Cordio BLE: fix OOB read in event processing (#387)

Diff-fusion · web-flow · commit 784417f65cf6 · 2024-11-21T00:18:10.000-08:00
diff --git a/connectivity/FEATURE_BLE/libraries/cordio_stack/ble-host/sources/hci/dual_chip/hci_evt.c b/connectivity/FEATURE_BLE/libraries/cordio_stack/ble-host/sources/hci/dual_chip/hci_evt.c
@@ -1331,6 +1331,11 @@ static void hciEvtProcessLeExtAdvReport(uint8_t *p, uint8_t len)
   while (i-- > 0)
   {
     ptr += HCI_EXT_ADV_RPT_DATA_LEN_OFFSET;
+    // discard event if it doesn't contain enough data
+    if (ptr >= p + len)
+    {
+        return;
+    }
     BSTREAM_TO_UINT8(dataLen, ptr);
     ptr += dataLen;
 
@@ -1342,6 +1347,12 @@ static void hciEvtProcessLeExtAdvReport(uint8_t *p, uint8_t len)
     }
   }
 
+  // finally check that the last report is fully contained within the event
+  if (ptr > p + len)
+  {
+      return;
+  }
+
   /* allocate temp buffer that can hold max length ext adv/scan rsp data */
   if ((pMsg = WsfBufAlloc(sizeof(hciLeExtAdvReportEvt_t) + maxLen)) != NULL)
   {

Original file line number	Diff line number	Diff line change
`@@ -1331,6 +1331,11 @@ static void hciEvtProcessLeExtAdvReport(uint8_t *p, uint8_t len)`
`1331`	`1331`	`while (i-- > 0)`
`1332`	`1332`	`{`
`1333`	`1333`	`ptr += HCI_EXT_ADV_RPT_DATA_LEN_OFFSET;`
	`1334`	`+ // discard event if it doesn't contain enough data`
	`1335`	`+ if (ptr >= p + len)`
	`1336`	`+ {`
	`1337`	`+ return;`
	`1338`	`+ }`
`1334`	`1339`	`BSTREAM_TO_UINT8(dataLen, ptr);`
`1335`	`1340`	`ptr += dataLen;`
`1336`	`1341`
`@@ -1342,6 +1347,12 @@ static void hciEvtProcessLeExtAdvReport(uint8_t *p, uint8_t len)`
`1342`	`1347`	`}`
`1343`	`1348`	`}`
`1344`	`1349`
	`1350`	`+ // finally check that the last report is fully contained within the event`
	`1351`	`+ if (ptr > p + len)`
	`1352`	`+ {`
	`1353`	`+ return;`
	`1354`	`+ }`
	`1355`	`+`
`1345`	`1356`	`/* allocate temp buffer that can hold max length ext adv/scan rsp data */`
`1346`	`1357`	`if ((pMsg = WsfBufAlloc(sizeof(hciLeExtAdvReportEvt_t) + maxLen)) != NULL)`
`1347`	`1358`	`{`