michaelh/zephyr
1
0
Fork 0
Code Releases Activity

Bluetooth: host: Fix bug in device name shortening handling

Browse source 
Fix bug in device name shortening handling leading to memory
corruption.
This is triggered by an underflow in the length field of the shortened
name when set_data_len + 2 > set_data_len_max.

Fixes: #27693

Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
This commit is contained in:
Joakim Andersson 2020-09-17 15:24:24 +02:00 committed by Carles Cufí
commit 0fe62c6392
1 changed files with 5 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

7
subsys/bluetooth/host/hci_core.c
View file

@ -6592,14 +6592,17 @@ static int set_data_add(uint8_t *set_data, uint8_t set_data_len_max,
/* Check if ad fit in the remaining buffer */ /* Check if ad fit in the remaining buffer */
if ((set_data_len + len + 2) > set_data_len_max) { if ((set_data_len + len + 2) > set_data_len_max) {
len = set_data_len_max - (set_data_len + 2); ssize_t shortened_len = set_data_len_max -
(set_data_len + 2);
if (type != BT_DATA_NAME_COMPLETE || !len) { if (!(type == BT_DATA_NAME_COMPLETE &&
shortened_len > 0)) {
BT_ERR("Too big advertising data"); BT_ERR("Too big advertising data");
return -EINVAL; return -EINVAL;
} }
type = BT_DATA_NAME_SHORTENED; type = BT_DATA_NAME_SHORTENED;
len = shortened_len;
} }
set_data[set_data_len++] = len + 1; set_data[set_data_len++] = len + 1;