michaelh/zephyr
1
0
Fork 0
Code Releases Activity

Bluetooth: Mesh: check buffer tailroom before relaying proxy message

Browse source 
PR adds checking proxy buffer tailroom before adding
a relayed message. That prevents potential proxy trash attacks.

Signed-off-by: Aleksandr Khromykh <aleksandr.khromykh@nordicsemi.no>
This commit is contained in:
Aleksandr Khromykh 2023-04-03 16:55:14 +02:00 committed by Carles Cufí
commit 4b5be77531
1 changed files with 5 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

5
subsys/bluetooth/mesh/proxy_msg.c
View file

@ -78,6 +78,11 @@ ssize_t bt_mesh_proxy_msg_recv(struct bt_conn *conn,
const uint8_t *data = buf; const uint8_t *data = buf;
struct bt_mesh_proxy_role *role = &roles[bt_conn_index(conn)]; struct bt_mesh_proxy_role *role = &roles[bt_conn_index(conn)];
if (net_buf_simple_tailroom(&role->buf) < len - 1) {
LOG_WRN("Proxy role buffer overflow");
return -EINVAL;
}
switch (PDU_SAR(data)) { switch (PDU_SAR(data)) {
case SAR_COMPLETE: case SAR_COMPLETE:
if (role->buf.len) { if (role->buf.len) {