2001
From: Diff-fusion
Date: Thu, 21 Nov 2024 09:08:33 +0100
Subject: [PATCH] Cordio BLE: Fix integer overflows (#388)

---
 .../cordio_stack/wsf/sources/port/baremetal/wsf_msg.c | 9 +++++++++
 .../FEATURE_BLE/source/cordio/stack_adaptation/hci_tr.c | 6 ++++++
 2 files changed, 15 insertions(+)

diff --git a/connectivity/FEATURE_BLE/libraries/cordio_stack/wsf/sources/port/baremetal/wsf_msg.c b/connectivity/FEATURE_BLE/libraries/cordio_stack/wsf/sources/port/baremetal/wsf_msg.c
index 4f5f4144fac..55697577cd9 100644
--- a/connectivity/FEATURE_BLE/libraries/cordio_stack/wsf/sources/port/baremetal/wsf_msg.c
+++ b/connectivity/FEATURE_BLE/libraries/cordio_stack/wsf/sources/port/baremetal/wsf_msg.c
@@ -53,6 +53,10 @@ typedef struct wsfMsg_tag
 /*************************************************************************************************/
 void *WsfMsgDataAlloc(uint16_t len, uint8_t tailroom)
 {
+ /* check for overflow */
+ if (len > UINT16_MAX - tailroom) {
+ return NULL;
+ }
 return WsfMsgAlloc(len + tailroom);
 }
@@ -69,6 +73,11 @@ void *WsfMsgAlloc(uint16_t len)
 {
 wsfMsg_t *pMsg;
+ /* check for overflow */
+ if (len > UINT16_MAX - sizeof(wsfMsg_t)) {
+ return NULL;
+ }
+
 pMsg = WsfBufAlloc(len + sizeof(wsfMsg_t));
 /* hide header */
diff --git a/connectivity/FEATURE_BLE/source/cordio/stack_adaptation/hci_tr.c b/connectivity/FEATURE_BLE/source/cordio/stack_adaptation/hci_tr.c
index 7663276ec5b..7284df9cfa4 100644
--- a/connectivity/FEATURE_BLE/source/cordio/stack_adaptation/hci_tr.c
+++ b/connectivity/FEATURE_BLE/source/cordio/stack_adaptation/hci_tr.c
@@ -204,6 +204,12 @@ void hciTrSerialRxIncoming(uint8_t *pBuf, uint8_t len)
 }
 /* allocate data buffer to hold entire packet */
+ /* check that the length doesn't overflow */
+ if (hdrLen > UINT16_MAX - dataLen)
+ {
+ stateRx = HCI_RX_STATE_IDLE;
+ return;
+ }
 if (pktIndRx == HCI_ACL_TYPE)
 {
 pPktRx = (uint8_t*)WsfMsgDataAlloc(hdrLen + dataLen, 0);
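Review bot: The comment `/* check for overflow */` added in WsfMsgDataAlloc misdescribes the hazard: `len + tailroom` is computed in int after promotion and cannot overflow there, what the guard prevents is the implicit narrowing of that sum to the uint16_t parameter of WsfMsgAlloc, so `/* reject lengths whose sum would be truncated by WsfMsgAlloc's uint16_t parameter */` is more accurate; the same wording issue applies to the second wsf_msg.c hunk, where the size_t sum `len + sizeof(wsfMsg_t)` is presumably narrowed by WsfBufAlloc's parameter (its prototype is outside the hunk). Both functions' header comments sit above their hunks and should now state that NULL is also returned for a request that can never fit, since a caller otherwise reads every NULL as pool exhaustion. The `if (...) {` brace placement also differs from the brace-on-its-own-line style used in the hci_tr.c hunk of this same patch and in the surrounding function bodies. WsfMsgAlloc's body continues past the end of its hunk.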
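Review bot: The new `return` in hciTrSerialRxIncoming abandons whatever bytes remain in this pBuf chunk, whereas the existing allocation-failure handling that follows the hunk appears to only set `stateRx = HCI_RX_STATE_IDLE` and let the byte loop continue; if the intent is to treat an impossible length like a failed allocation, route it through that same path, otherwise add a comment saying why discarding the rest of the chunk is acceptable. The pre-existing comment `/* allocate data buffer to hold entire packet */` now sits above the length check rather than the allocation it describes, so move it below the new block. The declarations of hdrLen and dataLen are outside the hunk; if dataLen is the 16-bit length field read from the ACL header, this check only prevents 16-bit wraparound and still forwards requests of up to 64 KB to the allocator, so a bound against the largest ACL payload the port expects would reject malformed frames before depending on the allocator to return NULL. hciTrSerialRxIncoming begins and ends outside the hunk.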