nimble/host: Validate advertising instance before parsing event

Advertising instance is used for indexing slave state array. Since instance is provided by host invalid handle in event means there is bug in controller.
apache · Sep 24, 2024 · f393308 · f393308
1 parent 845ea65
commit f393308
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/nimble/host/src/ble_hs_hci_evt.c b/nimble/host/src/ble_hs_hci_evt.c
@@ -879,6 +879,13 @@ ble_hs_hci_evt_le_adv_set_terminated(uint8_t subevent, const void *data,
         return BLE_HS_ECONTROLLER;
     }
 
+    /* this indicates bug in controller as host uses instances from
+     * 0-BLE_ADV_INSTANCES range only
+     */
+    if (ev->adv_handle >= BLE_ADV_INSTANCES) {
+        return BLE_HS_ECONTROLLER;
+    }
+
     if (ev->status == 0) {
         /* ignore return code as we need to terminate advertising set anyway */
         ble_gap_rx_conn_complete(&pend_conn_complete, ev->adv_handle);
@@ -900,6 +907,13 @@ ble_hs_hci_evt_le_scan_req_rcvd(uint8_t subevent, const void *data,
         return BLE_HS_ECONTROLLER;
     }
 
+    /* this indicates bug in controller as host uses instances from
+     * 0-BLE_ADV_INSTANCES range only
+     */
+    if (ev->adv_handle >= BLE_ADV_INSTANCES) {
+        return BLE_HS_ECONTROLLER;
+    }
+
     ble_gap_rx_scan_req_rcvd(ev);
 #endif