drivers: bluetooth: spi: Check lengths in incoming headers
So far the lengths provided in event and ACL packets were not being checked at all, which could have caused an overflow if the contents were not to fit inside the net_buf. Check the length and discard the packet when it doesn't fit. Signed-off-by: Carles Cufi <carles.cufi@nordicsemi.no>
parent
fef2e30b7f
commit
02cee09308
1 changed files with 15 additions and 5 deletions
|
@ -314,6 +314,7 @@ static void bt_spi_rx_thread(void)
|
|||
struct bt_hci_acl_hdr acl_hdr;
|
||||
uint8_t size = 0U;
|
||||
int ret;
|
||||
int len;
|
||||
|
||||
(void)memset(&txmsg, 0xFF, SPI_MAX_MSG_LEN);
|
||||
|
||||
|
@ -383,15 +384,24 @@ static void bt_spi_rx_thread(void)
|
|||
}
|
||||
}
|
||||
|
||||
net_buf_add_mem(buf, &rxmsg[1],
|
||||
rxmsg[EVT_HEADER_SIZE] + 2);
|
||||
len = sizeof(struct bt_hci_evt_hdr) + rxmsg[EVT_HEADER_SIZE];
|
||||
if (len > net_buf_tailroom(buf)) {
|
||||
BT_ERR("Event too long: %d", len);
|
||||
net_buf_unref(buf);
|
||||
continue;
|
||||
}
|
||||
net_buf_add_mem(buf, &rxmsg[1], len);
|
||||
break;
|
||||
case HCI_ACL:
|
||||
buf = bt_buf_get_rx(BT_BUF_ACL_IN, K_FOREVER);
|
||||
memcpy(&acl_hdr, &rxmsg[1], sizeof(acl_hdr));
|
||||
net_buf_add_mem(buf, &acl_hdr, sizeof(acl_hdr));
|
||||
net_buf_add_mem(buf, &rxmsg[5],
|
||||
sys_le16_to_cpu(acl_hdr.len));
|
||||
len = sizeof(acl_hdr) + sys_le16_to_cpu(acl_hdr.len);
|
||||
if (len > net_buf_tailroom(buf)) {
|
||||
BT_ERR("ACL too long: %d", len);
|
||||
net_buf_unref(buf);
|
||||
continue;
|
||||
}
|
||||
net_buf_add_mem(buf, &rxmsg[1], len);
|
||||
break;
|
||||
default:
|
||||
BT_ERR("Unknown BT buf type %d", rxmsg[0]);
|
||||
|
|
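Review bot: In both the event and ACL branches the new check bounds only the destination: `len` is compared with `net_buf_tailroom(buf)`, but it comes from the controller-supplied header and is never compared with the amount of data actually held in `rxmsg`. If the RX buffer has more tailroom than the SPI message buffer has bytes after the packet-type octet, `net_buf_add_mem(buf, &rxmsg[1], len)` would copy stale bytes or read past the end of the array. Assuming `rxmsg` is sized `SPI_MAX_MSG_LEN` like `txmsg`, the guard could become `if (len > net_buf_tailroom(buf) || len > SPI_MAX_MSG_LEN - 1) {`, or better, compare against the received byte count if `size` holds it. The declaration of `rxmsg` and the SPI read are outside the visible hunks, so this should be confirmed against the rest of `bt_spi_rx_thread`.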