Bluetooth: OTS: Add len validation in olcp_ind_handler

Verify the length of the indication before we pull from the buffer. (cherry picked from commit 044f8aa) Original-Signed-off-by: Emil Gydesen <emil.gydesen@nordicsemi.no> GitOrigin-RevId: 044f8aa Change-Id: Ia8572fd32690241469ff53ea4f0ef5d7cb0e004b Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/zephyr/+/5666207 Tested-by: Ting Shen <phoenixshen@chromium.org> Tested-by: ChromeOS Prod (Robot) <chromeos-ci-prod@chromeos-bot.iam.gserviceaccount.com> Reviewed-by: Ting Shen <phoenixshen@chromium.org> Commit-Queue: Ting Shen <phoenixshen@chromium.org>
coreboot · Jun 28, 2024 · 33cacf4 · 33cacf4
1 parent e7437b1
commit 33cacf4
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/subsys/bluetooth/services/ots/ots_client.c b/subsys/bluetooth/services/ots/ots_client.c
@@ -297,13 +297,24 @@ static void olcp_ind_handler(struct bt_conn *conn,
  enum bt_gatt_ots_olcp_proc_type op_code;
  struct net_buf_simple net_buf;
 
+ if (length < sizeof(op_code)) {
+ LOG_DBG("Invalid indication length: %u", length);
+ return;
+ }
+
  net_buf_simple_init_with_data(&net_buf, (void *)data, length);
 
  op_code = net_buf_simple_pull_u8(&net_buf);
 
  LOG_DBG("OLCP indication");
 
  if (op_code == BT_GATT_OTS_OLCP_PROC_RESP) {
+ if (net_buf.len < (sizeof(uint8_t) + sizeof(uint8_t))) {
+ LOG_DBG("Invalid indication length for op_code %u: %u", op_code,
+ net_buf.len);
+ return;
+ }
+
  enum bt_gatt_ots_olcp_proc_type req_opcode =
  net_buf_simple_pull_u8(&net_buf);
  enum bt_gatt_ots_olcp_res_code result_code =
@@ -366,6 +377,11 @@ static void oacp_ind_handler(struct bt_conn *conn,
  uint32_t checksum;
  struct net_buf_simple net_buf;
 
+ if (length < sizeof(op_code)) {
+ LOG_DBG("Invalid indication length: %u", length);
+ return;
+ }
+
  net_buf_simple_init_with_data(&net_buf, (void *)data, length);
 
  op_code = net_buf_simple_pull_u8(&net_buf);