Bluetooth: drivers: Add length checks before net_buf_add_mem

Add length checks before calls to net_buf_add_mem for dynamically sized data. This should give a better error response than hitting the __ASSERT in net_buf_simple_add. Signed-off-by: Emil Gydesen <emil.gydesen@nordicsemi.no>
2021-12-08 18:01:20 +01:00 · 2021-12-08 18:01:20 +01:00 · b988c803f6
commit b988c803f6
parent 0ef5dac70e
6 changed files with 107 additions and 5 deletions
--- a/drivers/bluetooth/hci/ipm_stm32wb.c
+++ b/drivers/bluetooth/hci/ipm_stm32wb.c
@ -160,6 +160,8 @@ static void bt_ipm_rx_thread(void)
 		struct bt_hci_acl_hdr acl_hdr;
 		TL_AclDataSerial_t *acl;
 		struct bt_hci_evt_le_meta_event *mev;
+		size_t buf_tailroom;
+		size_t buf_add_len;

 		hcievt = k_fifo_get(&ipm_rx_events_fifo, K_FOREVER);

@ -195,8 +197,18 @@ static void bt_ipm_rx_thread(void)
 			}

 			tryfix_event(&hcievt->evtserial.evt);
+
+			buf_tailroom = net_buf_tailroom(buf);
+			buf_add_len = hcievt->evtserial.evt.plen + 2;
+			if (buf_tailroom < buf_add_len) {
+				BT_ERR("Not enough space in buffer %zu/%zu",
+				       buf_add_len, buf_tailroom);
+				net_buf_unref(buf);
+				goto end_loop;
+			}
+
 			net_buf_add_mem(buf, &hcievt->evtserial.evt,
-					hcievt->evtserial.evt.plen + 2);
+					buf_add_len);
 			break;
 		case HCI_ACL:
 			acl = &(((TL_AclDataPacket_t *)hcievt)->AclDataSerial);
@ -206,8 +218,18 @@ static void bt_ipm_rx_thread(void)
 			BT_DBG("ACL: handle %x, len %x",
 			       acl_hdr.handle, acl_hdr.len);
 			net_buf_add_mem(buf, &acl_hdr, sizeof(acl_hdr));
+
+			buf_tailroom = net_buf_tailroom(buf);
+			buf_add_len = acl_hdr.len;
+			if (buf_tailroom < buf_add_len) {
+				BT_ERR("Not enough space in buffer %zu/%zu",
+				       buf_add_len, buf_tailroom);
+				net_buf_unref(buf);
+				goto end_loop;
+			}
+
 			net_buf_add_mem(buf, (uint8_t *)&acl->acl_data,
-					acl_hdr.len);
+					buf_add_len);
 			break;
 		default:
 			BT_ERR("Unknown BT buf type %d",