From 33cacf4edccdf9d58850df83114a84efd32f00d3 Mon Sep 17 00:00:00 2001
From: Emil Gydesen
Date: Tue, 25 Jun 2024 12:45:52 +0200
Subject: [PATCH] Bluetooth: OTS: Add len validation in olcp_ind_handler
Verify the length of the indication before we pull from the buffer.
(cherry picked from commit 044f8aaeb37113d5b597299a6bf1ffa884bccf0b)
Original-Signed-off-by: Emil Gydesen
GitOrigin-RevId: 044f8aaeb37113d5b597299a6bf1ffa884bccf0b
Change-Id: Ia8572fd32690241469ff53ea4f0ef5d7cb0e004b
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/zephyr/+/5666207
Tested-by: Ting Shen
Tested-by: ChromeOS Prod (Robot)
Reviewed-by: Ting Shen
Commit-Queue: Ting Shen
---
 subsys/bluetooth/services/ots/ots_client.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/subsys/bluetooth/services/ots/ots_client.c b/subsys/bluetooth/services/ots/ots_client.c
index e14e83b047a..f8f03d7200c 100644
--- a/subsys/bluetooth/services/ots/ots_client.c
+++ b/subsys/bluetooth/services/ots/ots_client.c
@@ -297,6 +297,11 @@ static void olcp_ind_handler(struct bt_conn *conn,
 enum bt_gatt_ots_olcp_proc_type op_code;
 struct net_buf_simple net_buf;
+ if (length < sizeof(op_code)) {
+ LOG_DBG("Invalid indication length: %u", length);
+ return;
+ }
+
 net_buf_simple_init_with_data(&net_buf, (void *)data, length);
 op_code = net_buf_simple_pull_u8(&net_buf);
@@ -304,6 +309,12 @@ static void olcp_ind_handler(struct bt_conn *conn,
 LOG_DBG("OLCP indication");
 if (op_code == BT_GATT_OTS_OLCP_PROC_RESP) {
+ if (net_buf.len < (sizeof(uint8_t) + sizeof(uint8_t))) {
+ LOG_DBG("Invalid indication length for op_code %u: %u", op_code,
+ net_buf.len);
+ return;
+ }
+
 enum bt_gatt_ots_olcp_proc_type req_opcode = net_buf_simple_pull_u8(&net_buf);
 enum bt_gatt_ots_olcp_res_code result_code =
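Review bot: The guard `if (length < sizeof(op_code))` in the first hunk compares against the width of an `enum bt_gatt_ots_olcp_proc_type`, not against the single byte that `net_buf_simple_pull_u8()` pulls on the next line; unless this build uses short enums, `sizeof(op_code)` is 4, so a well-formed 3-byte OLCP response indication (op code, request op code, result code — the minimum the RESP branch below expects) is dropped before it is parsed, and the check no longer matches what its log message describes. The second hunk already spells the wire size as `sizeof(uint8_t)`; the same form belongs here: `if (length < sizeof(uint8_t)) {`. The enclosing function starts before the hunk, so I am reading `length` as the indication's byte count from the hunk header's signature and the later `net_buf_simple_init_with_data()` call only.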
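Review bot: The `(sizeof(uint8_t) + sizeof(uint8_t))` bound added in the RESP branch is correct for the two pulls that follow (request op code, then result code), but nothing in the hunk says so and a reader has to count the pulls below to confirm it. A one-line comment above the check, `/* A response carries at least the request op code and the result code. */`, or a named minimum-length constant would make the bound self-explaining. The RESP branch continues outside the hunk; if it pulls anything further for particular request op codes, those pulls would need their own `net_buf.len` check, which this hunk does not show.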
@@ -366,6 +377,11 @@ static void oacp_ind_handler(struct bt_conn *conn,
 uint32_t checksum;
 struct net_buf_simple net_buf;
+ if (length < sizeof(op_code)) {
+ LOG_DBG("Invalid indication length: %u", length);
+ return;
+ }
+
 net_buf_simple_init_with_data(&net_buf, (void *)data, length);
 op_code = net_buf_simple_pull_u8(&net_buf);
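Review bot: As in the OLCP handler, `if (length < sizeof(op_code))` guards the one-byte `net_buf_simple_pull_u8()` with the size of `op_code`, whose declaration sits above the hunk; if it is an enum like its OLCP counterpart, that is the enum's storage width (normally 4 on this toolchain) rather than the wire size, so short indications that are valid on the wire are silently dropped while the code still reads as a 1-byte check. Use `if (length < sizeof(uint8_t)) {` to match the explicit `sizeof(uint8_t)` form the OLCP response check uses. The `uint32_t checksum` declared at the top of the hunk suggests a later 4-byte pull in the body, which continues outside the hunk and is not covered by this check.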