From 02cee09308432e86eeb0c0b5b2946d14f00a5988 Mon Sep 17 00:00:00 2001
From: Carles Cufi
Date: Mon, 20 Dec 2021 11:25:31 +0100
Subject: [PATCH] drivers: bluetooth: spi: Check lengths in incoming headers

So far the lengths provided in event and ACL packets were not being checked at all, which could have caused an overflow if the contents were not to fit inside the net_buf. Check the length and discard the packet when it doesn't fit.

Signed-off-by: Carles Cufi
---
 drivers/bluetooth/hci/spi.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/drivers/bluetooth/hci/spi.c b/drivers/bluetooth/hci/spi.c
index 563a95e9c53..642c3799c24 100644
--- a/drivers/bluetooth/hci/spi.c
+++ b/drivers/bluetooth/hci/spi.c
@@ -314,6 +314,7 @@ static void bt_spi_rx_thread(void)
 struct bt_hci_acl_hdr acl_hdr;
 uint8_t size = 0U;
 int ret;
+int len;
 
 (void)memset(&txmsg, 0xFF, SPI_MAX_MSG_LEN);
 
@@ -383,15 +384,24 @@ static void bt_spi_rx_thread(void)
 }
 }
 
-net_buf_add_mem(buf, &rxmsg[1],
-rxmsg[EVT_HEADER_SIZE] + 2);
+len = sizeof(struct bt_hci_evt_hdr) + rxmsg[EVT_HEADER_SIZE];
+if (len > net_buf_tailroom(buf)) {
+BT_ERR("Event too long: %d", len);
+net_buf_unref(buf);
+continue;
+}
+net_buf_add_mem(buf, &rxmsg[1], len);
 break;
 case HCI_ACL:
 buf = bt_buf_get_rx(BT_BUF_ACL_IN, K_FOREVER);
 memcpy(&acl_hdr, &rxmsg[1], sizeof(acl_hdr));
-net_buf_add_mem(buf, &acl_hdr, sizeof(acl_hdr));
-net_buf_add_mem(buf, &rxmsg[5],
-sys_le16_to_cpu(acl_hdr.len));
+len = sizeof(acl_hdr) + sys_le16_to_cpu(acl_hdr.len);
+if (len > net_buf_tailroom(buf)) {
+BT_ERR("ACL too long: %d", len);
+net_buf_unref(buf);
+continue;
+}
+net_buf_add_mem(buf, &rxmsg[1], len);
 break;
 default:
 BT_ERR("Unknown BT buf type %d", rxmsg[0]);
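Review bot: The new checks in the second hunk bound `len` against the destination only; nothing on the new side compares it with the number of bytes actually received over SPI or with the size of `rxmsg`, so a peer-supplied ACL length (up to 65535 after `sys_le16_to_cpu`) that happens to fit the net_buf's tailroom still makes `net_buf_add_mem(buf, &rxmsg[1], len)` copy stale or out-of-bounds bytes from the receive array, and the event case a few lines above has the same gap. Unless rxmsg is known to be at least as large as any RX net_buf, the guard should also reject lengths beyond the received frame, e.g. `if (len > net_buf_tailroom(buf) || len > SPI_MAX_MSG_LEN - 1) {` (assuming rxmsg is SPI_MAX_MSG_LEN bytes like txmsg appears to be; better still, compare against the byte count actually read, if `size` from the first hunk is what holds it). `len` is an `int` compared against the `size_t` that `net_buf_tailroom()` returns; declaring it `size_t` and logging it with `%zu` avoids the sign-compare warning without changing the check. bt_spi_rx_thread begins and ends outside the hunk.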