bt: mesh: shell: Fix possible buffer overflow

Fix possible overflow in rpr_scan_report.

Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
Flavio Ceolin 2023-07-17 11:38:03 -07:00 committed by Fabio Baltieri
commit ddd2bc94e2


@ -38,9 +38,26 @@ static void rpr_scan_report(struct bt_mesh_rpr_cli *cli,
uint8_t len, type;
uint8_t data[31];
len = net_buf_simple_pull_u8(adv_data) - 1;
len = net_buf_simple_pull_u8(adv_data);
if (len == 0) {
/* No data in this AD Structure. */
continue;
}
if (len > adv_data->len) {
/* Malformed AD Structure. */
break;
}
type = net_buf_simple_pull_u8(adv_data);
memcpy(data, net_buf_simple_pull_mem(adv_data, len), len);
if ((--len) > 0) {
uint8_t dlen;
/* Pull all length, but print only what fits into `data` array. */
dlen = MIN(len, sizeof(data) - 1);
memcpy(data, net_buf_simple_pull_mem(adv_data, len), dlen);
len = dlen;
}
data[len] = '\0';
if (type == BT_DATA_URI) {
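Review bot: The bound `if (len > adv_data->len)` is only correct because the length byte has already been pulled and `len` still counts the type byte at that point, and nothing in the hunk says so. A comment above the check, such as `/* len covers the type byte plus payload; both must still be in the buffer. */`, would keep a later edit from moving the decrement ahead of it. The decrement hidden in `if ((--len) > 0)` is where `len` changes meaning to payload-only, so `len--;` on its own line followed by `if (len > 0) {` would read more safely. Payloads longer than `sizeof(data) - 1` are truncated and the `break` path drops the rest of the report, both silently; a warning printed on those two paths would let an operator see that a remote device sent oversized or malformed advertising data. The enclosing loop and the start of rpr_scan_report are outside the hunk.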