From 0fe62c6392f3cee7bcfb082510304e17e5ffd636 Mon Sep 17 00:00:00 2001
From: Joakim Andersson
Date: Thu, 17 Sep 2020 15:24:24 +0200
Subject: [PATCH] Bluetooth: host: Fix bug in device name shortening handling

Fix bug in device name shortening handling leading to memory corruption. This is triggered by an underflow in the length field of the shortened name when set_data_len + 2 > set_data_len_max.

Fixes: #27693

Signed-off-by: Joakim Andersson
---
 subsys/bluetooth/host/hci_core.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/subsys/bluetooth/host/hci_core.c b/subsys/bluetooth/host/hci_core.c
index e415da3904c..40d18aa02e5 100644
--- a/subsys/bluetooth/host/hci_core.c
+++ b/subsys/bluetooth/host/hci_core.c
@@ -6592,14 +6592,17 @@ static int set_data_add(uint8_t *set_data, uint8_t set_data_len_max,
 
 	/* Check if ad fit in the remaining buffer */
 	if ((set_data_len + len + 2) > set_data_len_max) {
-		len = set_data_len_max - (set_data_len + 2);
+		ssize_t shortened_len = set_data_len_max -
+					(set_data_len + 2);
 
-		if (type != BT_DATA_NAME_COMPLETE || !len) {
+		if (!(type == BT_DATA_NAME_COMPLETE &&
+		      shortened_len > 0)) {
 			BT_ERR("Too big advertising data");
 			return -EINVAL;
 		}
 
 		type = BT_DATA_NAME_SHORTENED;
+		len = shortened_len;
 	}
 
 	set_data[set_data_len++] = len + 1;
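Review bot: The new `shortened_len > 0` guard is the actual fix, but nothing in the hunk records why zero is rejected together with negative values, and `len = shortened_len;` narrows a signed `ssize_t` into `len`, whose declaration is outside the hunk, so a reader has to re-derive that the guard is what keeps the later `len + 1` length byte from wrapping. Suggest a comment above the new `if`: `/* Negative: not even the two header bytes (+ 2) fit; zero: the shortened name would carry no data. Reject both. */`. As a minor style point, both operands of the subtraction are `uint8_t` promoted to `int`, so `int shortened_len` would express the signed intermediate without relying on the POSIX `ssize_t` type. set_data_add's signature starts in the hunk header and its body continues past the last line of the hunk, so the declaration and remaining uses of `len` could not be checked here.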