From ee0314a8320c651555af8b802e97ca283310c34c Mon Sep 17 00:00:00 2001
From: Carles Cufi
Date: Fri, 6 Oct 2023 10:44:14 +0200
Subject: [PATCH] Bluetooth: host: Replace length check assert with if statement

A few of the length checks that deal with HCI packets coming from the controller were using assert statements. But the recommended practice is to drop invalid packets and continue execution whenever a malformed packet arrives from an external source, so replace those assert statements with branches that will drop the packet and return.

Signed-off-by: Carles Cufi
---
 subsys/bluetooth/host/hci_core.c | 19 +++++++++++++++----
 subsys/bluetooth/host/iso.c | 6 +++++-
 2 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/subsys/bluetooth/host/hci_core.c b/subsys/bluetooth/host/hci_core.c
index 710dbf3fe21..7b607d6f048 100644
--- a/subsys/bluetooth/host/hci_core.c
+++ b/subsys/bluetooth/host/hci_core.c
@@ -508,8 +508,11 @@ static void hci_acl(struct net_buf *buf)
 uint8_t flags;
 LOG_DBG("buf %p", buf);
-
- BT_ASSERT(buf->len >= sizeof(*hdr));
+ if (buf->len < sizeof(*hdr)) {
+ LOG_ERR("Invalid HCI ACL packet size (%u)", buf->len);
+ net_buf_unref(buf);
+ return;
+ }
 hdr = net_buf_pull_mem(buf, sizeof(*hdr));
 len = sys_le16_to_cpu(hdr->len);
@@ -2650,7 +2653,11 @@ static void hci_event(struct net_buf *buf)
 {
 struct bt_hci_evt_hdr *hdr;
- BT_ASSERT(buf->len >= sizeof(*hdr));
+ if (buf->len < sizeof(*hdr)) {
+ LOG_ERR("Invalid HCI event size (%u)", buf->len);
+ net_buf_unref(buf);
+ return;
+ }
 hdr = net_buf_pull_mem(buf, sizeof(*hdr));
 LOG_DBG("event 0x%02x", hdr->evt);
@@ -3714,7 +3721,11 @@ void hci_event_prio(struct net_buf *buf)
 net_buf_simple_save(&buf->b, &state);
- BT_ASSERT(buf->len >= sizeof(*hdr));
+ if (buf->len < sizeof(*hdr)) {
+ LOG_ERR("Invalid HCI event size (%u)", buf->len);
+ net_buf_unref(buf);
+ return;
+ }
 hdr = net_buf_pull_mem(buf, sizeof(*hdr));
 evt_flags = bt_hci_evt_get_flags(hdr->evt);
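Review bot: In the hci_event_prio hunk the new drop branch calls `net_buf_unref(buf)` before `return`, and since this function is non-static and has just done `net_buf_simple_save(&buf->b, &state)`, it reads like a caller may still hold and later re-queue the same buffer; if that is the case, releasing the reference here would hand the caller a freed buffer, so the early-return path should follow whatever ownership the function's existing exit paths use (those are outside the hunk). The same ownership question applies to `hci_iso` in iso.c. It would also help to capture the rationale in the code rather than only in the commit message, e.g. a one-line comment above each new check: `/* Header comes from the controller: drop malformed packets instead of asserting. */`. The three check blocks differ only in their log message, so a small static helper returning bool would keep the sites consistent; the bodies of hci_acl, hci_event and hci_event_prio all continue outside their hunks.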
diff --git a/subsys/bluetooth/host/iso.c b/subsys/bluetooth/host/iso.c
index 49dd52d0ffb..a1b645c0e2f 100644
--- a/subsys/bluetooth/host/iso.c
+++ b/subsys/bluetooth/host/iso.c
@@ -105,7 +105,11 @@ void hci_iso(struct net_buf *buf)
 BT_ISO_DATA_DBG("buf %p", buf);
- BT_ASSERT(buf->len >= sizeof(*hdr));
+ if (buf->len < sizeof(*hdr)) {
+ LOG_ERR("Invalid HCI ISO packet size (%u)", buf->len);
+ net_buf_unref(buf);
+ return;
+ }
 hdr = net_buf_pull_mem(buf, sizeof(*hdr));
 len = bt_iso_hdr_len(sys_le16_to_cpu(hdr->len));
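Review bot: The new check in hci_iso only guarantees that the header itself fits in the buffer; the very next lines decode `hdr->len` from that controller-supplied header into `len`, and no comparison of `len` against the remaining `buf->len` is visible in the hunk. If the function does not already validate that further down (its body continues outside the hunk), a mismatch should be dropped the same way as a short header, e.g. `if (buf->len != len) { LOG_ERR("ISO data length mismatch (%u != %u)", buf->len, len); net_buf_unref(buf); return; }`. Keeping the two checks adjacent also makes it obvious to a reader that both the header and the declared payload length are treated as untrusted input.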