From d3f06e71f2508d4c1ff582f9645c0d328e99ee4a Mon Sep 17 00:00:00 2001
From: Carles Cufi
Date: Fri, 18 Aug 2023 14:53:07 +0200
Subject: [PATCH] Bluetooth: controller: Check minimum sizes of adv PDUs

While the maximum sizes were already correctly checked by the code, the minimum sizes of the PDUs were not. This meant that PDUs smaller than the minimum required length (typically 6 bytes for AdvA) were incorrectly forwarded up to the Host.

Signed-off-by: Carles Cufi
(cherry picked from commit 3f0d7012a6f0ecfa3925baabac2006e3e6c94f71)
---
 subsys/bluetooth/controller/ll_sw/nordic/lll/lll_scan.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/subsys/bluetooth/controller/ll_sw/nordic/lll/lll_scan.c b/subsys/bluetooth/controller/ll_sw/nordic/lll/lll_scan.c
index 666806675c3350..8d7a0c4e773906 100644
--- a/subsys/bluetooth/controller/ll_sw/nordic/lll/lll_scan.c
+++ b/subsys/bluetooth/controller/ll_sw/nordic/lll/lll_scan.c
@@ -1267,6 +1267,7 @@ static inline int isr_rx_pdu(struct lll_scan *lll, struct pdu_adv *pdu_adv_rx,
 /* Active scanner */
 } else if (((pdu_adv_rx->type == PDU_ADV_TYPE_ADV_IND) ||
 (pdu_adv_rx->type == PDU_ADV_TYPE_SCAN_IND)) &&
+ (pdu_adv_rx->len >= offsetof(struct pdu_adv_adv_ind, data)) &&
 (pdu_adv_rx->len <= sizeof(struct pdu_adv_adv_ind)) &&
 lll->type && !lll->state &&
 #if defined(CONFIG_BT_CENTRAL)
@@ -1359,6 +1360,7 @@ static inline int isr_rx_pdu(struct lll_scan *lll, struct pdu_adv *pdu_adv_rx,
 else if (((((pdu_adv_rx->type == PDU_ADV_TYPE_ADV_IND) ||
 (pdu_adv_rx->type == PDU_ADV_TYPE_NONCONN_IND) ||
 (pdu_adv_rx->type == PDU_ADV_TYPE_SCAN_IND)) &&
+ (pdu_adv_rx->len >= offsetof(struct pdu_adv_adv_ind, data)) &&
 (pdu_adv_rx->len <= sizeof(struct pdu_adv_adv_ind))) ||
 ((pdu_adv_rx->type == PDU_ADV_TYPE_DIRECT_IND) &&
 (pdu_adv_rx->len == sizeof(struct pdu_adv_direct_ind)) &&
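Review bot: The minimum-length bound `offsetof(struct pdu_adv_adv_ind, data)` is spelled out inline in the added line here, again in the hunk at line 1359, and a third time in isr_scan_init_check, with the `struct pdu_adv_scan_rsp` variant in the hunk at line 1373; four hand-copied expressions for one protocol constant is a maintenance risk. A named constant beside the PDU struct definitions (a placeholder such as `PDU_ADV_IND_MIN_LEN`, name to be chosen by the project) would keep the sites in step and give the bound one place to be explained. A one-line comment on the added line would also help later readers, e.g. `/* PDU must carry at least a full AdvA before any AdvData */`, since the reason the lower bound is the offset of `data` is not obvious from the expression. The enclosing `else if` condition in isr_rx_pdu begins before this hunk and continues into the `CONFIG_BT_CENTRAL` block after it, so the remaining terms of the condition were not reviewed.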
@@ -1373,6 +1375,7 @@ static inline int isr_rx_pdu(struct lll_scan *lll, struct pdu_adv *pdu_adv_rx,
 &dir_report)) ||
 #endif /* CONFIG_BT_CTLR_ADV_EXT */
 ((pdu_adv_rx->type == PDU_ADV_TYPE_SCAN_RSP) &&
+ (pdu_adv_rx->len >= offsetof(struct pdu_adv_scan_rsp, data)) &&
 (pdu_adv_rx->len <= sizeof(struct pdu_adv_scan_rsp)) &&
 (lll->state != 0U) &&
 isr_scan_rsp_adva_matches(pdu_adv_rx))) &&
@@ -1423,6 +1426,7 @@ static inline bool isr_scan_init_check(const struct lll_scan *lll,
 lll_scan_adva_check(lll, pdu->tx_addr, pdu->adv_ind.addr,
 rl_idx)) &&
 (((pdu->type == PDU_ADV_TYPE_ADV_IND) &&
+ (pdu->len >= offsetof(struct pdu_adv_adv_ind, data)) &&
 (pdu->len <= sizeof(struct pdu_adv_adv_ind))) ||
 ((pdu->type == PDU_ADV_TYPE_DIRECT_IND) &&
 (pdu->len == sizeof(struct pdu_adv_direct_ind)) &&
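Review bot: In isr_scan_init_check the new length guard is placed after `lll_scan_adva_check(lll, pdu->tx_addr, pdu->adv_ind.addr, rl_idx)` in the `&&` chain, so for an undersized ADV_IND the AdvA bytes are still compared (and whatever lookup that helper does on `rl_idx` still runs) before the PDU is finally rejected. If the receive buffer is a fixed maximum-size PDU object the read stays in bounds, but the comparison is then made on bytes beyond the declared `len`, which is the very condition this patch sets out to stop trusting; I cannot confirm the buffer guarantee from the hunk. Either move the type and length terms ahead of the address check, or mark the ordering with `/* len is validated after the AdvA match; rx buffer is max-size, so the read is in bounds */` once that guarantee is confirmed. The enclosing condition starts before the hunk, so the earlier terms are not visible here. The hunk at line 1373 needs no such change, since `isr_scan_rsp_adva_matches(pdu_adv_rx)` already follows the SCAN_RSP length checks.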