From c3ba08c55283620d4618c298b1a4ec6f14469394 Mon Sep 17 00:00:00 2001
From: Johan Hedberg
Date: Fri, 12 Feb 2016 14:30:47 +0200
Subject: [PATCH] drivers/nble: Add proper boundary checks for function tables
We should just discard the data if the received table index goes beyond the actual table size.
Change-Id: I267621f098e349abab5a1f37f485a28448a9396b
Signed-off-by: Johan Hedberg
---
 drivers/nble/rpc_deserialize.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/drivers/nble/rpc_deserialize.c b/drivers/nble/rpc_deserialize.c
index 753a08ae5ef..9f165d8c7dd 100644
--- a/drivers/nble/rpc_deserialize.c
+++ b/drivers/nble/rpc_deserialize.c
@@ -478,49 +478,49 @@ void rpc_deserialize(struct net_buf *buf)
 switch (sig_type) {
 case SIG_TYPE_NONE:
- if (sizeof(m_fct_none)) {
+ if (fn_index < ARRAY_SIZE(m_fct_none)) {
 BT_DBG("%s", debug_func_none[fn_index]);
 deserialize_none(fn_index, buf);
 }
 break;
 case SIG_TYPE_S:
- if (sizeof(m_fct_s)) {
+ if (fn_index < ARRAY_SIZE(m_fct_s)) {
 BT_DBG("%s", debug_func_s[fn_index]);
 deserialize_s(fn_index, buf);
 }
 break;
 case SIG_TYPE_P:
- if (sizeof(m_fct_p)) {
+ if (fn_index < ARRAY_SIZE(m_fct_p)) {
 BT_DBG("%s", debug_func_p[fn_index]);
 deserialize_p(fn_index, buf);
 }
 break;
 case SIG_TYPE_S_B:
- if (sizeof(m_fct_s_b)) {
+ if (fn_index < ARRAY_SIZE(m_fct_s_b)) {
 BT_DBG("%s", debug_func_s_b[fn_index]);
 deserialize_s_b(fn_index, buf);
 }
 break;
 case SIG_TYPE_B_B_P:
- if (sizeof(m_fct_b_b_p)) {
+ if (fn_index < ARRAY_SIZE(m_fct_b_b_p)) {
 BT_DBG("%s", debug_func_b_b_p[fn_index]);
 deserialize_b_b_p(fn_index, buf);
 }
 break;
 case SIG_TYPE_S_P:
- if (sizeof(m_fct_s_p)) {
+ if (fn_index < ARRAY_SIZE(m_fct_s_p)) {
 BT_DBG("%s", debug_func_s_p[fn_index]);
 deserialize_s_p(fn_index, buf);
 }
 break;
 case SIG_TYPE_S_B_P:
- if (sizeof(m_fct_s_b_p)) {
+ if (fn_index < ARRAY_SIZE(m_fct_s_b_p)) {
 BT_DBG("%s", debug_func_s_b_p[fn_index]);
 deserialize_s_b_p(fn_index, buf);
 }
 break;
 case SIG_TYPE_S_B_B_P:
- if (sizeof(m_fct_s_b_b_p)) {
+ if (fn_index < ARRAY_SIZE(m_fct_s_b_b_p)) {
 BT_DBG("%s", debug_func_s_b_b_p[fn_index]);
 deserialize_s_b_b_p(fn_index, buf);
 }
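Review bot: An out-of-range `fn_index` is now dropped without any trace in all eight `case` branches, so a malformed or desynchronised frame from the peer leaves no record. Each guard could carry an `else { BT_ERR("invalid fn_index %u for sig_type %u", fn_index, sig_type); }`, with the format specifiers matched to the variables' actual types, which the hunk does not show. The bound is also taken from `m_fct_*` while the `BT_DBG` line reads `debug_func_*[fn_index]`, which is safe only if the two tables always have the same length. If they are not generated from one list, a build-time assertion on the two sizes would pin that. `rpc_deserialize` starts and ends outside the hunk, so whether the `switch` has a `default:` and how `fn_index` is declared cannot be confirmed from here.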